Currently, some ProShop clients have contractual requirements related to cybersecurity and cloud storage. Specifically, DFARS 252.204-7012, when included in contracts, requires subcontractors (e.g., ProShop clients) to use a FedRAMP Moderate Equivalent cloud service provider when they process, store or transmit covered defense information in an external cloud environment, such as the cloud environment ProShop offers. Covered defense information includes, but is not limited to, Controlled Unclassified Information (CUI). Per a Department of Defense memorandum cleared for public release on Jan 02, 2024, a cloud service offering (CSO) must achieve 100% compliance with the latest FedRAMP Moderate Control Baseline, demonstrated through an assessment by a FedRAMP-recognized Third Party Assessment Organization (3PAO), in order to be considered FedRAMP Moderate Equivalent.
This memo also states that the subcontractor (e.g. ProShop client) acts as the approver for use of the CSO. In other words, a CSO must establish FedRAMP Moderate Equivalency, but the organization who uses the CSO (e.g. ProShop client) approves its use.
DFARS 252.204-7012 also requires subcontractors to implement NIST SP 800-171, whose controls form the basis of the Cybersecurity Maturity Model Certification (CMMC) program. To successfully implement CMMC when the subcontractor uses an external cloud provider to store its covered defense information, the subcontractor must use a FedRAMP Moderate Equivalent CSO and approve its use for the organization. However, in line with the latest proposed rule and current practice, subcontractors may continue to complete self-assessments in lieu of certification. Self-assessments allow subcontractors to identify, accept and manage risks where gaps in their compliance with CMMC exist. The Department of Defense intends to include CMMC requirements, at specified levels (e.g., 1, 2, 3), in all solicitations issued on or after October 1, 2026.
It is assumed that contract requirements will be enforced at that time and that self-assessments will no longer suffice to satisfy CMMC requirements. Practically speaking, this date gives industry time to implement the requirements and obtain the required assessments and certifications.