How do you know if your Cloud Service Provider (CSP) can handle Controlled Unclassified Information (CUI)? What if they don’t have FedRAMP compliance?
Getting your organization’s Supply Chain compliance accomplished is a critical part of your business maintaining its own compliance. This article will help guide you through the potential pitfalls the CSP may lead you down.
One thing to remember as you go through this article, almost all Managed Service Providers (MSP) and Managed Security Service Providers (MSSP) are using a CSP behind the scenes to do the work.
The Key DFARs Clause
Everything we will cover is based on the DFARS 52.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting clause at https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012). Understanding this clause is critical to organizations required to maintain compliance with the clause and NIST SP #800-171.
Just in case you didn’t catch that, if your organization is bound directly or indirectly because you handle or have any form of access to CUI or “the Government’s IP,” your organization must comply with all related DFARs clauses and NIST SP 800-171.
Simply put, the best practice is to only use CSP capabilities that are Certified or In-Progress to be certified in the FedRAMP Marketplace. Why? DFARS clause 52.204-7012(b)(2)(ii)(D) states:
“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.”
We tell all the clients we work with to use this as a critical requirement when selecting CSPs. When in doubt, this requirement should trump all other functional requirements. Why? The work you are doing for the Government and the associated revenue stream is predicated on your organization being compliant. The other tell is the use of the word “shall” in the bold sentence above. The use of the word “shall” is meant to be interpreted as the strongest form of an imperative requirement. “Must” and “can” are used where the contractor is allowed flexibility.
By using only FedRAMP certified CSPs, your organization can ensure this contractual risk is mitigated.
Remember to verify that all your CSPs are compliant during your periodic reviews per NIST SP 800-171 requirements 3.11.1 and 3.12.1.
What if the CSP isn’t FedRAMP Certified?
Sadly, this is more common than not. Why? CSPs tend to pursue AICPA SOC II Type 1/2, #ISO 27000, and #PCI certifications first because the majority of the clientele they are targeting only operate in the commercial sector.
So, what do you do? When this is the only option and you will be potentially storing CUI in their cloud, the CSP must demonstrate FULL compliance to the DFARs clauses and NIST SP-800-171 just as you would for a normal sub-contractor.
Likewise, you need to ensure the contract you have with the CSP has the entire DFARS clause 52.204-7012 in their contract with you.
All that being said, we still recommend is when ANY other CSP is FedRAMP certified, go with the FedRAMP certified provider.
Caveat Emptor – Don’t Trust Everything the CSP Sales & Security Team is Selling
We see too often the CSP doesn’t know what being FedRAMP or DFARS clause 52.204-7012 compliant truly means. We see the following CSP types of actions all too often:
- We have an AICPA SOC II Type 1 or 2 or [fill in the blank] certification; or
- We used a tool like the Consensus Assessments Initiative Questionnaire (#CAIQ) from the Cloud Security Alliance that has a mapping to NIST SP 800-171; or
- We follow NIST SP 800-53 and NIST SP 800-171 is just “800-53 lite”; and,
- Therefore you should trust us…
Their lack of understanding and presumptive sales tactics are putting your organization at risk. Unfortunately, the “800-53 lite” myth is propagated on the Internet as a justification not to pursue FedRAMP compliance.
To be clear, there are significant and unique requirements between DFARS clause 52.204-7012 & NIST SP 800-171 that are not in NIST SP 800-53. Likewise, there are significant variations between the other Information Security Frameworks and DFARS clause 52.204-7012 & NIST SP 800-171.
- Being compliant with another framework does not equal being complaint to DFARS clause 52.204-7012 and NIST SP 800-171;
- and, The CSP has to demonstrate compliance to NIST SP 800-171 in artifacts consistent with DFARS clause 52.204-7012 & NIST SP 800-171.
Still need help?
If you still need help or someone to talk to your CSP, MSP, or MSSP, please take a look at our Information Security Assessments page or
contact us at firstname.lastname@example.org / phone at (719) 622-6405.