
CMMC vs. FedRAMP: What You Should Know

In our post “The CMMC: What It Is, Why You Need It & How a Managed Service Provider Can Help,” we touched on everything from what the CMMC is, what it protects, its maturity levels, the benefits of having the CMMC, and how much the CMMC costs. (Since the publication of that post, CMMC 2.0 has launched.)

In this post, we’re going to dive a bit deeper into how the CMMC differs from FedRAMP, and why both can matter to you as a contractor.

Let’s dive in.

FedRAMP

The US General Services Administration’s (GSA) FedRAMP, or Federal Risk and Authorization Management Program, applies to cloud service providers whose offerings are used by any federal agency (not just DoD contractors) and exists to provide a uniform, reusable standard for security assessment, authorization, and continuous monitoring of cloud services across government agencies and their contractors.

Here’s a look at what the program requires:

FedRAMP’s requirements are organized into 17 primary categories, or “families,” of security controls drawn from NIST SP 800-53. These requirements are informed by OMB Circular A-130, the Federal Information Security Modernization Act (FISMA), and FedRAMP policy.

FedRAMP’s 17 families are:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Security Assessment and Authorization (formerly Certification, Accreditation, and Security Assessments)
  5. Configuration Management
  6. Contingency Planning
  7. Identification and Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical and Environmental Protection
  12. Planning
  13. Personnel Security
  14. Risk Assessment
  15. System and Services Acquisition
  16. System and Communications Protection
  17. System and Information Integrity

CMMC

The Cybersecurity Maturity Model Certification, on the other hand, is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB) sector and the Department of Defense (DoD) supply chain.

This cybersecurity program, built on training, certification, and third-party assessment, aims to measure the maturity of an organization’s cybersecurity processes and to demonstrate that the organization protects Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

Like FedRAMP, CMMC 1.0 defined 17 “domains” of cybersecurity, each grouping several capabilities. (Under CMMC 2.0, Level 2 follows the 14 control families of NIST SP 800-171, which do not include Asset Management, Recovery, or Situational Awareness.)

These include:

  1. Access Control
  2. Asset Management
  3. Audit and Accountability
  4. Awareness and Training
  5. Configuration Management
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical Protection
  12. Recovery
  13. Risk Management
  14. Security Assessment
  15. Situational Awareness
  16. System and Communications Protection
  17. System and Information Integrity

As we mentioned in the introduction, CMMC 2.0 was announced on November 4, 2021, after the publication of our first post on CMMC 1.0. One big change is that 2.0 streamlined the number of maturity levels from five to three.

  • CMMC 2.0 Level 1 – Foundational is aligned with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
  • CMMC 2.0 Level 2 – Advanced is aligned with NIST SP 800-171 (and also requires compliance with FAR 52.204-21)
  • CMMC 2.0 Level 3 – Expert is aligned with NIST SP 800-172 (and also requires compliance with FAR 52.204-21 and NIST SP 800-171)

The DoD implemented these changes in response to feedback received on CMMC 1.0. According to the Department’s website, the changes were made in order to:

  1. Reduce costs, particularly for small businesses
  2. Increase trust in the CMMC assessment ecosystem
  3. Clarify and align cybersecurity requirements to other federal requirements and commonly accepted standards

We get it—understanding all of these requirements and ensuring your security systems are up to date is an incredibly difficult task. That’s why we’re here to help.

Ready to get started? Send us a message today to learn how we can provide the experienced, knowledgeable CMMC 2.0 and FedRAMP support you need.
