What CMMC can and should learn from FedRAMP

In our role as NIST 800 series and Risk Management Framework (RMF) subject matter experts, we’ve worked closely with both third-party assessment organizations (3PAO) and companies at different points of the package process for Federal Risk and Authorization Management Program (FedRAMP) authorization. I’ve seen the evolution of FedRAMP over the past 8 years from concept to execution. Given the similarities in the model to FedRAMP, the cybersecurity maturity model certification (CMMC) team is surely paying close attention to the history and execution of FedRAMP. Here’s what I hope they learn.

1.     Reciprocity. FedRAMP compliance is no small effort, and I would hate to see CMMC diminish those efforts by requiring recertification. Any changes to FedRAMP stemming from CMMC should be gradual and slow. Let CMMC develop and marinate in the real world for at least a year, before trying to apply it FedRAMP (or any other cyber compliance standards for that matter). Platforms, applications, and systems certified on FedRAMP should be granted reciprocity with CMMC, as should FedRAMP certified 3PAOs. This can be done by mapping CMMC to FedRAMP, and then training all FedRAMPs on the mapping. We can take it from there as mapping security controls and impact levels are what we do for a living.

 Assuming reciprocity comes to fruition, CMMC should leverage FedRAMP to do some of the work for them. The Pentagon should become a sponsoring agency for SaaS providers to defense contractors. This would enable them to get the FedRAMP low certification. Currently, these providers can’t get certified because they don’t sell to the government (sponsor), but are part of the DIB supply chain and attack surface. Doing this will potentially drive down the cost of FedRAMP low certification, resulting in more SaaS providers going that route and improving the overall supply chain security. This makes auditors lives easier and automation more possible as contractors move to the cloud.

2.     The accrediting body. The board looks good, although I have some conflict of interest concerns as some members are clearly service providers, providing them a head start and credibility advantage against their competitors. I would have like to have seen the search for board members last longer than 6 days and be better publicized outside the beltway. That said, the approach is correct in building this from the ground up. This is not something that an RFP could have accomplished. No non-profit has the capability set to train, certify and maintain the quality of the expected volume of auditors. My main point of advice to the accrediting body at this point is to let the market do the work for you, don’t overstep and over-regulate something you won’t be able to control. This is too big, focus instead on putting the right structure in place to let market forces work. 

3.     One Standard. CMMC’s focus is much broader than FedRAMPs, and eventually, I would think FedRAMP will fall under CMMC in some way. There can only be so many different cyber standards from the federal government, and early indications that CMMC is trying to be THE cyber standard. If that turns out to be the case, all other standards will either cease to exist or consolidate under CMMC. This doesn’t mean FedRAMP will change significantly, it just means it will be mapped to CMMC impact levels and nomenclature. Semantics really, but the premise of certifying cloud providers’ products and services who want to sell to the government will remain. As mentioned above, this change begins with reciprocity and should be gradual, over the course of a few years, not overnight.

-----------

Chris is the founder and managing partner of Ariento, a cybersecurity, IT and compliance service provider to small and mid-sized organizations. His background in information security began at a Fortune 200 company in 2006. He left to serve six years in the United States Marine Corps (USMC) where he was the country Chief Information Security Officer (CISO) for the Republic of Georgia, a role in which he built, secured and successfully protected the USMC cyber architecture in a highly vulnerable cyber threat environment. Upon returning to the United States, Chris pursued an MBA and Masters of Computer Science from UCLA and worked for the MITRE Corporation as a cybersecurity engineer, a role in which he identified more than 1,000 vulnerabilities and recommended fixes in national security software. Chris gives back to the cyber community through serving on numerous boards, appearing as a regular speaker for various outlets including the Wall Street Journal, and teaching topics of cybersecurity and privacy at UCLA and other institutions.