Preparing Personnel and Policy for CMMC


To meet CMMC requirements, organizations need a security strategy that integrates technology, people, and policies. It is important to know when to use IT solutions and when to involve HR and leadership so everyone works toward the same goals.

If you are a Department of Defense contractor preparing for CMMC certification, remember that people and policies are as important as technology.


Using Your MSP to FedRAMP Authorization Time Through Control Inheritance


A FedRAMP Moderate baseline, now classified as Class C under the updated FedRAMP 20x framework, requires documentation and validation of over 300 controls, not an insignificant number, regardless of the enterprise.

Modern IT, however, rests on a network of digital infrastructure and vendor-supplied applications. If your app runs on a FedRAMP-authorized infrastructure provider, you benefit from the fact that those providers have already invested years and tens of millions of dollars in proving the security of systems to a Third Party Assessment Organization (3PAO). 

By maximizing your Customer Responsibility Matrix (CRM) and building an inheritance-first architecture, organizations can offload their documentation and assessment burden to their underlying provider, reducing total time-to-ATO by 30% or more.

 


Navigating FedRAMP’s Move to Certification Classes 


Anchored by the FedRAMP Authorization Act and OMB Memo M-24-15, FedRAMP is undergoing a major change that affects virtually every aspect of how cloud service providers pursue, achieve, and maintain federal authorization. Named FedRAMP 20x, this program is meant to streamline compliance and make it easier for cloud products to enter the federal marketplace.

The most visible of those changes is the retirement of the legacy FIPS 199 security categories (Low, Moderate, and High) in favor of a new alphabetical system: Certification Classes A through D.

We’re walking through these new classes and what they mean for agencies seeking Authorization.

 
