FedRAMP Equivalency
Also known as: FedRAMP Moderate equivalent
FedRAMP equivalency is the DoD standard a cloud service must meet when a contractor uses it to store, process, or transmit CUI: the cloud offering must hold a FedRAMP Moderate (or higher) authorization or meet security requirements equivalent to the FedRAMP Moderate baseline, per DFARS 252.204-7012(b)(2)(ii)(D). It governs which cloud tools a CMMC Level 2 contractor may use for CUI. Note that "equivalent" is not a self-attestation: the DoD CIO memorandum of 21 December 2023 requires a cloud service offering claiming equivalency to implement 100% of the FedRAMP Moderate baseline controls, assessed by a FedRAMP-recognized Third Party Assessment Organization (3PAO), with a body of evidence (SSP, SAP, SAR, POA&M) that the contractor must be able to produce for its own assessor.
Related terms
- FedRAMP
FedRAMP is the federal government program that standardizes the security assessment, authorization, and continuous monitoring of cloud service offerings used by federal agencies. Cloud services used by DoD contractors to store, process, or transmit CUI must be FedRAMP Moderate authorized or equivalent under DFARS 252.204-7012(b)(2)(ii)(D). The same paragraph also requires the contractor to ensure the cloud service provider complies with paragraphs (c) through (g) of the clause (cyber incident reporting, malicious software, media preservation, forensic access, and damage assessment), so an authorization alone does not satisfy the clause without those obligations flowed down to the provider.
- DFARS 252.204-7012
DFARS 252.204-7012 is the DoD acquisition clause that requires contractors handling Covered Defense Information (CDI) to implement NIST SP 800-171 and to rapidly report cyber incidents to DoD within 72 hours of discovery. It is the contractual hook that has made NIST SP 800-171 mandatory across the defense industrial base since the 31 December 2017 implementation deadline.
- Controlled Unclassified Information
Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is explicitly marked CUI by the originating agency and triggers NIST SP 800-171 protections, and at the contractual level, CMMC Level 2.
- External Service Provider
An External Service Provider (ESP) is an external entity that provides information technology or cybersecurity services that handle the contractor's FCI or CUI, or that plays a security-protection role for in-scope systems. Examples include managed service providers, cloud hosting providers, and managed security service providers. ESPs that handle CUI must themselves meet applicable CMMC requirements; an ESP that is a cloud service provider storing, processing, or transmitting CUI falls under the FedRAMP Moderate equivalency requirement described above.