Government cybersecurity standards such as FedRAMP and CMMC can be challenging to comprehend. There are a host of details to decipher between the two.

Let’s dive into common questions about these programs: how they work together, how they work independently, and other questions that frequently arise.

What Is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a federal program to spell out proper cybersecurity requirements when U.S. government agencies access cloud products and cloud services. 

FedRAMP uses a framework to monitor security assessment, authorization, and continuous oversight of cloud service providers (CSPs). The program grants authorizations to cloud service providers at three impact levels: low, medium, and high.

What Is the CMMC Framework?

“CMMC” stands for Cybersecurity Maturity Model Certification. It’s a set of standards to implement cybersecurity across the defense industrial base (DIB). 

CMMC program is used by the Department of Defense (DoD) to secure sensitive defense data. CMMC has five levels of security risk, where FedRAMP has only three.

The five levels of CMMC program are as follows:

Level 1: Performed. This level requires basic cyber hygiene. The cloud service provider (or other defense contractor) meets basic standards regarding protocol and requirements.

Level 2: Documented. The business has intermediate cyber hygiene and requirements and policies. 

Level 3: Managed. The business shows consistency in meeting cybersecurity requirements and staying within guidelines.

Level 4: Reviewed. This is considered “proactive” security. This level focuses on the protection of controlled, unclassified information (CUI) from advanced persistent threats, and requires advanced security requirements. 

Level 5: Optimizing. This is considered advanced and practical. This level is the most established and also focuses on the protection of CUI from APTs.

What Else Is Required for CMMC Certification

​In addition to CMMC, the Department of Defense created another agency, the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) to train and test assessors. 

These trained assessors are then qualified to join the CMMC Assessors and Instructors Certification Organization (CAICO), responsible for performing cybersecurity audits of defense contractors’ networks.

​What Are FedRamp Levels?

FedRAMP currently uses three levels of security: low, moderate and high; although the Defense Department currently doesn’t use the high level destination.

When Will the DoD Fully Implement CMMC?

The Defense Department released the first version of its much-anticipated Cybersecurity Maturity Model Certification (CMMC) in January 2020. The department intends to roll out the certification requirement in phases, until all defense contracts include CMMC certification in 2026. The Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of the CMMC requirement in any solicitation.

What’s the Difference Between DFARS 7012 and FedRAMP Moderate?

DFARS 7012 is the government contracting rule the Defense Department uses to require cybersecurity among all DoD contractors. The cybersecurity standard required in DFARS 7012 is NIST 800-171, also commonly known as the NIST Cybersecurity Framework.

In other words, to meet the requirements of DFARS 7012, which allows a business to bid on Defense Department contracts, that business must implement the NIST Cybersecurity Framework. 

“FedRAMP Moderate” is the FedRAMP standard for cloud computing security at all other federal government agencies. The moderate impact level is appropriate for CSPs that will handle government data that is not publicly available.

So DFARS 7012 applies to defense contractors working for the Defense Department. FedRAMP applies to all government contractors working with any other U.S. government agency.

What Are NIST Framework Controls? 

The NIST Cybersecurity Framework, released by the National Institute of Standards & Technology, is a framework of security policies and guidance for organizations to secure their systems. This framework guides the organization in improving its abilities to handle cyber-attacks. The framework contains an exhaustive list of cybersecurity standards and the security controls needed to make the system secure.

The NIST framework consists of five functions. These functions are:

  • Identify: the ability of an organization to identify important assets that need protection, whether those assets are data or IT systems
  • Protect: create tasks to assure critical services remain functional 
  • Detect: create tasks that monitor the occurrence of a security event
  • Respond: create tasks that are used when facing a detected security event
  • Recover: create needed tasks to repair damage after a security event occurs

What Is Supply Chain Compliance?

The phrase “supply chain compliance” refers to the regulations and requirements that can apply not just to an organization, but to that organization’s supply chain. Supply chain compliance might govern the cybersecurity of your suppliers, or relate to concerns such as ethical sourcing, product liability, and other issues. 

Are FedRAMP and CMMC Reciprocal?

FedRAMP and CMMC have similar requirements for the Defense Department, but the DoD has yet to determine how much reciprocity will exist between the two. 

Defense Department officials have indicated that offering certification reciprocity between FedRAMP and CMMC is something they want to achieve, to keep compliance costs as low as possible. The challenge, however, is that FedRAMP and CMMC have a different number of security levels, which makes reciprocity more difficult.

This is why software like ZenGRC can be a cost-effective and seamless way to assure compliance among multiple, complex cloud security standards and compliance frameworks. 

ZenGRC compliance templates can simplify your self-assessments, while our easy-to-use, central dashboard provides a single view across all your compliance frameworks, showing you where gaps exist in your cybersecurity program and how to fill them.

ZenGRC stores and organizes all related documentation, so it’s easy to procure when it’s time for your audit. 

Setting up a demo can provide better insight into how ZenGRC can help you achieve “Zen-mode” in your compliance efforts.