FedRamp Or CMMC

What is FedRamp 

FedRamp, or Federal Risk and Authorization Management Program, is a risk-based approach to adopting cloud services that can be used by the federal government and any interacting entities. The main focus emphasizes the security and protection of sensitive information within cloud services.  

FedRamp allows the government to establish public-private relationships with cloud technology to grow the country from a security perspective. The overall process helps to speed up the adoption of cloud services that can be used in these public-private channels to ensure proper authorizations are in place government-wide. The overall goals of FedRAMP are as follows: 

  • Secure cloud technologies in use by government agencies 
  • Enhance the framework in which the government secures cloud technologies 
  • Build strong partnerships with FedRAMP stakeholders 

Who needs FedRamp… 

FedRamp is required for any commercially available cloud service offering to be used by a federal government agency. This allows a source of truth for approved public cloud offerings that the government can choose to interact with without security concerns.  

Over 200 approved cloud applications so far have been FedRamp certified. Unless you are this solution, you do not need FedRAMP certification. Instead, it would be best if you focused your efforts on CMMC.  

What is the difference between FedRamp and CMMC? 

The main difference is that FedRamp primarily authenticates public cloud offerings for long-term government relationships. Whereas CMMC focuses on proving the current state of security compliance within that organization in a tiered hygiene approach ( Levels 1-5; Basic Hygiene to Advanced proactive hygiene). Most government organizations require a level 3 or Good cyber Hygiene level to pursue contracts. 

While they are very similar in many ways, obtaining the CMMC is a bit less strenuous and will still allow entities to entertain government contracts. 

The main difference, FedRAMP is primarily for the government benefit of cloud service offerings that they can approve for use. 

I have a client who is a government agency. Can I get FedRamp? 

Restating to emphasize its importance, is your product offering something that the government will plan to use exclusively across all government agencies? Or are they working with your company in a limited capacity to complete a specific task? C3PAO authorities assess CMMC and FedRAMP for companies that want to establish a long-term relationship. The FedRAMP certification is a bit more strenuous and overkill when you can have a yearly CMMC assessment completed to achieve the exact clearance needed for government contracts. At the end of the day, if you are a subcontractor selling widgets or providing a direct service, you most likely need CMMC instead of FedRamp. 

Ok, how can I go about preparing for and achieving CMMC? 

By utilizing TetherView's Digital Bunker and Pocket Protector solutions, you can get a head start on CMMC compliance. Below are some of the high-level inclusions that TetherView provides that align with CMMC compliance: 

  • SOC2/Type 2 compliant 
  • Comes pre-baked with whitelisted industry standards that give instance signoff 
  • Provide the ability to control all changes on desktops and VM environments 
  • Encourage change management to address permission-related concerns by implementing just-in-time access.  
  • Email Protection via the mobile Pocket Protector application 

Ideally, by starting with TetherView, you can cover 90% of what CMMC requires for certification, leaving only 10% to be determined by your internal organizational directives. 

Once CMMC goes from notational to required, this will essentially need anyone seeking a government contract to best align their security posture with both NIST SP 800-171 and NIST 800-172. As CMMC transitions into a new phase of becoming a requirement (slated for early 2023), now is a perfect time to partner with TetherView to get a jump on aligning your processes to become compliant.