Deltek Costpoint GCCM Customers Gain Huge Advantage for CMMC Compliance

April 30, 2025
Michael Greenman
Sr. Product Marketing Manager

In a significant win for government contractors, Deltek has completed its assessment for FedRAMP Moderate Equivalency for its Costpoint GovCon Cloud Moderate (GCCM) offering. This means Costpoint GCCM now provides contractors with the full-suite functionality they need—ERP, CRM, Capture, Manufacturing and a robust integration tool—all on a single platform that meets the requirements of FedRAMP Moderate Equivalency. Contractors looking to reduce their risk and prepare for their CMMC assessment can rely on Deltek’s Costpoint GCCM to support their compliance needs.

Continued Success for Government Contractors

FedRAMP Moderate Equivalency is a big deal for Costpoint GCCM customers. Deltek, known for its leadership in project-based software, now leads the charge in secure solutions built for compliance with government cybersecurity regulations. Customers can now review Deltek documentation to validate that Costpoint GCCM meets the high cybersecurity standards required by the federal government and that they can confidently rely on Deltek to support their compliance needs today and in the future.

Compliance with DoD Requirements Like CMMC

When working with the Department of Defense (DoD), handling controlled unclassified information (CUI) has required compliance with the cybersecurity standards outlined in DFARS 252.204-7012 since 2017. This requirement mandates that contractors leveraging cloud service providers (CSPs) use providers that are FedRAMP Moderate Authorized, or equivalent, to store, process or transmit CUI.

With the rollout of the Cybersecurity Maturity Model Certification (CMMC) to enforce compliance with these requirements, DoD contractors need cloud service providers that meet this DFARS requirement to win contracts going forward. Costpoint GCCM customers can rest assured that they have the right solution to support their cybersecurity compliance requirements and maintain eligibility for contracts while avoiding penalties for non-compliance.

Background & History of FedRAMP Moderate Equivalency

Until the end of 2023, FedRAMP Moderate "equivalent" was not defined, leading to confusion among contractors about what constituted compliance. In response, the DoD issued a memo that outlined the requirements for meeting the FedRAMP Moderate Equivalency standard. This memo now serves as the official DoD policy for validating cloud services used by government contractors.

For SaaS ERP providers, like Deltek, that do not sell directly to the federal government (and cannot easily obtain FedRAMP Authorization through agency sponsorship), this means FedRAMP Moderate Equivalency is the only path to support the compliance needs of our customers.

Knowing this, Deltek worked quickly to create an official Body of Evidence (as defined in the DoD memo) and engaged with Schellman Compliance, a FedRAMP-recognized Third Party Assessment Organization (3PAO), to conduct the required assessment. The Body of Evidence and the 3PAO assessment are DoD-specific requirements for DFARS 252.204-7012 compliance and, eventually, CMMC Level 2 certification.

What This Means for Government Contractors

By being able to validate Deltek’s FedRAMP Moderate Equivalency, Deltek Costpoint GCCM customers gain a competitive edge over any companies using non-FedRAMP assessed SaaS ERP offerings. Switching to Costpoint GCCM can reduce your compliance risks and ensure your government contracts are not jeopardized by non-compliant solutions.

Key Benefits

FedRAMP Moderate Equivalency sets Deltek apart from other SaaS ERP providers. Here are the key benefits:

  • FedRAMP Moderate Equivalency: Deltek’s Costpoint GCCM can demonstrate that it meets the DoD’s standard for cybersecurity compliance, as assessed by a 3PAO.
  • Notable Status: Costpoint GCCM is one of the few SaaS ERP solutions that has demonstrated FedRAMP Moderate Ready status and can demonstrate FedRAMP Moderate Equivalency, making it a strong choice for compliance.
  • Independent Verification: The 3PAO assessment was conducted by Schellman Compliance, ensuring a thorough and unbiased evaluation of our compliance standards.
  • Comprehensive Documentation: Costpoint GCCM customers can request the Body of Evidence, which consists of a Security Assessment Report (SAR), System Security Plan (SSP), Plan of Action & Milestones (POAM), and Security Assessment Plan (SAP).
  • Future-Ready: Costpoint GCCM is prepared for the evolving government contracting environment, ensuring that our customers are always supported for compliance.

The Deltek Costpoint GCCM Advantage

Since December 2024, the CMMC Program Rule has been final, allowing DoD contractors and subcontractors to seek CMMC Level 2 certification assessments. This certification is crucial as it will soon become a condition for award in most defense contracts. Deltek’s Costpoint GCCM, listed on the FedRAMP Marketplace, meets the requirements for a cloud service provider, demonstrating Deltek’s commitment to supporting cybersecurity compliance requirements for government contractors.

The DoD currently requires contractors to implement and affirm compliance with the NIST SP 800-171 controls and assessment objectives every year. When contractors use a cloud service offering to store, process, or handle CUI, the cloud offering must be FedRAMP Moderate Authorized or equivalent, as per DoD policy. The CMMC program seeks to validate cybersecurity compliance and requires any cloud service providers handling CUI to be FedRAMP Moderate Authorized, or equivalent, and listed on the FedRAMP Marketplace for CMMC Level 2 and Level 3 certification.

Deltek’s Costpoint GCCM achieved FedRAMP Moderate Ready status and has been listed on the FedRAMP Marketplace since January 2024. Deltek recently renewed Costpoint GCCM’s FedRAMP Moderate Ready status under the newly required, more comprehensive, FedRAMP revision 5 standard in February 2025, demonstrating Deltek’s continued commitment to supporting cybersecurity compliance requirements for government contractors.

By being able to validate Deltek’s FedRAMP Moderate Equivalency, Costpoint GCCM customers can be confident that they are fully ready to meet cybersecurity compliance requirements, securing their position in the competitive government contracting space.