If your company seeks lucrative contracts with the US Department of Defense (DoD) or other governmental agencies, you’ll need to keep your cybersecurity up to date. In practice, that means complying with several cyberdefense frameworks, many of which overlap in critical ways. Read on to learn all about CMMC vs. FedRAMP regulatory compliance.
Regulatory Comparison: CMMC vs. FedRAMP
Government agencies are attractive targets for cybercrime; they host valuable information, from defense data to market and geopolitical insights. For these reasons, working with agencies requires implementing advanced security controls.
This guide breaks down all you need to comply with CMMC and FedRAMP, including:
- An overview of the CMMC and a deep dive into its required practices
- A comparative look at FedRAMP and a deep dive into its requirements
Then, we’ll close with some valuable resources that should help you comply with both in pursuit of lucrative contracts with the DoD (and other government agencies).
Let’s get started.
Overview of CMMC Framework
The CMMC, or Cybersecurity Maturity Model Certification, is a publication of the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD–A&S). It exists to protect controlled unclassified information (CUI) and federal contract information (FCI) across the Defense Industrial Base (DIB) sector. The CMMC applies primarily to DoD contractors.
The CMMC comprises five “Maturity Levels.” Each maturity level has a particular focus (like finalizing CUI protection at Level 3). Each level requires implementation of several “Practices” (171 total) and institutionalization of “Processes.” The Practices themselves are distributed across 17 “Domains” of Cybersecurity, each of which satisfies several “Capabilities” or goals.
Breakdown of CMMC Requirements
The requirements of the CMMC, sourced from version 1.02, break down as follows:
- Access Control (AC) – Restricting access to protected information through robust account and session management protocols across four Capabilities and 26 Practices
- Asset Management (AM) – Governing safeguards for inventorying and indexing all hardware and software relevant to security across two Capabilities and two Practices
- Audit and Accountability (AU) – Specifying how often audits should occur, as well as protocols for logging and audit log security, across four Capabilities and 14 Practices
- Awareness and Training (AT) – Requiring regular training of all personnel levels to bolster staff security and IT awareness, across two Capabilities and five Practices
- Configuration Management (CM) – Requiring the immediate removal and replacement of default security settings with more robust ones, across two Capabilities and 11 Practices
- Identification and Authentication (IA) – Building on AC controls, specifying user credentials and account security features, across one Capability and 11 Practices
- Incident Response (IR) – Defining immediate, short term, and long term plans for responding to security incidents as they occur, across five Capabilities and 13 Practices
- Maintenance (MA) – Governing schedules and protocols for routine maintenance, as well as proactive and reactive reparative work, across one Capability and six Practices
- Media Protection (MP) – Defining safeguards for software and hardware containing or connected to protected classes of information, across four Capabilities and eight Practices
- Personnel Security (PS) – Integrating security measures into recruitment, onboarding, movement, and termination of staff at all levels, across two Capabilities and two Practices
- Physical Protection (PE) – Restricting access to spaces and devices containing or connected to protected classes of information, across one Capability and six Practices
- Recovery (RE) – Governing planning and execution of practices for stopping attacks, recovering from them, and preventing recurrence, across two Capabilities and four Practices
- Risk Management (RM) – Governing the organization’s systematic approach to risk identification, analysis, prevention, and mitigation, across three Capabilities and 12 Practices
- Security Assessment (CA) – Specifying scheduling and other protocols for regular assessments, distinct from and in addition to AU, across three Capabilities and eight Practices
- Situational Awareness (SA) – Requiring gathering and mobilization of threat data specific to the company’s security environment, across one Capability and three Practices
- Systems and Communications Protection (SC) – Protecting information traveling in and between internal and external networks, across two Capabilities and 27 Practices
- System and Information Integrity (SI) – Ensuring that security measures are fully delivered and that all identified flaws are corrected immediately, across four Capabilities and 13 Practices
Overview of FedRAMP Program
FedRAMP’s full title is the “Federal Risk and Authorization Management Program.” It falls under the jurisdiction of the US General Services Administration (GSA), and it exists to create uniform security standards for cloud computing across all government agencies and contractors. Unlike the CMMC, it’s required for nearly all contractors, not just DoD contractors.
Like the CMMC, FedRAMP’s requirements break down across 17 primary categories, or “Families,” informed by the Federal Information Security Modernization Act (FISMA) and OMB Circular A-130. The 17 Families break down into 113 “Low Count” and 170 “Moderate Count” controls, not including several applicable “enhancements.”
Breakdown of FedRAMP Requirements
Per GSA’s FedRAMP SSP Control guide, the families and controls break down as follows:
- AC: Access Control – Building on the AC domain from the CMMC with 11 Low Count controls (no enhancements) and 17 Moderate controls (24 enhancements)
- AT: Awareness and Training – Building on the AT domain from the CMMC with four Low Count controls (no enhancements) and four Moderate controls (no enhancements)
- AU: Audit and Accountability – Building on the AU domain from the CMMC with ten Low Count controls (no enhancements) and 12 Moderate controls (nine enhancements)
- CA: Certification, Accreditation, and Security Assessments – Governing compliance, with six Low Count controls (one enhancement) and six Moderate controls (two enhancements)
- CM: Configuration Management – Building on the CM domain from the CMMC with six Low Count controls (no enhancements) and nine Moderate controls (12 enhancements)
- CP: Contingency Planning – Ensuring smooth recovery and continuity, with six Low Count controls (no enhancements) and nine Moderate controls (15 enhancements)
- IA: Identification and Authentication – Building on the IA domain from the CMMC with seven Low Count controls (two enhancements) and eight Moderate controls (ten enhancements)
- IR: Incident Response – Building on the IR domain from the CMMC with seven Low Count controls (no enhancements) and eight Moderate controls (four enhancements)
- MA: Maintenance – Building on the MA domain from the CMMC with four Low Count controls (no enhancements) and six Moderate controls (six enhancements)
- MP: Media Protection – Building on the MP domain from the CMMC with three Low Count controls (no enhancements) and six Moderate controls (five enhancements)
- PE: Physical and Environmental Protection – Similar to the PE CMMC domain, with 11 Low Count controls (no enhancements) and 18 Moderate controls (five enhancements)
- PL: Planning – Governing protocols for preparation and continuous planning, with four Low Count controls (no enhancements) and five Moderate controls (no enhancements)
- PS: Personnel Security – Building on the PS domain from the CMMC with eight Low Count controls (no enhancements) and eight Moderate controls (no enhancements)
- RA: Risk Assessment – Governing systematic risk analysis and mitigation, with four Low Count controls (no enhancements) and four Moderate controls (five enhancements)
- SA: System and Services Acquisition – Ensuring safe, secure procurement, with eight Low Count controls (no enhancements) and 12 Moderate controls (seven enhancements)
- SC: System and Communications Protection – Building on SC from the CMMC with eight Low Count controls (one enhancement) and 24 Moderate controls (16 enhancements)
- SI: System and Information Integrity – Building on the SI domain from the CMMC with six Low Count controls (no enhancements) and 12 Moderate controls (nine enhancements)
Compliance and Cyberdefense, Professionalized
RSI Security offers robust, customizable CMMC certification and FISMA advisory service packages to help companies meet all requirements to work with government agencies. We understand that compliance for DIB and other government contractors is critical to the safety of all US citizens.
We also know that compliance is not the end of security. It’s just the beginning. That’s why we also offer a wide range of cybersecurity solutions for companies of all industries and sizes. No matter your needs (CMMC vs. FedRAMP, web filtering vs. cloud security, etc.), we have you covered! Contact RSI Security today to see just how robust your cyberdefenses can be.