In this episode of The CMMC Compliance Guide Podcast, Brooke and Stacey from Justice IT Consulting dive deep into the critical distinctions between FedRAMP Authorization and FedRAMP Equivalency. Whether you're leveraging cloud services for compliance or planning your next steps in CMMC certification, understanding these two pathways is crucial. We break down the key differences, discuss how each impacts your compliance journey, and provide actionable advice to help you make the right choice for your business.
Tune in to learn:
- What FedRAMP is and why it matters for cloud security.
- The pros and cons of Authorization vs. Equivalency.
- How each option affects your CMMC assessment timelines and costs.
- Practical tips to stay ahead in your compliance efforts.
Got questions? We’re answering them for free on the podcast! Reach out via text, email, or call at cmmccomplianceguide.com.
Don't miss this essential episode—subscribe now and stay compliant, stay secure!
[00:00:21] Welcome to the CMMC Compliance Guide Podcast. I'm Stacey. And I'm Brooke. From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all those secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're talking FedRAMP. If you're relying on cloud services
[00:00:51] for compliance, understanding the differences between FedRAMP authorization and equivalency is crucial. It can impact timelines, costs, and the level of effort required during your CMMC assessment. So Brooke, can you tell us what is FedRAMP? Sure. FedRAMP is the Federal Risk Authorization Management Program. There are different levels of it, but it's basically a set of standards
[00:01:19] for cloud service providers like Microsoft, Google, Amazon, and a ton of others. It's a framework with some stringent security standards for them to follow to make sure federal agency data is kept safe.
[00:01:38] And specifically, for us, dealing with the DOD and CMMC, it's a place where we can rest assured that CUI and SPD can be stored safely. CUI is controlled unclassified information and SPD is security protection data. Can you tell us what the key characteristics are for
[00:02:04] FedRAMP authorization? Sure. So FedRAMP authorization is really an ATO, an authorization to operate. The government gives you authorization to operate and sell your services to federal agencies, in this case the DOD. So there has to be a sponsoring agency, like the DOD in this case, that sponsors a company, a cloud service
[00:02:32] provider, to go through the FedRAMP process. It's also considered a more permanent solution than FedRAMP equivalency, which is what we're comparing it to, because it can be reused across other agencies. Once you're on the FedRAMP marketplace, you're on the FedRAMP marketplace. There is a continuous monitoring portion of it and other things, but as opposed to equivalency, you're on the FedRAMP marketplace and
[00:02:59] they can basically shop with you. It also helps out with assessments, which may be the next question, I think. Yes. So really what we're looking for is, what does the process look like for FedRAMP authorization? What would that look like for our listeners who are seeking that? Yeah. So, at a high level, the process is,
[00:03:25] there's a sponsoring agency, in this case the DOD, that has to sponsor you to be able to go through it. So if there's not a federal agency that wants your product, you're just kind of out of luck, but one of them can sponsor you. You go through a readiness assessment, you engage with a C3PAO, excuse me, a 3PAO,
[00:03:49] same concept, except a C3PAO is a CMMC third party assessment organization. This is just a third party assessment organization, so it's a 3PAO. They do the assessment, they generate their documents and their reports, and then the sponsoring agency approves you or not. Anyway, the sponsoring agency approves you after that. Are there any advantages to FedRAMP authorization? There are
[00:04:18] advantages other than being able to be resold across federal agencies. That's of course one, you know, that other agencies can go through the process and use you for their services as well. But the one big advantage as far as CMMC goes is that it effectively cuts, that may be a bad word to use, but effectively lowers the amount of hours used to do the
[00:04:47] assessment when you compare FedRAMP equivalency versus FedRAMP authorized. So if you have authorized, you say, here's my authorization, and we're good to go. That's about as far as the assessor needs to check into it at that point. Can you tell us how working with FedRAMP authorized services simplifies the CMMC assessment process for businesses? Yeah, I can. And actually,
[00:05:16] I think I probably just spilled the beans there in the previous answer, but yes, during a CMMC certification assessment, if you have a FedRAMP authorized service as opposed to a FedRAMP equivalent service, like I said, you basically show them the certificate, the FedRAMP authorization, they verify that, and they're good to go. If it's equivalency, then they have to go through the
[00:05:46] whole body of evidence. So it's a lot quicker there. You've mentioned FedRAMP equivalency a couple of times. Could you go into the key characteristics of FedRAMP equivalency? Sure. So FedRAMP equivalency is basically a snapshot of a cloud service provider being FedRAMP equivalent. They don't go through
[00:06:13] the same process, but it's still rigorous. The way the DOD defines it, official FedRAMP equivalency, I guess, they have to go through the same process using a 3PAO, and they have to come in and assess the organization. They still have to generate the documents, but they don't go through the rest of the process
