Within the Defense Industrial Base (DIB), there is considerable confusion about the concept of "FedRAMP equivalency" as it pertains to Cloud Service Provider (CSP) offerings. The purpose of the informational graphics shown below is to provide a comparison between the common frameworks relied upon by the DIB, specifically NIST SP 800-53 R5, FedRAMP R5, NIST SP 800-171 R2 and the Initial Public Draft (IPD) of NIST SP 800-171 R3.
For the DIB, the discussion really begins around Federal Information Processing Standards (FIPS) 199 and 200, since that is what sets the stage for utilizing the NIST SP 800-53 moderate baseline as a starting point to protect Controlled Unclassified Information (CUI). This concept is shown in greater detail on the second page of this document, but the summary concept is:
- When you follow the footnote to the bottom of page 5 of NIST SP 800-171 rev2, it states "the moderate impact value defined in [FIPS 199] may become part of a moderate impact system in [FIPS 200]," which requires the use of the moderate baseline in [SP 800-53] as the starting point for tailoring actions.
- From page 4 of FIPS 199, it states "the potential impact values assigned to the respective security objectives (confidentiality, integrity, availability) shall be the highest values (i.e., high water mark) from among those security categories that have been determined for each type of information resident..."
- From DFARS 252.204-7012(2)(ii)(D), this is where "FedRAMP equivalency" is stated: "...meets security requirements equivalent to those established by ... FedRAMP Moderate baseline."
The most important takeaways from this document should be:
- FedRAMP R5 (moderate) does not equal NIST SP 800-53 R5 (moderate) | FedRAMP R5 (moderate) > NIST SP 800-53 R5 (moderate)
- FedRAMP R5 (moderate) does not equal NIST SP 800-171 R2 or R3 IPD | FedRAMP R5 (moderate) > NIST SP 800-171 R2 or R3 IPD
- FedRAMP R5 (moderate) does not equal CMMC 2.0 Level 2 | FedRAMP R5 (moderate) > CMMC 2.0 Level 2
The infographic can be downloaded from: https://content.complianceforge.com/education/fedramp-equivalency.pdf