Navigating FedRAMP Authorization

The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 is a clause that all Department of Defense (DoD) contractors should be familiar with. This clause outlines the requirements for safeguarding covered defense information (CDI) and reporting cyber incidents.

In essence, DFARS 252.204-7012 requires contractors to implement adequate security measures to protect CDI, including any unclassified information provided by or generated for the government subject to safeguarding or dissemination controls. This can include sensitive technical information, proprietary information, and other data that, if compromised, could negatively impact national security.

To comply with DFARS 252.204-7012 requirements, contractors must adhere to the security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which provides guidelines for protecting CDI in non-federal systems and organizations. These controls cover areas such as access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response and system and communication protection.

Additionally, contractors are required to report any cyber incidents that affect CDI to the DoD within a specific timeframe. This reporting allows the DoD to respond to and mitigate the impact of cyber incidents that could pose a threat to national security.

Established in 2011, FedRAMP emerged as a crucial framework for assessing the cybersecurity posture of cloud service providers (CSPs) who wish to offer their services to the federal government.

Before FedRAMP, CSPs had to prepare an authorization package (essentially a set of documentation proving their cybersecurity controls) for each agency they wanted to work with. Agency requirements were not consistent, and agencies ultimately would duplicate work when reviewing authorization packages. FedRAMP introduced consistency and streamlined the process for cloud products and services, facilitating their adoption by federal agencies while providing a robust security framework.

With FedRAMP, the goal is for all CSPs to undergo a comprehensive security assessment under a common framework. Then, once a CSP is approved and listed on the FedRAMP Marketplace, federal agencies use the CSP’s services without further analysis.

FedRAMP also promotes transparency and collaboration among agencies, CSPs and third-party assessment organizations (3PAOs). Creating standardized security requirements and testing procedures ensures a consistent level of security across all authorized cloud services. This not only saves time and resources but also eliminates duplication of efforts and maximizes the utilization of secure cloud solutions throughout the federal government.

FedRAMP provides a standardized and efficient process for evaluating the security posture of cloud service providers, resulting in increased confidence and trust in cloud solutions and ultimately enabling secure digital transformation across the federal government.

Understanding FedRAMP Compliance

Join us in this on demand webinar for an information overview of the FedRAMP program, who it affects and what it means for your DoD contracts.

Watch On-Demand Now

As a key cloud security program, compliance with FedRAMP is essential for several reasons.

1. It provides government agencies with a standardized approach to evaluating, authorizing and monitoring CSPs.
2. It provides government contractors with a standard to evaluate their cloud service providers against when complying with Federal security requirements such as DFARS 252.204-7012 or CMMC.
3. It streamlines the procurement process for government agencies. They can rely on FedRAMP’s analysis and authorization, saving time and resources. This expedites the procurement cycle, allowing for faster adoption and deployment of cloud services while meeting necessary security standards.
4. It allows contractors to publicly demonstrate their capabilities with less duplication of effort. By following the program's rigorous security requirements and controls, contractors can demonstrate their dedication to safeguarding the government’s sensitive information. Being listed on the FedRAMP Marketplace means CSPs have fewer hurdles to jump over for each individual agency that may wish to use their services. Thus, adhering to FedRAMP standards is one avenue whereby contractors can position themselves as reliable government partners.

FedRAMP requirements apply to all federal agencies when federal information is collected, maintained, processed, disseminated or disposed of by CSP.  This means that other organizations who participate in this work - federal agencies, state and local governments, and other entities that provide cloud services for these entities – may also need to satisfy FedRAMP requirements.

FedRAMP Moderate equivalence (or higher) is the minimum requirement for CSPs that transmit, store or process Controlled Unclassified Information (CUI) as part of DoD contracts with the DFARS 252.204-7012 compliance clause. Similarly, defense contractors seeking a CMMC Level 2 or Level 3 certification (once final) must likely confirm their CSPs satisfy these requirements.

To become FedRAMP-authorized, cloud service providers must undergo a series of comprehensive steps. The agency authorization process is outlined on FedRAMP.gov, where it’s categorized into three sections:

1. Preparation
2. Authorization
3. Continuous Monitoring

There are three different levels of FedRAMP, each with its own set of controls aimed at mitigating risks and safeguarding sensitive information.

1. FedRAMP Low: Requires controls such as access controls, incident response capabilities, and basic security measures. This level is suitable for data that is not classified as sensitive but still requires a certain level of protection.
2. FedRAMP Moderate: Introduces additional controls, including continuous monitoring, thorough security assessments, and more stringent access controls. This level is appropriate for storing sensitive but unclassified information, such as personally identifiable information (PII) or medical records.
3. FedRAMP High: In addition to the controls mentioned earlier, this level mandates advanced intrusion detection and prevention systems, robust incident response capabilities, and strong encryption mechanisms. It is ideal for highly sensitive data.

FedRAMP Authorization refers to the designation given after successfully completing the FedRAMP authorization process with the Joint Authorization Board (JAB) or a federal agency. There is no FedRAMP certification. 

Deltek announced that Costpoint GovCon Cloud Moderate (GCCM) has officially achieved FedRAMP Moderate Ready status by the Federal Risk and Authorization Management Program (FedRAMP®). This major accomplishment demonstrates Deltek's continued commitment and investment in delivering industry-leading, secure solutions.

Deltek's achievement of FedRAMP Moderate Ready means that an independent 3PAO has thoroughly evaluated Costpoint GCCM against FedRAMP Moderate controls and has verified that Deltek Costpoint GCCM meets this high standard for data security.