DAY TWO 14:00 - 15:00PM EXECUTIVE BREAKOUT ONE

MODERATELY CONFUSED: DECODING FEDRAMP EQUIVALENCE FOR DEFENSE CONTRACTORS

The Proposed Final Rule allows Defense Industrial Base (DIB) contractors to utilize Cloud Service Providers (CSPs) that are either FedRAMP Moderate Authorized or have implemented security requirements equivalent to FedRAMP Moderate. This distinction is particularly important for industry-specific cloud solutions, like manufacturing software, which may not have a direct market in the federal government and thus lack a clear path to Authorization. In these situations, contractors must confirm the CSP is equivalent, as defined in a recent DOD memo. This presentation will provide contractors with a comprehensive overview of why a CSP might pursue equivalency, what it takes for a CSP to be compliant (including the process, costs, and timeline required), and what to look for in a CSP’s Body of Evidence. By better understanding the requirements and evidence, you will be better equipped to make a well-informed decision about whether to include a particular CSP in your CMMC boundary.