
Navigating FedRAMP Authorization

The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 is a clause that all Department of Defense (DoD) contractors should be familiar with. This clause outlines the requirements for safeguarding covered defense information (CDI) and reporting cyber incidents.

In essence, DFARS 252.204-7012 requires contractors to implement adequate security measures to protect CDI, including any unclassified information provided by or generated for the government, subject to safeguarding or dissemination controls. This can include sensitive technical information, proprietary information, and other data that, if compromised, could negatively impact national security.

To comply with DFARS 252.204-7012 requirements, contractors must adhere to the security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which provides guidelines for protecting CDI in non-federal systems and organizations. These controls cover areas such as access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, and system and communication protection.

Additionally, contractors are required to report any cyber incidents affecting CDI to the DoD within a specified timeframe. This reporting allows the DoD to respond to and mitigate the impact of cyber incidents that could pose a threat to national security.

What is FedRAMP?

Established in 2011, FedRAMP has emerged as a crucial framework for assessing the cybersecurity posture of cloud service providers (CSPs) seeking to offer services to the federal government.

Before FedRAMP, CSPs had to prepare an authorization package (essentially a set of documentation proving their cybersecurity controls) for each agency they wanted to work with. Agency requirements were inconsistent, and agencies ultimately duplicated work when reviewing authorization packages.

FedRAMP introduced consistency and streamlined the process for cloud products and services, facilitating their adoption by federal agencies while providing a robust security framework.

With FedRAMP, the goal is for all CSPs to undergo a comprehensive security assessment under a common framework. Then, once a CSP is approved and listed on the FedRAMP Marketplace, federal agencies use the CSP’s services without further analysis.

FedRAMP also promotes transparency and collaboration among agencies, CSPs, and third-party assessment organizations (3PAOs). Creating standardized security requirements and testing procedures ensures a consistent level of security across all authorized cloud services. This not only saves time and resources but also eliminates duplication of effort and maximizes the use of secure cloud solutions across the federal government.

FedRAMP provides a standardized, efficient process for evaluating the security posture of cloud service providers, increasing confidence and trust in cloud solutions and ultimately enabling secure digital transformation across the federal government.

Why is FedRAMP Important?

As a key cloud security program, compliance with FedRAMP is essential for several reasons.

  • It provides government agencies with a standardized approach to evaluating, authorizing, and monitoring CSPs.
  • It provides government contractors with a standard to evaluate their cloud service providers against when complying with Federal security requirements such as DFARS 252.204-7012 or CMMC.
  • It streamlines the procurement process for government agencies. They can rely on FedRAMP's analysis and authorization, saving time and resources. This expedites the procurement cycle, enabling faster adoption and deployment of cloud services while meeting required security standards.
  • It allows contractors to publicly demonstrate their capabilities with less duplication of effort. By following the program's rigorous security requirements and controls, contractors can demonstrate their dedication to safeguarding the government's sensitive information. Being listed on the FedRAMP Marketplace means CSPs face fewer hurdles for each agency that may wish to use their services. Thus, adhering to FedRAMP standards is one avenue whereby contractors can position themselves as reliable government partners.

What Types of Businesses Need to Satisfy FedRAMP Requirements?

FedRAMP requirements apply to all federal agencies whenever a CSP collects, maintains, processes, disseminates, or disposes of federal information. This means that other organizations that participate in this work, including federal agencies, state and local governments, and the entities that provide cloud services to them, may also need to satisfy FedRAMP requirements.

FedRAMP Moderate equivalence (or higher) is the minimum requirement for CSPs that transmit, store, or process Controlled Unclassified Information (CUI) as part of DoD contracts that include the DFARS 252.204-7012 clause. Similarly, defense contractors seeking a CMMC Level 2 or Level 3 certification (once final) will likely need to confirm that their CSPs satisfy these requirements.

What is the FedRAMP Authorization Process?

To become FedRAMP-authorized, cloud service providers must undergo a series of comprehensive steps. The agency authorization process is outlined on FedRAMP.gov, where it's categorized into three sections:

  1. Preparation
  2. Authorization
  3. Continuous Monitoring

What are the Different Levels of FedRAMP?

There are three levels of FedRAMP, each with its own set of controls aimed at mitigating risks and safeguarding sensitive information.

  1. FedRAMP Low: Requires controls such as access controls, incident response capabilities, and basic security measures. This level is suitable for data that is not classified as sensitive but still requires a certain level of protection.
  2. FedRAMP Moderate: Introduces additional controls, including continuous monitoring, thorough security assessments, and more stringent access controls. This level is appropriate for storing sensitive but unclassified information, such as personally identifiable information (PII) or medical records.
  3. FedRAMP High: In addition to the controls mentioned earlier, this level mandates advanced intrusion detection and prevention systems, robust incident response capabilities, and strong encryption mechanisms. It is ideal for highly sensitive data.

What is FedRAMP Authorization vs Certification?

FedRAMP Authorization refers to the designation given after successfully completing the FedRAMP authorization process with the Joint Authorization Board (JAB) or a federal agency.

There is no FedRAMP certification.

How Deltek Supports Government Contractors with FedRAMP Compliance

Deltek announced that Costpoint GovCon Cloud Moderate (GCCM) has officially achieved FedRAMP Moderate Ready status from the Federal Risk and Authorization Management Program (FedRAMP®).

This major accomplishment demonstrates Deltek's continued commitment and investment in delivering industry-leading, secure solutions.

Deltek's achievement of FedRAMP Moderate Ready means that an independent 3PAO has thoroughly evaluated Costpoint GCCM against FedRAMP Moderate controls and has verified that Deltek Costpoint GCCM meets this high standard for data security.
