This article highlights how information security professionals and SME attorneys can work together to navigate key authorizations and certifications for cloud service providers to bring success in the US Federal market.

FedRAMP

Since 2011, FedRAMP authorizations have helped federal agencies assess the cybersecurity risk of commercial cloud service offerings. Once the cloud service provider has obtained either a Provisional Authority To Operate (P-ATO) from the FedRAMP Joint Authorization Board or an Agency Authority to Operate (ATO), its product is listed as “FedRAMP Authorized” in the FedRAMP Marketplace. The provider must then continuously monitor and report to retain their ATO.

Cybersecurity Maturity Model Certification (CMMC)

This year, the DoD launched a cybersecurity requirement, the CMMC, for all its contractors – even commercial subcontractors. The CMMC combines several existing cybersecurity standards for controls and processes, such as NIST SP 800-171, into a single, up-front, third-party certification rather than multiple self-certifying, trust-based representations. CMMC has five levels of certification, but the DoD will start by requiring the basic levels. Some industry experts anticipate that Civilian agencies will adopt CMMC in the future.

Teaming for Success: InfoSec & Legal

For programs focused on FedRAMP, gearing up for CMMC, or both, an information security professional/team should be responsible (e.g., R in RACI) for implementation but consider including an attorney to counsel and consult (C) in the following ways:

• Project teams: Interpreting regulations and advising on the nuances of the cloud service or business operations to ensure proper disclosures and commitments are made to Federal agencies or other certifying entities.

• Sales teams: Advising on what and how to share and what to commit to in a variety of settings (customer meetings, through channel partners, RFP responses, etc.) based on the status of the authorization or certification.

• Compliance teams: Once authorized or certified, assisting the transition from implementation to compliance with the right policies and cross-functional stakeholders for long term monitoring and reporting.

This article is not legal advice but gives a general summary for educational purposes only and is not intended to be comprehensive. Seek specific legal advice before taking or refraining from taking any action. Please see our full Legal Disclaimer