Any IT or cloud provider working with the government needs to show that they are secured against data breach or theft. As the SolarWinds hack has demonstrated, our interconnected technology systems are under attack from outside entities who want to gain access to critical civil, military, and industrial data and undermine our security. That’s why frameworks like FedRAMP and CMMC exist. 

But do these frameworks play well together? As of right now, there isn’t a clear 1-to-1 relationship between the two. But some similarities between the two could help cloud service providers who want to work with defense agencies prepare their systems for CMMC compliance if they currently have FedRAMP certification. 

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) framework created specifically for IT and cloud providers working with agencies under the umbrella of the Department of Defense (DoD). A relatively new framework, it is intended as a unified approach to protecting data related to specific defense applications, namely Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

1. Controlled Unclassified Information is information “that requires safeguarding or dissemination controls according to and consistent with applicable law, regulations, and government-wide policies, but is not classified”. This simply means that CUI is data that, while not classified, is of import across the DoD and agencies within the Executive Branch and should be protected.
2. Federal Contract Information is information related to or generated through agencies under contract with the government, but that isn’t publicly available to the public (as through a website or other public disclosure). 

The primary reason for CMMC’s existence is to protect the extensive contractor chain serving federal defense agencies. This certification is almost like a demonstration of capability and compliance, like many other certifications, and covers several processes and controls that must be assessed by a certified CMMC Third-Party Assessment Organization (C3PAO).

CMMC is broken down into 5 Levels of security: each with a rising level of controls and capabilities:

1. Level 1: Basic Cyber Hygiene Controls and the ability to perform security tasks with those controls. 
2. Level 2: Intermediate Cyber Hygiene and the ability to report, document, and log policies and procedures related to their security implementation.
3. Level 3: Good Cyber Hygiene and the ability to manage resources and plans related to their security implementation, including resourcing, training, mission and goal setting, and involving other stakeholders. 
4. Level 4: Proactive Cyber Hygiene with the ability to review and measure the effectiveness of their security implementation and correct issues as they arise. 
5. Level 5: Advanced Proactive Cyber Hygiene and the ability to standardize and optimize their security implementation.

What is FedRAMP?

FedRAMP is a federal compliance framework for cloud service providers (CSPs) who want to work with any federal agency. 

FedRAMP includes a lengthy certification process, typically in line with a workflow that includes a Third-Party Assessment Organization (3PAO) that assesses a CSP for readiness, performs critical tests and audits, and reports to the FedRAMP PMO as to the compliance of the provider. 

FedRAMP isn’t limited to a specific set of agencies, but it is limited specifically to cloud service providers who want to enter into working relationships with federal agencies. The framework is broken into three Impact Levels, determined by the type of data managed by the CSP:

1. Low Impact Level covers generally public data and that will have little impact on the public or the operation of the agency if it is stolen or manipulated. 
2. Moderate Impact Level covers private data that will have a significant impact on the public or the operation of the agency if it is stolen or manipulated, including potential financial loss or damage to individuals.
3. High Impact Level covers private data that will have a severe impact on the public or the operation of the agency if it is stolen or manipulated, including financial loss or damage to individuals or loss of life.

Where Do CMMC and FedRAMP Overlap?

While they are both different frameworks, both CMMC and FedRAMP have some overlap:

1. Both frameworks derive their requirements from a similar pool of documentation. The primary documents for FedRAMP compliance include NIST SP 800-53 and FIPS 199, which outline security controls and regulations and define impact levels for data security (respectively). CMMC draws from NIST 800-171 and NIST 800-171B to define controls at specific security levels. 
2. Both frameworks can cover similar data. A cloud provider working with an executive agency would handle FCI or CUI (as has been the case prior to the advent of CMMC). CUI is generally categorized as the Moderate Impact Level in FedRAMP, and Level 3 certification in CMMC. 
3. Both CMMC and FedRAMP require a 3PAO. 

For this last part, it bears attention that the function of the 3PAO is slightly different between the two:

1. In FedRAMP, the 3PAO is a long-term working partner for the CSP. The 3PAO helps the CSP prepare for certification and Ready status performs audits and pen testing during certification helps prepare security plans and subsequent reports, and works with the CSP during continued maintenance.
   
2. In CMMC, the primary work of the C3PAO is to assess the provider and perform audits of compliance. Due to a different certification process, they are not as involved with planning and implementing security–at least, not on paper. The truth is that a C3PAO will often be a security firm that can help any provider maintain their certification over time while remaining a partner. 

CMMC and FedRAMP are not interchangeable. As of March 2021, this isn’t hitting all contractors the same. Not all DoD RFPs are including requirements for CMMC certification yet. However, the plan is to have all calls for proposals require CMMC certification and to have this certification standard across DoD agencies. 

Any CSP wanting to work with an agency handling CUI or FCI (such as an agency with the DoD) will eventually need CMMC certification. Additionally, any CSP working with other federal agencies needs FedRAMP certification. There are several ways in which having one lead to or be fully compatible with, the other is desirable. 

While there isn’t a direct path or plan for FedRAMP/CMMC reciprocity as of yet, security experts and planners expect there will be. Many point to the shared focus on CUI management as a midpoint for both frameworks (you’d need CMMC Level 3 or FedRAMP Intermediate Impact Level to handle CUI). 

Conclusion

CMMC is brand new, but it stands to dramatically improve the security of the DoD contractor supply chain. In a world where cyber warfare is increasingly common and where the military is increasingly turning to responsive technology like the cloud, rigorous and standardized security is much. 

That’s why CMMC is a step in securing that contractor ecosystem. And, as the government begins to consolidate federal security requirements, we may likely see frameworks like FedRAMP and CMMC work together to make it easiest for cloud providers to secure their systems and support the federal government. 

Do you want to learn more about CMMC, FedRAMP, and compliance automation? Call Continuum GRC at 1-888-896-6207 or contact us with the form below to learn about our ITAMs auditing and compliance tools.