FedRAMP
Also known as: Federal Risk and Authorization Management Program
FedRAMP is the federal government program that standardizes the security assessment, authorization, and continuous monitoring of cloud service offerings used by federal agencies. Cloud services used by DoD contractors to process or store CUI must be FedRAMP Moderate Equivalent or higher under DFARS 252.204-7012(b)(2)(ii)(D).
Related terms
- External Service Provider
An External Service Provider (ESP) is an external entity that provides information technology or cybersecurity services that handle the contractor's FCI or CUI, or that play a security-protection role for in-scope systems. Examples include managed service providers, cloud hosting providers, and managed security service providers; ESPs that handle CUI must themselves meet applicable CMMC requirements.
- DFARS 252.204-7012
DFARS 252.204-7012 is the DoD acquisition clause that requires contractors handling Covered Defense Information (CDI) to implement NIST SP 800-171 and report cyber incidents within 72 hours. It is the contractual hook that has made NIST 800-171 mandatory across the defense industrial base since 2017.
- Controlled Unclassified Information
Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is explicitly marked CUI by the originating agency and triggers NIST SP 800-171 protections — and at the contractual level, CMMC Level 2.