FedRAMP Moderate Equivalency Assessments for CSPs


For more information, please contact:

Chandler Hall
chandler.hall@sentar.com
(256) 836-7853


With CMMC rulemaking around the corner, requirements for Cloud Service Providers (CSPs) are emerging related to CUI protections.

To best provide attestation for protecting CUI data (in both CUI Assets or Security Protection Assets), Cloud Service Providers (CSPs) must achieve a FedRAMP Authorization to provide a Body of Evidence (BOE) to the contractor for a JSVA or DIBCAC High assessment. For some CSPs, however, achieving FedRAMP ATO doesn’t align with their business needs or goals. For those CSPs, FedRAMP Moderate Equivalency exists.

The DoD’s Memo titled, “Federal Risk and Authorization Management Program Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings”, published in Dec 2023, specifies conditions for FedRAMP Moderate Equivalency.

For CSPs seeking FedRAMP Moderate Equivalency for CMMC, Sentar 3PAO follows a modified assessment approach based on the FedRAMP established assessment methodology against NIST 800-53 Rev. 5 with the primary focus on potential CUI data flow.

CSPs should be aware that to achieve FedRAMP Moderate Equivalency, ALL NIST 800-53 Rev. 5 controls must be MET and confirmed as such by a FedRAMP 3PAO. Essentially, no POA&Ms are allowed by assessment end. This creates an incredibly high standard for CSPs to follow.

In short, CSPs should evaluate their willingness to invest in FedRAMP Authorization or FedRAMP Moderate Equivalency (depending on their desired customer base), while also considering the anticipated lighter workload of FedRAMP Authorization vs the involvement of DIBCAC instead of PMO for FedRAMP Moderate Equivalency.

How Sentar Can Help

Sentar 3PAO follows the FedRAMP-established assessment methodology to ensure alignment with the DoD’s FedRAMP Moderate Equivalency expectations. At Sentar, we’re committed to disclosing findings as soon as they are detected by the assessment team to allow for additional time for POA&M remediation prior to assessment end, therefore increasing likelihood of client success.

FedRAMP Moderate Equivalency FAQ

“What is the timeline for FR Moderate Equivalency?”

It depends on a few things, chiefly the level of effort you have put into preparing before you engage a 3PAO. Have you reviewed the FedRAMP Authorization requirements on the FedRAMP.gov website? Have you reviewed the DoD’s Memo on FedRAMP Moderate Equivalency to ensure you have the necessary documentation completed?

During our initial project kick-off, Sentar 3PAO will provide a determination on whether they believe your CSP is “ready” to proceed with a FR Moderate Equivalency Assessment. If Sentar 3PAO determines your CSP is not ready to proceed, we will set a target date to return, provided that the initial requirements (primarily the SSP requirements) specified in the DoD’s Memo have been met. Overall, this sets your FR Moderate Equivalency Assessment up for success, as we can avoid assessment pitfalls that may accrue unnecessary assessment and labor costs.

During an assessment, Sentar assessors regularly meet with the CSP to discuss open findings as they are identified.

Depending on your CSP’s bandwidth to participate, including the cost and labor to remediate POA&Ms as they are found, and provided that all preliminary documentation requirements have been met, an equivalency assessment can take 4-6 months.

“Who is the governing party for FedRAMP Moderate Equivalency assessments?”

DIBCAC. Instead of providing your assessment package to the FedRAMP PMO, you communicate it to DIBCAC for their review and confirmation that your CSP meets FedRAMP Moderate Equivalency.

“What requirements are expected of us after equivalency is granted by DIBCAC?”

In the case of a FedRAMP Moderate Equivalency Assessment, the Continuous Monitoring activities (as specified by CA-7) are conducted by DIBCAC. Once a CSP receives confirmation from DIBCAC that it has met FedRAMP Moderate Equivalency, the CSP is then required to attend at least monthly meetings with DIBCAC to verify that the continuous monitoring activities are being maintained. These include (but may not be limited to) POA&M review and providing evidence of the latest vulnerability scans.

In a standard FedRAMP Authorization, the Continuous Monitoring activities are conducted by the FedRAMP Authorizing Official (AO), typically from the sponsoring agency.

Separately (and most importantly), the CSP will be required to provide DIBCAC with an updated body of evidence (BOE) as they request it (in the case that the CSP has a client that is pursuing a JSVA or DIBCAC High assessment). The CSP should operationally prepare to update the BOE periodically (at least annually) to provide to DIBCAC.

