Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 establishes clear guidelines for how defense companies can store and process Controlled Unclassified Information (CUI) in the cloud, as well as standards for the cloud services they use. Contractors must ensure that cloud service providers (CSPs) meet the FedRAMP Moderate Baseline or equivalent and use FIPS 140-2 validated encryption to protect data.
While the DoD is currently finalizing the exact definition of “or equivalent” for CSPs, PreVeil’s approach has always been to set the bar as high as possible and reach full equivalency by implementing a system security program that meets or exceeds the FedRAMP Moderate Baseline standard and then passing a full program assessment by a FedRAMP-accredited Third Party Assessment Organization (3PAO).
Getting to equivalent
Getting to FedRAMP Moderate Baseline equivalency took PreVeil over a year of work. In the process, we had to bring our IT controls, processes, and documentation up to the FedRAMP Moderate Baseline equivalency requirements included in NIST 800-53. This work included updating our technology stack to AWS GovCloud, which meant we were able to store all customer data in a FedRAMP High cloud. PreVeil also upgraded IT tools, provided additional systems monitoring and vulnerability scanning, and documented dozens of upgraded processes.
We also stood up a more rigorous set of software development life cycle (SDLC) controls and processes. SDLC principles support building security and assurance into the software code, not as an afterthought to be ‘fixed’ later. Code scans, peer reviews and strict source code control ensure we deploy only secure and reliable software changes to our customers.
Once these upgrades were completed, PreVeil was ready to be assessed by a FedRAMP-accredited 3PAO. This assessment was conducted using the same level of rigor that would be used for any company pursuing a FedRAMP Authority to Operate (ATO). Our entire cloud program was assessed against the FedRAMP Moderate Baseline standard. The Moderate Baseline includes over 300 controls specified in NIST 800-53. The assessment required a complete documentation review and collection of artifacts to prove each control is in place and operating as designed.
PreVeil received a letter of attestation from an approved FedRAMP Third Party Assessment Organization (3PAO) stating that PreVeil’s program was found to meet the FedRAMP Moderate Baseline requirements in their assessment. Hence, equivalent. PreVeil has clearly established equivalence to the FedRAMP Moderate Baseline requirements as stated in DFARS 252.204-7012. If and when the DoD provides a more detailed definition of the equivalence requirement, we are very confident that our approach will fall within the scope of the defined acceptance criteria.
Going forward, PreVeil will continue to follow FedRAMP Moderate Baseline standards by reassessing a third of the FedRAMP Moderate Baseline controls in the PreVeil system every year. After every yearly FedRAMP Moderate Baseline equivalency assessment, PreVeil will receive a letter of attestation stating that PreVeil’s program was found to meet the FedRAMP Moderate Baseline requirements in that assessment.
Why no ATO?
Some critics state that in order for a CSP to achieve equivalency, it must pursue an ATO under the FedRAMP program. However, the FedRAMP ATO program is reserved only for companies selling directly to the US Government. This requirement does not extend to companies, such as PreVeil, that sell to government contractors. Companies that sell only to defense contractors are instructed to follow the FedRAMP Moderate Baseline equivalency regulations laid out in DFARS.
What equivalency means for customers
Today, over 750 DIB companies use PreVeil as a part of their programs to secure and protect Controlled Unclassified Information (CUI) in the cloud. In relying on PreVeil, contractors can be confident that they are meeting the high standards for data protection set out by FedRAMP Moderate Baseline because their CSP has met these standards.
In addition, PreVeil relies on Zero Trust security principles to protect user data. Zero Trust security means PreVeil does not trust any single element, node, or service. Instead, the PreVeil platform protects user data with end-to-end encryption and ensures information remains secure even if servers are breached, passwords are stolen, or admins are compromised. Even if a PreVeil server is fully compromised, an attacker will only obtain encrypted gibberish. You can further read our case study here about how a small-to-mid-size (SMB) defense contractor using PreVeil to store and share Controlled Unclassified Information (CUI) achieved the highest possible score of 110 on a rigorous NIST SP 800-171 audit, which demonstrates CMMC Level 2 compliance.
Conclusion
By passing a FedRAMP Moderate Baseline assessment from an accredited 3PAO, our customers can be confident not only that we would be ready for an ATO if we ever needed one, but also that we have clearly established equivalence to the FedRAMP Moderate Baseline requirements stated in DFARS 252.204-7012. Our 750+ DIB customers are very important to us, and we strongly support the mission of bringing cost-effective, state-of-the-art security technology to the DIB companies pursuing DFARS, CMMC, ITAR, and NIST compliance.