FedRAMP and SPAs under CMMC

By Jake Williams

Disclaimer: This is my personal work and references other works or people who have been helpful in getting this information together. It is not the opinion or work of my employer, now or in the future, and was done on my own time. If you like what I wrote, then my employer gets credit for hiring such a smart guy. If you don’t like it, then don’t blame my employer.

Summary

This article discusses the FedRAMP requirements in DFARS 252.204-7012, how they currently tie into CMMC, and the Security Protection Asset (SPA) category introduced in CMMC 2.0.

FedRAMP in 7012

If you look at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (the clause text is published with the rest of DFARS 252.204 on osd.mil), you'll see an explicit statement of when FedRAMP comes into play. From 7012(b)(2)(ii)(D), the requirement applies when you "use an external cloud service provider to store, process, or transmit any covered defense information" in performance of the contract; in that case the contractor must require and ensure that the cloud service provider meets security requirements equivalent to the FedRAMP Moderate baseline. There is no other place where 7012 references FedRAMP, so this is the only determination under 7012 of when FedRAMP (or FedRAMP Moderate equivalency) is required.

If you reference my earlier article on what CUI is (Understanding CUI - a DIB perspective | LinkedIn), it is the data itself that is CUI, not other information about what you are doing. Based on that definition, any use of a cloud service that does not involve CUI would not require FedRAMP. Examples I have considered that would not be CUI, and for which you may use a cloud service, are logs sent to a SIEM (provided the log content itself does not contain CUI), multifactor authentication, and DNS lookups.

Security assets in 800-171

800-171 Rev. 2 added the following sentence to the Abstract, which made things unclear: "The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components." There has been a lot of discussion about which requirements apply to systems that only provide protection.

SPAs in CMMC

CMMC version 2 (https://www.acq.osd.mil/cmmc/docs/Scope_Level2_V2.0_FINAL_20211202_508.pdf) introduced the term SPA to explain the requirements that apply to a system that does not hold CUI data but provides protection for systems that do. The term SPA does not exist in 800-171 or 7012; it is an attempt to clarify when systems need to be assessed against all controls or only a subset.

If you are trying to determine whether an asset is a CUI asset or an SPA, first determine whether the asset stores, processes, or transmits CUI. If it does, it is a CUI asset. If it does not but provides security functions or capabilities to CUI assets, it is an SPA. The CMMC version 2 Level 2 scoping guide specifically calls out a SIEM that does not process CUI as an example of an SPA, and it assesses SPAs against the Level 2 practices relevant to the capabilities they provide rather than against every practice.

Putting it together


As things stand now, there is nothing in CMMC that would require FedRAMP for SPAs. This isn't to say that the DoD wouldn't require it in the future, but there isn't any information that I can find in the current laws or regulations indicating that it is required.

Marshall Howard

EVP - Waterleaf International LLC and Cyberleaf. CMMC Lead CCA

1 yr

What is the latest on this? I've seen "2.1"; any other thoughts?
Mike Lombardi

IT & Cybersecurity Professional | Navy Veteran | CISSP | M.S. | Azure and M365 SME | CMMC | NIST SP 800-53 | RMF

2 yr
Kenneth Benjamin

Cloud PC Enclaves for CMMC / NIST 800-171 deployed into your Azure tenant with compliance documentation. Ready in a few days. Get compliant in a few weeks. Save up to 70% over one-off solutions.

2 yr

The SPA is in scope for the OSC. This is a key point. What role within the overall security architecture does it play? That's going to determine the controls that apply. For example, a SIEM plays a role but shouldn't contain CUI. It satisfies select parts of the overall compliance picture but is not a CUI asset. When assessed in context and scope, it forms a component of the assessed system, not a system unto itself. The details will matter. An SPA that hosts CUI on a third-party system is likely to be either fully in scope or, more likely, be a cloud service subject to FedRAMP. There are many shades of grey between these two and beyond.
Richard Okrasinski, CISSP/CEH/MBA/PMP

The use of technology, not THE Technology, is what will complete the mission.

3 yr

I am looking for a course/training/certification/cheat sheet on the differences and similarities for a CUI DIB company. I am capable (famous last words) of doing this for the company, but keeping track of all the different requirements would be helpful. Any ideas? #cmmc #fedramp #notopentospam #stoplearningyoudie
Mike Buzard

InfoSec / GRC professional

3 yr

The only bit I'll add from 2.5 years of performing FedRAMP assessments is that the FedRAMP program considered both the direct data and the metadata (so the SIEM, since it would include host IP addresses, for example) to be under the purview of the FedRAMP requirements. Differentiating the two seems, unless FedRAMP has changed since I left that role last fall, to be a uniquely CMMC thing.
