The Federal Risk and Authorization Management Program (FedRAMP) is a government program designed to assess and authorize cloud technologies for use by the Federal government. In December 2022, Congress passed the FedRAMP Authorization Act, which codified the FedRAMP program to apply to cloud technologies that process unclassified federal information. In this context, ProShop USA is considered a cloud service provider (CSP) because we offer our clients the capability to store their ProShop ERP data in a secured cloud environment. 

Our cloud offering is referred to as a Cloud Service Offering (CSO). Many current and prospective ProShop clients are subcontractors within the Defense Industrial Base who receive controlled information that must be stored in a FedRAMP environment when cloud deployments are used.

ProShop Clients and FedRAMP

Currently, some ProShop clients have contractual requirements related to cybersecurity and cloud storage. Specifically, DFARS 252.204-7012, when included in contracts, requires subcontractors (e.g. ProShop clients) to use a FedRAMP Moderate Equivalent cloud service provider when they process, store or transmit covered defense information in an external cloud environment, such as the cloud environment ProShop offers. Covered defense information includes, but is not limited to, Controlled Unclassified Information (i.e. CUI). Per a Department of Defense Memorandum cleared for publication to the public on Jan 02, 2024, to be considered FedRAMP Moderate Equivalent a CSO must achieve 100% compliance with the latest FedRAMP Moderate Control Baseline through an assessment by a FedRAMP-recognized Third Party Assessment Organization (3PAO).

This memo also states that the subcontractor (e.g. ProShop client) acts as the approver for use of the CSO. In other words, a CSO must establish FedRAMP Moderate Equivalency, but the organization that uses the CSO (e.g. ProShop client) approves its use.

ProShop Clients, FedRAMP and CMMC

DFARS 252.204-7012 also requires subcontractors to implement NIST SP 800-171, whose controls form the basis of the Cybersecurity Maturity Model Certification Program (i.e. CMMC). To successfully implement CMMC when the subcontractor uses an external cloud provider to store its covered defense information, the subcontractor must use a FedRAMP Moderate Equivalent CSO and approve its use for the organization. However, in line with the latest proposed rule and current practice, subcontractors may continue to complete self-assessments in lieu of certification. Self-assessments allow subcontractors to identify, accept and manage risks where gaps in their compliance with CMMC exist. The Department of Defense intends to include CMMC requirements, at specified levels (e.g. 1, 2, 3), in all solicitations issued on or after October 1, 2026.

It is assumed that contract requirements will be enforced and self-assessments will no longer suffice to satisfy CMMC requirements at that time. Practically speaking, this date gives industry time to implement requirements and obtain the required assessments and certifications.

ProShop USA and FedRAMP

ProShop USA (the company) is not required to obtain an Authorization to Operate (ATO) because (1) the ATO applies to the Cloud Service Offering (CSO), not to the company providing the CSO; and (2) ATOs are reserved for CSOs used directly by the Federal Government. Currently, ProShop ERP (the CSO) is not used directly by the Federal Government.

ProShop USA is currently in the planning and implementation stages of FedRAMP and intends to obtain FedRAMP Moderate Equivalency in 2025. For information on FedRAMP Moderate Equivalency, refer to this DOD Memo.
