The Department of Defense memorandum on the Federal Risk and Authorization Management Program Moderate equivalency application for cloud service offerings allows non-FedRAMP certified companies to seek third-party assessment for authorization instead, said David McKeown, DOD’s chief information security officer and a 2025 Wash100 Award winner. He told Federal News Network that his office will schedule an industry meeting in the next 30–45 days to “clarify the memo” issued in December 2023.
The memo provides guidance on a provision in the Defense Federal Acquisition Regulation Supplement covering the FedRAMP moderate status application for cloud services that contractors use to store defense information.
Clearer Contractor Qualifications
According to McKeown, the memo addresses the ambiguity of the FedRAMP equivalency concept under the supplement that the Defense Industrial Base Cybersecurity Assessment Center uses to assess contractors’ qualifications.
FedRAMP moderate consideration for cloud services under the new memo requires 100 percent compliance with latest FedRAMP moderate security control criteria as determined by a third-party organization.
A cloud service contractor will have to present compliance evidence to the third party including an action plan and milestones. The memo further requires that the third-party assessor must close the tasks lined up in the action plan and milestones.
FedRAMP Bottleneck Remedy
McKeown said the third-party approach will help the certification of more cloud service providers, as FedRAMP can process only a limited number of organizations each year.
In September, MITRE released its response to a FedRAMP request for information, recommending that certification metrics be expanded to enhance the authorization’s effectiveness beyond cost and timeliness to include the streamlining of compliance and the reduction of redundant assessments.
