Cloud service providers, FedRAMP “Equivalency” and CMMC
July 22, 2024 · Authored by Matt Gilbert
If you’re uncertain about the definition of a cloud service provider (CSP) within the context of the Cybersecurity Maturity Model Certification (CMMC), or if you utilize a CSP that handles controlled unclassified information (CUI), this article could provide useful insights. It covers what a CSP is under CMMC, the requirements for CSPs under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, the Department of Defense (DOD) FedRAMP Equivalency Memo, the DOD’s CMMC proposed rule, and the Defense Industrial Base Cybersecurity Assessment Center’s (DIBCAC) expectations for CSPs.
What is CSP in CMMC?
The definition of a CSP from the proposed CMMC rule issued in December of 2023 is:
“CSP is defined as an external company that provides a platform, infrastructure, applications, and/or storage services for its clients.” [1]
Many contractors leverage cloud solutions for a variety of reasons, such as sharing information through applications, hosting platforms or managing their entire DOD program’s in-scope environment. If a contractor chooses to use a CSP, the DOD has defined requirements that apply today, as well as additional requirements that are likely to apply in the future.
While some organizations argue they aren’t CSPs because they do not provide infrastructure as a service (IaaS) or platform as a service (PaaS), the definition of a CSP clearly includes providers of software and applications as well.
DFARS 252.204-7012 requirements
The DOD has defined the following CSP requirements for contractors in their contracts via DFARS 252.204-7012:
“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment” [2].