Stakeholders watching the Pentagon’s cyber certification program say they see an opportunity for reciprocity in a section of a May cyber executive order that calls for the modernization of a separate civilian agency certification program dedicated to authorizing services for government use from cloud service providers.
“Ever since these programs came into being, the idea of reciprocity has been talked about,” said Stephanie Kostro, executive vice president for policy at the Professional Services Council. “I’m really hoping for progress on that because it is not cheap to get these assessments done and to be able to move forward [with] reciprocity in some form is really important.”
The EO directs the General Services Administration to revamp its Federal Risk and Authorization Management Program (FedRAMP) by providing more training to agency officials on how to manage FedRAMP requests and incorporating automation into “the lifecycle of FedRAMP, including assessment, authorization, continuous monitoring, and compliance.”
The last component of the modernization effort directs GSA to make changes by “identifying relevant compliance frameworks, mapping those frameworks onto requirements in the FedRAMP authorization process, and allowing those frameworks to be used as a substitute for the relevant portion of the authorization process, as appropriate.”
Establishing reciprocity between the Defense Department’s Cybersecurity Maturity Model Certification program and FedRAMP has been a priority for industry since the Pentagon began working on CMMC in 2019.
Kostro told Inside Cybersecurity, “Even though CMMC is not specifically mentioned in the executive order, the CMMC Accreditation Body is still moving forward with accrediting folks in order to move forward with” the program. “Whether CMMC evolves or changes under the Biden-Harris administration is a fair question, but at its core, the issues are still the same and there are a lot of potential synergies between” CMMC and FedRAMP as well as “room for growth,” she said.
Coalfire’s Karen Laughton said her company has met with the FedRAMP Program Management Office to discuss how to map FedRAMP “to other security compliance requirements” as discussed in the EO. Coalfire was accredited as a third-party assessment organization for FedRAMP six years ago and has assessed 108 products from cloud service providers over the years.
One of the challenges in creating reciprocity between the two government standards is scope, Laughton told Inside Cybersecurity. Laughton is Coalfire’s vice president for compliance advisory services.
“With CMMC, the scope is much broader than FedRAMP so it is not a one-to-one reciprocity,” Laughton said, calling the scope “much more expansive with CMMC in most cases than it would be with FedRAMP.”
Carl Anderson, managing partner at Rock Spring Law Group and former HITRUST chief legal officer, said, “I was encouraged to see the foresight of the EO to address the need to improve FedRAMP by directly tasking GSA with ‘identifying relevant compliance frameworks.’ The private sector has sought reciprocity from government stakeholders for their work on shared-responsibility models and cloud security frameworks for some time.”
Anderson continued, “These frameworks are directly relevant to this review and should be examined in earnest. Equally relevant is CMMC and how it maps to FedRAMP. DOD has stated that this review will be complete by the end of FY2021. Contractors that have invested time and effort seeking FedRAMP authorization should be encouraged to leverage those investments to comply with CMMC.” -- Sara Friedman (firstname.lastname@example.org)