Let me set the scene. You don’t feel well, and you head to the hospital. You ask the receptionist if they accept your insurance. They say yes, but three months later you get a bill for an ‘out of network’ hospital visit and an ‘out of network’ practitioner.
The next time you feel unwell you go to a different hospital and ask instead, "Are you in-network?" The receptionist says "Yes," but a few months go by and you get another whopper of a bill because one of the practitioners you saw was ‘out of network’.
So the next time, you research each hospital and each practitioner before going, to ensure that they are, in fact, ‘in-network’ and a good fit for your needs.
You have to do the same painstaking homework on cloud service providers (CSPs) as you would to find the right in-network hospitals and practitioners. You can’t fully trust that a health or cloud service provider will actually know the answer when you ask whether they meet the requirements you need, so you must validate with your own research before going forward.
The Cybersecurity Maturity Model Certification (CMMC) as defined in Title 32 Code of Federal Regulations (CFR) Part 170 requires organizations to fully understand who is responsible for enforcing and implementing the security controls listed in the:
Sure, if you are only using it to manage data where no Controlled Unclassified Information (CUI) is involved. The same is true if the CSP investment is for Security Protection Data related to CUI.
If, however, the data you are managing is CUI, then no. The CSP must be at minimum FedRAMP Moderate or equivalent, depending on the CUI categories you handle. This underscores the value of good network segmentation based on your CUI data flow, and of really understanding the difference between CUI assets and everything else on your network.
When selecting a CSP for CUI that requires an additional level of safeguarding, it is important to understand the dissemination requirements. In some cases it is also necessary to ensure that the service personnel are US citizens and that the data is stored within the USA. Again, using the healthcare analogy, both your data and the personnel monitoring it must be ‘in network’. If either the data or the CSP personnel are ‘out of network’, not only will the health of the data be at risk, but your financial standing will suffer if you are found to be in violation of the regulations, putting your contracts in jeopardy.
Another critical consideration is that even when you invest in a CSP that is FedRAMP Moderate, you still have work to do to show how you are meeting your own responsibilities. In over a decade as a consultant and assessor, a key observation is that clients are not aware of their responsibilities when investing in cloud services, and this is especially true when the investment is for the protection of CUI. It is not as easy as selecting a CSP from the FedRAMP Marketplace and being done. CSPs do not provide customers with a full definition of shared responsibilities, complete with a Body of Evidence (BOE), when CSP services are purchased. That is exactly the information customers need in order to know who is responsible for implementing each control. CSPs that claim to be equivalent but are not FedRAMP authorized typically do not have a body of evidence that is readily available to the client.
If you are considering a CSP that states they are FedRAMP equivalent, here are examples of what is included in a BOE:
BOEs are highly sensitive, confidential, and not publicly available. Customers must request this information from the CSP.
When you review the System Security Plan (SSP) and Customer Responsibility Matrix (CRM), take the time to understand what you are responsible for so that you can carry out those responsibilities. You need to know which controls are shared with or fully inherited from the CSP, and you are required to document those responsibilities in your own SSP. Assessments of your enterprise or CUI enclave will require you to document how each control objective is implemented and by whom. If there is any inheritance (partial or full) from a CSP, you must provide evidence, including a CRM, that shows assessors where the responsibilities lie and how the evidence supports your affirmations.
Additionally, a CRM is needed for all external service providers you use for:
Further details of customers' responsibilities for addressing the use of External Service Providers are outlined under 32 CFR Part 170 and 48 CFR 252.204-7012.
FedRAMP Moderate, High, or equivalent BOEs address the implementation of the security controls identified in NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations. To help you identify which NIST SP 800-171 control aligns with which NIST SP 800-53 control, NIST provides a mapping of the 800-171 security requirements to the 800-53 security controls: APPENDIX D: MAPPING TABLES
Navigating the complexities of CMMC compliance can be overwhelming, but you don’t have to do it alone.
At Coalfire Federal, we specialize in helping organizations:
As a trusted C3PAO with deep expertise in cybersecurity assessments, we provide the insights and guidance you need to:
Don't leave your compliance and security to chance—partner with Coalfire Federal to ensure your cloud strategy aligns with CMMC requirements and industry best practices.
Contact us today to learn how we can help you prepare for your CMMC assessment with confidence.
Brie Taylor is a cybersecurity leader with over 12 years of experience in the private and public space. She excels in training, planning, implementing, executing, and monitoring complex risk assessments with multidisciplinary teams, specializing in NIST, RMF IV&V, CobiT, FISMA, and FedRAMP compliance.