May 2024

The Ultimate Guide to FedRAMP Marketplace Designations

Whenever a government agency, contractor, or subcontractor wants to work with a cloud service provider, they have to find one that upholds the level of cybersecurity, physical security, and authentication that the government sets as standard. Usually, agencies have two options to do this. They can work with a cloud service provider that is FedRAMP authorized, or they can work with one that is FedRAMP Equivalent.

Guide: What is FedRAMP Tailored and What is The Difference?

In the past, we’ve talked a lot about the various FedRAMP guidelines required to reach either a single Authority to Operate or a generalized Provisional Authority to Operate. What all of these have in common is that, in general, you’re talking about FedRAMP Moderate Impact Levels when you discuss these kinds of standards and certification processes. This is because around 80% of cloud service providers and offerings are classified as Moderate impact.

FedRAMP "In Process": What It Means and How to Get Listed

FedRAMP, the Federal Risk and Authorization Management Program, is a way for cloud service providers to undergo auditing, scrutiny, and testing to validate their security. This security encompasses primarily information security but also user authorization and authentication, physical security, and more.

What Are Operational POA&Ms in FedRAMP Equivalency?

Recently, the Department of Defense shook up the entire defense industrial base with the release of a memo titled “Federal Risk and Authorization Management Program Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings.” The memo, aimed at FedRAMP contractors and the CSPs they work with, clarifies the concept of equivalency and what it means to be equivalent to the FedRAMP/CMMC Moderate control standard.

DD2345 Military Critical Technical Data Agreement and CMMC

What is the government if not an organization dedicated to the creation of paperwork? All of that paperwork means something, though, and it can range from trivial to vitally important. One of the more important forms, if it’s required for your business or institution to fill out, is the DD2345 form. What is it, what is it used for, do you need one, and how does it interact with CMMC?