skip to Main Content

Is FedRAMP Authorization Required for CSP’s?

Is the Cloud Service Provider (CSP) you have partnered with, for securely storing and working with Controlled Unclassified Information (CUI), required to be FedRAMP authorized or approved?

Well, there is no need to guess the answer to this question, as the Department of Defense has directly answered it. The current direction from the Defense Contract Management Agency (DCMA) (the agency within the Department of Defense responsible for setting cybersecurity procurement policies) includes a clear statement that DFARS compliance does not mandate that a contractor’s CSP be FedRAMP authorized or approved.

Specifically, the DCMA has said that it recognizes that DFARS clause 252.204-7012 (b)(2)(ii)(D) states that a DoD Contractor shall require and ensure that the CSP meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (see https://www.fedramp.gov/resources/documents/). However, the DCMA has explained what this means:

[t]his does not preclude nor require the contractor use a CSP service authorized/approved by the FedRAMP program – since in some instances such FedRAMP approved services may only allow use by government agencies – but simply requires that the contractor ensure that the cloud services contracted to process and store covered defense information meet the same set of requirements. (Emphasis added).

This DCMA statement can be found on page 72 in the current (December 19, 2021, updated) language of the DCMA’s FAQ document for DFARS implementation. 

 The FAQ document is directly accessible here (accessed February 3, 2023). The document can additionally be accessed from the DCMA’s main website page (https://www.dcma.mil/DIBCAC/) by using a link on that page entitled DoD Cybersecurity Toolbox (FedRAMP Equivalency – see Question # 115 and then further by clicking the link on the next website page for downloading the updated Cybersecurity FAQS.

 

So, the answer to the question is that no FedRAMP authorization or approval of CSPs is required.

In fact, no CUI SaaS storage and management service available today has application specific FedRAMP authorization or approval. As is the case with RegDOX’s CUI storage and management SaaS solution, a CSP storage and management service for CUI must meet the equivalent of FedRAMP Moderate as a baseline.  It need not be FedRAMP authorized or approved.

 

Contact Us for Additional Information Here

Explore Our Products Here

Click to rate this post!
[Total: 0 Average: 0]

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top