[00:06:37] of the DOD then going through all that, reviewing everything and then approving it. But you get those documents, you get that equivalency, and then you can use that equivalency. However, in the CMMC process, as I mentioned a while ago, the assessor still has to go through all of that documentation of the body of evidence and
[00:07:03] customer responsibility matrix and all that, of course, to verify that product, that cloud service offering, is still valid, still equivalent. Is there a specific process that our listeners need to be aware of when it comes to FedRAMP equivalency? The process I kind of went over, but the 3PAO has to do their due diligence and
[00:07:28] make sure that you cover all controls and that there are no POAM items, and they have to generate their security assessment plan and security assessment report. All that is very time intensive with a 3PAO. So neither the authorization process nor the equivalency process is cheap or easy, I can tell you that, but
[00:07:53] yes, they start with that 3PAO and go through that process and generate the security assessment plan and security assessment report. Are there any challenges when it comes to FedRAMP equivalency? Yes. As far as CMMC goes, again, I've already said this, but I'll say it again,
[00:08:16] with equivalency, each time you get a certification assessment, the assessor has to go through the body of evidence, the security assessment report, the security assessment plan, and their body of evidence, and figure out if they're still FedRAMP equivalent
[00:08:42] or not. They have to go through all that, as opposed to FedRAMP authorization, where you say, here's the authorization right here, and they say, okay, that cloud service offering is good. Is there anything else businesses should keep in mind when it comes to using FedRAMP equivalent services during their CMMC assessment? Yeah, really, it's just the time involved in using a FedRAMP,
[00:09:10] when you use a FedRAMP equivalency cloud service offering, the time involved in doing the assessment is going to be greater than one where it's FedRAMP authorized. You've mentioned now FedRAMP authorization and equivalency. Can you give us the key characteristic differences of FedRAMP authorization versus equivalency? Yeah, sure. So FedRAMP authorization
[00:09:40] is a more permanent solution. It requires a sponsoring agency, and you're basically good after that. There are other things that go into it, this is a very high level, but you're good after that. And equivalency, like I said, is a point in time assessment, and it requires a lot more time on the assessor's part to review the FedRAMP equivalent cloud service
[00:10:08] offering that you may be using. Are there any significant impacts on businesses that do get certified? With FedRAMP authorized, again, it's really just going to take less time. With FedRAMP equivalency, whatever cloud service offerings you may have, if you have two or three that are equivalent and not just one, you know, it's going to take more time for the assessor to go through those and assess those. So that means more time,
[00:10:37] more money for you, and the assessor of course. And you know, you can always run into trouble getting the body of evidence and getting all the documentation. You've got to do that well in advance because it's not always very easy to get that from the vendor. If you're getting it from Microsoft, you can get it, but it very well may not be very quick
[00:11:03] at all. So, yeah, there's that. There's time everywhere with equivalency, and with FedRAMP authorized, it's just a whole lot easier. When should you use FedRAMP authorized versus FedRAMP equivalent services? Well, really, as far as when you should use one over the other, I would say, if at all possible, you should use FedRAMP
[00:11:32] authorized services. They'll make your life a whole lot easier, and there's less documentation to have to keep track of and gather from the vendors. FedRAMP equivalency, if you just can't find what is in your budget or what quite fits your needs in the FedRAMP marketplace, what's authorized for the DOD, then you
[00:12:00] can go FedRAMP equivalency, but you've just got to keep in mind that you're going to need that documentation. And, like I said, it could be the 10th of never when you get that, or the 10th of almost never maybe, when you get that documentation from companies like Microsoft. Or, you know, I guess it's possible the assessor may want more paperwork than was provided. But, you know, FedRAMP equivalency can be used and
[00:12:29] can be done. But it's a lot more time intensive. So if you can, it's always best to use FedRAMP authorized. What should companies do to plan ahead when it comes to choosing FedRAMP authorized versus equivalent services? Well, really, just engage that CSP early, figure out if they're FedRAMP authorized or FedRAMP,
[00:12:55] I can't speak today, FedRAMP equivalent. If they're neither, it's a no-go if it's CUI or SPD. Figure out if they're either authorized or equivalent, and then if they're equivalent, you'll either have to sign an NDA, or you'll probably have to sign an NDA. It'll be a process to get that paperwork because they don't just want to turn it over to
[00:13:20] anybody. So going through a company that's FedRAMP equivalent, you've just got to start early and make sure you have that paperwork as soon as possible. Well, that wraps up our episode on FedRAMP authorization and FedRAMP equivalency. If you have any questions about what we covered today, please feel free to reach out to us. We're here to help and fast-track your compliance journey. So please, please, please text, email,
[00:13:49] or call in your questions. We'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure.

