CMMC Reciprocity & FedRAMP Reciprocity

0
27

Have you heard that Katie Arrington, Cybersecurity Maturity Model Certification (CMMC) lead and CISO for acquisition at the Department of Defense’s (DoD) Undersecretary of Defense, confirmed that the CMMC and FedRAMP (Federal Risk and Authorization Management Program) offices are working on a way to grant reciprocity between the two certifications? The FedRAMP Program Management Office has ensured that they are working through the CMMC reciprocity and FedRAMP reciprocity so that the taxpayers who have paid for FedRAMP need not pay again.

Arrington explained that the CMMC office has asked the accreditation body (CMMC-AB) to give reciprocity for any vendor that has the authority to operate with the Federal government through a third-party certification system, such as FedRAMP. There is, however, a condition.

Cloud providers that are FedRAMP-approved, to get the reciprocity, and they’re going to have to adjudicate their POA&Ms to get CMMC. Even cloud service providers that have FedRAMP high approval will have to close gaps “with the accreditation body in a way that they feel comfortable.

CMMC is all about securing supply chain. The main motto of CMMC is security of supply chain.

Recently it is announced that cloud computing vendors with FedRAMP authorizations will receive reciprocal authorizations for the new cybersecurity program. The Department of Defense (DOD) is developing a new cybersecurity standard and certification for contractors, the Cybersecurity Maturity Model Certification (CMMC). When fully implemented, all companies that seek to hold a contract with the DOD will be required to have their firm’s cybersecurity assessed and certified to meet specific requirements in those contracts.

Reciprocity across FedRAMP and CMMC will look like it still yet to be formally determined by DOD. One might assume that the DOD and the CMMC Accreditation Body overseeing the governance of third-party assessors is looking at the commonalities between the two assessment schemes and developing policies that would formalize such reciprocity arrangements. Ideally, once defined reciprocity would smooth the way for existing FedRAMP companies to quickly obtain their CMMC certifications. Reciprocity would also mitigate the burden on CMMC assessors and avoid additional bottlenecks due to high demand for assessments. Finally, reciprocity would help smooth the way for CMMC to move from concept to pilot to full implementation and take its place as regular part of the DOD acquisition landscape.

CMMC will become the basis for a global cybersecurity standard.

About CMMC Marketplace:

CMMC Marketplace binds needy government contractors who are looking to get cyber security maturity model certification (CMMC) compliance for their business/organization through qualified CMMC service providers. For more information visit our website https://cmmcmarketplace.org/