The issue of CMMC vs FedRAMP can be a confusing one. Some businesses may need one or the other while others may need both. With that in mind, here is a quick guide to what you need to know about CMMC vs FedRAMP.
CMMC stands for Cybersecurity Maturity Model Certification. It measures the effectiveness of an organization’s cybersecurity. CMMC is required for entities participating in the Defense Industrial Base (DIB) sector and the Department of Defense (DOD) supply chain.
FedRAMP stands for Federal Risk Authorization Management Program. It is a cloud-specific security certification. FedRAMP is required for all cloud service providers handling data for federal government agencies.
Acquiring CMMC certification is really only a business benefit if you specifically want to work in the DIB. FedRAMP, by contrast, is widely regarded as the gold standard in cloud security. It is therefore highly in demand by state and local agencies. Many businesses and other private organizations also request FedRAMP.
Even though CMMC and FedRAMP are both ultimately based on NIST specifications, their certification frameworks and processes are clearly different.
At present, CMMC has five levels. This is due to be streamlined to three. These will be foundation, advanced and expert.
The foundational level is for contractors handling Federal Contract Information (FCI). The advanced level is for contractors handling Controlled Unclassified Information (CUI). It is essentially a replica of NIST SP 800-171. The expert level is only required for contractors handling the most sensitive information. It will still be based on NIST SP 800-171 but will contain elements of NIST SP800-172.
FedRAMP also has three main impact levels. These are high, medium, and low. There is a fourth level officially called Low-Impact Software-as-a-Service (Li-SaaS) and probably better known as FedRAMP Tailored. As its name suggests, however, this is exclusively for low-impact SaSS, particularly collaborative tools.
With FedRAMP, each government agency categorizes the level of security it requires for each type of data it handles. FedRAMP-compliant CSPs can bid on any project at the level for which they are certified (or below).
FedRAMP is based on NIST SP 800-53 but is both broader and deeper. It is broader in the sense that it expands upon the NIST SP 800-53 controls and deeper in the sense that it is focused purely on the cloud. CMMC by contrast applies in any environment.
The DOD recognizes FedRAMP audits (and ISO 27001 audits) for any relevant aspects of CMMC compliance. With that said, there are still major differences between the process for achieving compliance with CMMC vs FedRAMP.
As the system currently stands, third-party certification is required for levels one, three, and five. Levels two and four do not require certification.
When the system changes, level one will require an annual self-assessment. Level two will require tri-annual external assessments. Some programs will require annual external assessments. Level three will require triannual government-led assessments.
At present, there are no known plans for changes to the FedRAMP compliance system. This can be achieved either through validation with any government agency or through validation from the Joint Advisory Board (JAB).
The main difference between the two processes is that the agency process starts with partnership establishment. The JAB process starts with a readiness assessment and FedRAMP connect. In the agency process, businesses have the option to undertake a readiness assessment. It’s highly recommended that they do so but it is still optional.
The following stages of the process are the same for both routes. They are a full security assessment, the authorization process itself, and then continuous monitoring via ongoing security audits.
Technically only the agency process results in a full authorization to operate (ATO). JAB can only provide a provisional authorization to operate PATO. In reality, the two authorization processes have equal standing.
It’s very difficult to provide hard-and-fast guidance on the timescale and/or costs for achieving CMMC vs FedRAMP. This is because they will depend partly on what level you want to achieve and partly on where you are now.
As a rough guideline, however, CMMC levels 1 and 2 (or foundation) and FedRAMP low can, in principle, both be achieved in about three months. CMMC levels 3 and 4 (or advanced) and FedRAMP medium can be achieved in 6-12 months. CMMC level 5 (or expert) and FedRAMP high are both likely to take at least 12 months.
Is CMMC Cloud Certification Worth The Effort?
Discover the DataBank Difference today:
Hybrid infrastructure solutions with boundless edge reach and a human touch.