The DoD created CMMC to audit defense contractors and subcontractors to make sure they have effectively implemented the necessary cybersecurity controls before bidding on and during the performance of DoD contracts.

CMMC 2.0 currently defines three levels of certification that vendors must attain:

• Level 1 requires implementation of 17 practices from FAR 52.204-21 and an annual self-assessment with affirmation in the Supplier Performance Risk System (SPRS) for companies and vendors that handle Federal Contract Information (FCI), but not Controlled Unclassified Information (CUI). 

• Level 2 includes all the controls in CMMC Level 1, but also covers many other controls aligned with NIST SP 800-171 for companies and vendors that handle CUI.

• Level 3 applies to companies and vendors that support the most critical national security programs and is not yet broadly implemented.

In the past, DoD contractors and subcontractors self-certified that they put the cybersecurity controls in NIST SP 800-171 in place. Now with CMMC level 2, an independent third-party assessment organization (C3PAO) evaluates and certifies that they have.

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services that federal agencies plan to adopt. 

FedRAMP created one streamlined process that all federal agencies must follow. This standardization means cloud service providers only need to go through the authorization process once, rather than repeating assessments for each agency they want to serve. The continuous monitoring component makes sure that security controls remain effective over time, not just at the initial authorization.

With FedRAMP, a cloud service provider works with a third-party assessment organization (3PAO) that assesses the service provider to make sure they meet FedRAMP security requirements. The 3PAO conducts an independent security assessment of the cloud service provider, and on approval, the cloud service provider is then ready to offer their cloud service to federal agencies.

Which framework applies to you?

CMMC is for defense contractors, and FedRAMP is for cloud service providers. One way to look at it is that CMMC is for all DoD contracts and FedRAMP is for cloud services used across the federal government (including for non-DoD contracts).

Assessment and authorization bodies

CMMC Third-Party Assessment Organizations (C3PAOs) perform CMMC assessments. The CMMC Accreditation Body accredits them. Third-Party Assessment Organizations (3PAO) conduct FedRAMP authorizations. The FedRAMP Program Management Office accredits them. The JAB (Joint Authorization Board) or individual agencies make authorization decisions.

Scope of certification

CMMC evaluates your organization's cybersecurity controls across the entire organization, no matter where CUI or FCI is located. FedRAMP only certifies the specific cloud service offering that the cloud service provider sells, with scope determined by the agency use case, specifically, whether the cloud service creates, collects, processes, stores, or maintains federal information.  

Regulatory drivers

The DoD drove CMMC as a requirement, but the Office of Management and Budget (OMB) drove FedRAMP as a requirement for all federal agencies, not just DoD.

Where CMMC and FedRAMP overlap

First, you should decide if your organization is either a DoD contractor or subcontractor, a cloud service provider, or a hybrid of the two.

Then, determine which compliance framework applies to your organization:

• DoD contractor or subcontractor: You’re required to comply with CMMC.

• Cloud service provider selling to federal agencies: You need FedRAMP authorization.

• Cloud service provider selling to the DoD: You’ll likely need both CMMC and FedRAMP, depending on your service model and how you handle federal data. 

• DoD contractor using cloud services: CMMC is required. Your cloud providers may need FedRAMP authorization depending on whether they’re classified as Security Protection Assets (SPAs) or External Service Providers (ESPs) and how they handle CUI.

One common misconception is that all security tools purchased by CMMC Level 2 organizations have to be FedRAMP authorized solutions. This is not the case.

Security tools can be scoped as SPAs vs. ESPs under CMMC 2.0. A SPA is defined as any system that provides security capabilities that does not process, store, or transmit CUI. If your security tool vendor can scope their product as an SPA, you’ll not need FedRAMP authorization.

EDR, ITDR, and SIEM solutions are commonly scoped as SPAs when there are technical controls in place that prevent vendors’ access to CUI. Companies have successfully achieved a CMMC Level 2 without having any security tools scoped as ESPs.

Ask your security tool vendor if their solution is built to run as an SPA and what controls are in place to prevent access to CUI.

Whether you need CMMC, FedRAMP, or both, the right tooling can simplify your compliance journey. The Huntress Managed SIEM, Managed EDR, and Managed ITDR provide visibility, threat detection, and monitoring capabilities that align with security controls common to both frameworks. Get a demo to see how Huntress can support your compliance program.