FedRAMP and CMMC: What is the Relationship?

FedRAMP and CMMC are cybersecurity compliance programs that organizations are often required to meet before they can win government contracts. While the two share many security goals, they are separate standards with separate assessment processes. Compliance with one does not make you compliant with the other.

Businesses that both work with the Department of Defense (DoD) and offer cloud services to federal agencies will typically need to demonstrate compliance with both CMMC and FedRAMP. This article explains what FedRAMP and CMMC each cover so you can understand their similarities and differences, and it outlines steps for achieving compliance with both standards more efficiently.

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is the government-wide standardized approach to security assessment, authorization, and continuous monitoring for cloud computing products and services that process unclassified federal information. Federal agencies are required to use FedRAMP-authorized Cloud Service Offerings (CSOs). A Cloud Service Provider (CSP) that wants to offer a CSO to federal agencies must obtain a FedRAMP designation to be listed on the FedRAMP Marketplace, and the security assessment supporting that designation must be performed by an accredited Third Party Assessment Organization (3PAO).

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a DoD program designed to protect sensitive data handled by the Defense Industrial Base (DIB). Where FedRAMP assesses a single cloud service offering within its authorization boundary, CMMC assesses the contractor's own information systems that store, process, or transmit the protected data, which makes it a broader standard in scope. Organizations must demonstrate CMMC compliance at the level specified in a contract to secure DoD work. The program gives the DoD increased assurance that contractors and subcontractors are actually meeting the cybersecurity requirements for the data they handle.

CMMC is designed to protect two types of data: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI is information, not intended for public release, that is provided by or generated for the federal government under a contract to develop or deliver a product or service.

CUI is information that is not classified but that a law, regulation, or government-wide policy requires to be safeguarded or have its dissemination controlled. Examples include:

  • Critical infrastructure data covering defense, nuclear, and natural resources systems
  • Financial records
  • International agreements
  • Defense information, both domestic and allied
  • Proprietary and statistical data held by government agencies

CMMC defines three certification levels. Each level has a different set of requirements and a different assessment type.

Level 1: Foundational

Level 1 is the target for organizations that handle FCI but not CUI. It covers the basic safeguarding requirements of FAR 52.204-21 and is demonstrated through an annual self-assessment and affirmation; no third-party assessment is involved.

Level 2: Advanced

Level 2 applies to organizations that handle CUI and aligns with the security requirements of NIST SP 800-171. It comes in two variants, and the contract specifies which one applies. Level 2 (Self) is demonstrated through a self-assessment every three years with an annual affirmation in between. Level 2 (C3PAO) requires a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO), also on a three-year cycle, and is required where the DoD judges the CUI involved to be more sensitive. Organizations that do not handle CUI at all fall under Level 1, not Level 2.

Level 3: Expert

Level 3 is the target for organizations handling CUI on high-priority DoD programs that face advanced persistent threats. It adds a subset of the enhanced requirements from NIST SP 800-172 on top of Level 2. Assessments for Level 3 are government-led, conducted by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and a Level 2 (C3PAO) certification is a prerequisite.

Overlapping FedRAMP and CMMC Compliance Efforts

CMMC is based on NIST SP 800-171. FedRAMP uses the NIST SP 800-53 security controls, with additional parameters and requirements that address the unique elements of cloud computing. The two catalogs have much in common: the 800-171 requirements were derived from the 800-53 moderate baseline, and NIST publishes a mapping between them. Organizations pursuing both FedRAMP and CMMC can therefore implement many controls once and have them advance both compliance efforts at the same time.

Here are some control families found in both NIST SP 800-171 and SP 800-53 that create overlapping requirements in FedRAMP and CMMC:

  • Access Control (AC): Implement role-based access, multi-factor authentication (MFA), and control access to systems and sensitive data.
  • Audit and Accountability (AU): Maintain audit logs, monitor user activity, and retain records for accountability.
  • Configuration Management (CM): Use baseline configurations, manage changes securely, and enforce configuration controls.
  • Incident Response (IR): Establish an incident response plan, conduct training, and ensure fast incident reporting.
  • System and Communications Protection (SC): Encrypt data in transit and at rest, implement boundary protections, and secure communications.
  • Personnel Security (PS): Screen personnel for security risks and enforce termination processes to remove access after employment ends.
  • System and Information Integrity (SI): Protect systems from malicious code, monitor for integrity violations, and apply security updates promptly.

Be careful about assumptions of reciprocity. There is no blanket reciprocity between the programs: a FedRAMP authorization, and certainly an ISO 27001 certificate, does not substitute for a CMMC assessment. What the DoD does allow is the use of cloud services that are FedRAMP Moderate authorized (or meet the FedRAMP Moderate equivalency criteria) to store, process, or transmit CUI, as required by DFARS 252.204-7012. The controls a contractor inherits from such a cloud service can be credited in its CMMC assessment, but they must be documented in the contractor's System Security Plan and the provider's customer responsibility matrix, and everything outside the CSP's boundary is still the contractor's job to implement and prove. Achieving compliance with both frameworks therefore requires separate efforts. For organizations working towards FedRAMP authorization and CMMC certification, here are some ways to leverage the overlaps and accelerate your compliance projects:

Map Controls

Create a mapping of CMMC practices to their corresponding FedRAMP controls (and vice versa), starting from the NIST SP 800-171 to SP 800-53 mapping that NIST provides and adjusting for the FedRAMP-specific parameters. This shows where existing compliance work already satisfies both frameworks, and, just as importantly, where a control is implemented for one framework but documented or tested differently for the other.

Implement Common Policies and Procedures

Develop a single set of policies, procedures, and technical controls written to satisfy the stricter of the two requirements wherever they differ, so that one implementation and one body of evidence serves both frameworks and duplicated work is avoided.

Use FedRAMP-Authorized CSPs

Where possible, use only FedRAMP-authorized cloud service providers, and for any service that will touch CUI, one that is FedRAMP Moderate authorized or equivalent. Many of the provider's implemented controls will align with CMMC requirements, easing your burden. The inheritance is not automatic, though: the provider's authorization only covers what is inside its boundary, so record which controls you inherit, which are shared, and which remain yours in your System Security Plan and customer responsibility matrix.

Centralize Documentation

Maintain a single, unified repository of compliance evidence and documentation, organized by control, that can support both FedRAMP and CMMC assessments, so that each artifact is collected once and referenced from both.

Continuous Monitoring Practices

Both programs expect security to be maintained between assessments, not just demonstrated at them. FedRAMP requires formal continuous monitoring, including regular vulnerability scanning, annual reassessment, and reporting of changes and incidents. CMMC requires annual affirmations that the assessed posture is still in place, backed by the ongoing monitoring the controls themselves demand. Build or extend one continuous monitoring practice that meets the requirements of both rather than running two parallel programs.

CompliancePoint has a team of experienced cybersecurity professionals who can guide your organization through designing and implementing security controls that satisfy FedRAMP and CMMC requirements. Contact us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.