DataBank Establishes $725M Financing Facility to Support Growth. Read the press release.

What You Need to Know About CMMC vs. FedRAMP: Key Differences

What You Need to Know About CMMC vs. FedRAMP: Key Differences

The issue of CMMC vs FedRAMP can be a confusing one. Some businesses may need one or the other while others may need both. With that in mind, here is a quick guide to what you need to know about CMMC vs FedRAMP.

What exactly is CMMC vs FedRAMP

CMMC stands for Cybersecurity Maturity Model Certification. It measures the effectiveness of an organization’s cybersecurity. CMMC is required for entities participating in the Defense Industrial Base (DIB) sector and the Department of Defense (DOD) supply chain.

FedRAMP stands for Federal Risk Authorization Management Program. It is a cloud-specific security certification. FedRAMP is required for all cloud service providers handling data for federal government agencies.

The business benefits of CMMC vs FedRAMP

Acquiring CMMC certification is really only a business benefit if you specifically want to work in the DIB. FedRAMP, by contrast, is widely regarded as the gold standard in cloud security. It is therefore highly in demand by state and local agencies. Many businesses and other private organizations also request FedRAMP.

The framework of CMMC vs FedRAMPs

Even though CMMC and FedRAMP are both ultimately based on NIST specifications, their certification frameworks and processes are clearly different.

The framework of CMMC

At present, CMMC has five levels. This is due to be streamlined to three. These will be foundation, advanced and expert.

The foundational level is for contractors handling Federal Contract Information (FCI). The advanced level is for contractors handling Controlled Unclassified Information (CUI). It is essentially a replica of NIST SP 800-171. The expert level is only required for contractors handling the most sensitive information. It will still be based on NIST SP 800-171 but will contain elements of NIST SP800-172.

The framework of FedRAMP

FedRAMP also has three main impact levels. These are high, medium, and low. There is a fourth level officially called Low-Impact Software-as-a-Service (Li-SaaS) and probably better known as FedRAMP Tailored. As its name suggests, however, this is exclusively for low-impact SaSS, particularly collaborative tools.

With FedRAMP, each government agency categorizes the level of security it requires for each type of data it handles. FedRAMP-compliant CSPs can bid on any project at the level for which they are certified (or below).

FedRAMP is based on NIST SP 800-53 but is both broader and deeper. It is broader in the sense that it expands upon the NIST SP 800-53 controls and deeper in the sense that it is focused purely on the cloud. CMMC by contrast applies in any environment.

Achieving compliance with CMMC vs FedRAMP

The DOD recognizes FedRAMP audits (and ISO 27001 audits) for any relevant aspects of CMMC compliance. With that said, there are still major differences between the process for achieving compliance with CMMC vs FedRAMP.

Achieving compliance with CMMC

As the system currently stands, third-party certification is required for levels one, three, and five. Levels two and four do not require certification.

When the system changes, level one will require an annual self-assessment. Level two will require tri-annual external assessments. Some programs will require annual external assessments. Level three will require triannual government-led assessments.

Achieving compliance with FedRAMP

At present, there are no known plans for changes to the FedRAMP compliance system. This can be achieved either through validation with any government agency or through validation from the Joint Advisory Board (JAB).

The main difference between the two processes is that the agency process starts with partnership establishment. The JAB process starts with a readiness assessment and FedRAMP connect. In the agency process, businesses have the option to undertake a readiness assessment. It’s highly recommended that they do so but it is still optional.

The following stages of the process are the same for both routes. They are a full security assessment, the authorization process itself, and then continuous monitoring via ongoing security audits.

Technically only the agency process results in a full authorization to operate (ATO). JAB can only provide a provisional authorization to operate PATO. In reality, the two authorization processes have equal standing.

Timescale and costs for achieving CMMC vs FedRAMP

It’s very difficult to provide hard-and-fast guidance on the timescale and/or costs for achieving CMMC vs FedRAMP. This is because they will depend partly on what level you want to achieve and partly on where you are now.

As a rough guideline, however, CMMC levels 1 and 2 (or foundation) and FedRAMP low can, in principle, both be achieved in about three months. CMMC levels 3 and 4 (or advanced) and FedRAMP medium can be achieved in 6-12 months. CMMC level 5 (or expert) and FedRAMP high are both likely to take at least 12 months.


Read More:

Is CMMC Cloud Certification Worth The Effort?

Should You Become FedRAMP PaaS Compliant?

Share Article


Discover the DataBank Difference

Discover the DataBank Difference

Explore the eight critical factors that define our Data Center Evolved approach and set us apart from other providers.
Download Now
Get Started

Get Started

Discover the DataBank Difference today:
Hybrid infrastructure solutions with boundless edge reach and a human touch.

Get A Quote

Request a Quote

Tell us about your infrastructure requirements and how to reach you, and one of the team members will be in touch.

Schedule a Tour

Tour Our Facilities

Let us know which data center you’d like to visit and how to reach you, and one of the team members will be in touch shortly.