March 12, 2021

Last Updated on January 13, 2024

FedRAMP, the Federal Risk and Authorization Management Program, assesses the cybersecurity of cloud services on behalf of all US government agencies. You need a FedRAMP Authority to Operate (ATO) to sell to government agencies. But FedRAMP authorization, like its US Department of Defense (DoD) counterpart, the Cybersecurity Maturity Model Certification (CMMC), is a rigorous process that requires a third-party audit.

How do FedRAMP and CMMC relate? Why all the buzz around these two government cybersecurity programs? Will your business need to comply with both regulations? Is there a way to “double dip” your controls?

To get guidance on everything FedRAMP (and then some), we invited Stephen Halbrook, Partner and government compliance lead at Schellman & Co., to share his expertise on a recent episode of The Virtual CISO Podcast.

FedRAMP is certainly red-hot and getting hotter, as Steve indicates: “As of today, there are 200 systems that have been authorized [since FedRAMP began in 2011]. Of those, 64 were authorized in 2020. The first 100 were authorized over the first 6 years.”

That’s over a third of the nine-year total authorized in just one year. The reason is simple: a surge in government agencies’ adoption of cloud services. The success of the FedRAMP program is a big factor in this trend.

“We’ve seen just insane acceleration [in FedRAMP interest] in the past three or four months,” shares host John Verry, Pivot Point Security’s CISO and Managing Partner. “But I think anyone who’s looking at going FedRAMP right now is swimming upstream a little bit, because of CMMC. CMMC is so hot as well, and there’s not a wealth of really strong NIST experience out there.”

How might high demand for professional support around CMMC impact firms pursuing a FedRAMP ATO?

“I do think there is a shortage,” Steve concurs. “From a CMMC perspective, they’ve just now started granting provisional approval of C3PAOs, which is the credential for the firms to do the actual assessments. And even still, assessors need to get trained up and up to speed and have completed enough audits to be able to be a qualified assessor for CMMC.”

“So that’s going on and competing with a similar basket of resources that would perhaps work in FedRAMP as well, just given the tie-back to NIST 800-53. So I do think there are some limitations there,” Steve notes.

“Schellman will be a C3PAO, I’m sure,” responds John. “I’d say you’ll be doing CMMC audits with the same pool of guys that you designated for FedRAMP? Because they understand NIST. … Unless you’ve ‘been there, done that,’ you’re going to struggle a little bit to understand what the rigor is or how most entities interpret and hold somebody accountable to a particular piece of language. … And then we have the further vagueness of the fact that we don’t know how the C3PAOs are going to interpret how they’re being taught by the CMMC-AB to actually interpret and/or validate that.”

What about some kind of “reciprocity” for FedRAMP within CMMC? Or maybe vice versa?

“So if you’re FedRAMP authorized—let’s say you’re a FedRAMP Moderate ATO organization—would that basically make you CMMC Level 3 conforming? Have you heard that?” asks John.

“Yeah, we’ve started to see maybe the tune change a little bit on reciprocity from strongly stating that it wouldn’t happen, to now saying it’s likely to occur,” observes Steve. “But it’s not going to be blanket reciprocity one-for-one. I don’t think there’s going to be straight reciprocity between CMMC and FedRAMP, and I don’t see a situation where FedRAMP would accept CMMC.”

“I think it really comes down to scoping,” Steve clarifies. “The scope with CMMC isn’t really bound to an authorization boundary like FedRAMP. And for CMMC, the scope is likely to expand beyond the typical authorization boundary. Sure, there’s some overlap there in CUI [Controlled Unclassified Information]. But then CMMC looks at FCI [Federal Contract Information], which is almost always going to be outside of the FedRAMP system.”

“Scope, as always, rules,” remarks John.

What’s Next?

If your company covets a FedRAMP ATO, you’ll appreciate the up-to-the-minute insights in this podcast episode featuring Stephen Halbrook.

To hear the episode all the way through, click here. If you don’t use Apple Podcasts, you can find all the shows in our continuing podcast series here.
