FedRAMP Moderate Equivalency Explained: What CSPs Need to Know

FedRAMP | Federal Assessments | CMMC

Published: Sep 3, 2024

Last Updated: Jul 21, 2025

Looking back, 2024 was a significant year for the Department of Defense (DoD). Not only did they release the 32 CFR Part 170 – Cybersecurity Maturity Model Certification (CMMC) Final Rule, but the DoD also published a pivotal memorandum titled Federal Risk and Authorization Management Program (FedRAMP) Moderate Equivalency for Cloud Service Provider’s (CSP) Cloud Service Offerings (CSOs).  

The latter development clarified requirements for CSOs who are currently or plan to start storing, processing, or transmitting Covered Defense Information (CDI)—more commonly referred to as Controlled Unclassified Information (CUI). However, there are some important nuances that must be understood.  

If your organization handles Security Protection Data (SPD) or provides assets, systems, or functionality to support CUI as a CSP or CSO, it’s critical to understand how this memorandum impacts your FedRAMP responsibilities. For further context, reference our breakdown of the CMMC Final Rule and its implications in What DoD Contractors Need to Know About the 32 CFR CMMC Rule and Its Effect on Vendors. 

Why the DoD Issued FedRAMP Moderate Equivalency Guidance

Notably, this isn’t the first major step toward this determination. Back in 2016, when the DFARS 252.204-7012 clause was revised, the DoD acknowledged that members of the Defense Industrial Base (DIB), specifically DoD contractors, might choose to put CUI in the cloud. Because the DoD itself must meet a minimum of FedRAMP Moderate or DoD IL2 requirements before placing data in a CSO, contractors who choose to put CUI in the cloud needed to be held to the same standard of protection for how that CUI is stored, processed, or transmitted. And so, the clause was revised to state:

“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.” 

Ever since, there’s been friendly debate in the IT audit community and among the DIB on what would be necessary or acceptable to meet what was laid out in the above statement—particularly regarding the term “equivalent.” 

But now, the DoD’s memorandum has finally clarified expectations as it relates to FedRAMP Moderate Equivalency, and as the #1 3PAO provider of FedRAMP assessments, we’re here to help you better understand. In this article, we’ll summarize the memo, including what documentation is required to demonstrate equivalency, how equivalency is validated, and why simply getting FedRAMP Authorized may not be the best alternate solution. 

We hope this information will assist DIB contractors in determining what their CSPs must do to comply with DFARS clause 252.204-7012—as will the additional context provided by the 32 CFR CMMC Final Rule—including how DIB contractors determine which CSPs to do business with as it pertains to the handling of CUI by the CSP. 

How to Achieve FedRAMP Moderate Equivalency

In short, the memorandum dictates that CSOs can obtain FedRAMP Moderate equivalency by: 

  • Achieving 100% compliance—i.e., zero findings—with the latest FedRAMP Moderate security control baseline 
  • Having that compliance assessed by a FedRAMP-recognized and accredited Third-Party Assessment Organization (3PAO) 
  • Presenting the body of evidence (BoE)—i.e., supporting documentation—to the contractor (i.e., member of the DIB) 

As simple as these requirements may seem, achieving 100% compliance with the FedRAMP Moderate baseline to demonstrate equivalency will be extremely challenging, because the DoD is serious about that 100%: CSPs must fully implement all 323 controls within the FedRAMP Moderate baseline, and the 3PAO assessment must yield zero control findings.*

*While DoD requirements for FedRAMP Moderate Equivalency do not allow for POA&Ms resulting from a 3PAO assessment, CSPs are allowed to have operational POA&Ms. Additionally, terms that have historically been important in DoD contractor compliance discussions, such as “temporary deficiency” and “enduring exception,” have no bearing on FedRAMP or FedRAMP Equivalency discussions.

Why Not Just Get FedRAMP Authorized?

And, if that’s the case, you may be thinking, “Why not just go ahead and pursue a FedRAMP Authorization to Operate (ATO)? Why consider the equivalency path at all?” After all, CSOs seeking a FedRAMP Authorization—a process that involves finding a sponsor and federal agency/FedRAMP PMO reviews—do not require 100% compliance as the equivalency option does. 

And while the small leniency concerning findings may seem attractive, CSPs should also consider that the FedRAMP ATO process—including the effort to find an agency sponsorship* and the subsequent steps in the process—is time-consuming, rigorous, and requires additional review from the FedRAMP PMO. 

Do You Already Have FedRAMP ATO? Are You Still Working Through the FedRAMP Process? 

Per the DoD memo, FedRAMP Equivalency is not required for CSOs that are FedRAMP Moderate Authorized under the existing FedRAMP process. However, that carve-out does not apply to CSOs without a formal FedRAMP Moderate Authorization, which means that CSOs in the following states would still be required to demonstrate FedRAMP Equivalency via the process defined below: 

  • CSOs FedRAMP Authorized below the Moderate baseline (i.e., Low baseline, LI-SaaS)
  • CSOs designated as FedRAMP Ready
  • CSOs that are designated as In Process 

*On March 24, 2025, FedRAMP made a public announcement outlining its vision for the program's future – known as FedRAMP 20x. This vision includes significant changes to the existing process with the goal of making FedRAMP more accessible to a wider range of cloud service providers (CSPs). For more information on the vision, read our breakdown.

What Documentation is Necessary for FedRAMP Equivalency in CMMC? 

So then, if you, as a CSP, instead decide to move forward with obtaining FedRAMP equivalency for your CSO through 100% compliance with the Moderate baseline, you’ll need to make the comprehensive control implementations, have those assessed by a 3PAO applying standard FedRAMP assessment methodology, undergo a penetration test of the CSO, and provide a BoE to your DIB contractor. But what comprises that BoE? 

As it relates to FedRAMP Moderate Equivalency, the following documentation must be included or obtained as part of your FedRAMP assessment and provided to DIB contractors to demonstrate equivalency with the Moderate baseline: 

System Security Plan (SSP)

As the SSP is meant to document how compliance is achieved in relation to FedRAMP control requirements for a given CSO, it must include the following: 

  • Implementation details of security controls 
  • Interconnections 
  • Defined boundary 
  • CSP roles/responsibilities 
  • Means of communication between components (e.g., APIs, protocols, services) 
  • Responsibilities of customers using the service offering  

The SSP also includes several attachments:

  • Information Security Policies and Procedures (covering all control families) 
  • User Guide 
  • Digital Identity Worksheet 
  • Rules of Behavior (RoB) 
  • Information System Contingency Plan (ISCP) 
  • Incident Response Plan (IRP) 
  • Configuration Management Plan (CMP) 
  • Control Implementation Summary (CIS) Workbook (+ the Customer Responsibilities Matrix (CRM) referenced in the memo) 
  • Federal Information Processing Standard (FIPS) 199 
  • Separation of Duties Matrix 
  • Applicable Laws, Regulations, and Standards 
  • Integrated Inventory Workbook 

3PAOs will review the SSP as part of their assessment, but, when it is provided as part of the BoE, DIB contractors will also use it to assess the CSO and gauge the risk of that CSO storing, processing, or transmitting the contractor’s data.

Security Assessment Plan (SAP)

The SAP includes:

  • A methodology outlining the scope of what’s to be assessed 
  • The 3PAO’s approach and limits 
  • The testing process 
  • A summary of contracted deliverables and milestones likely outlined prior in a Statement of Work (SOW) with your 3PAO 

The SAP also includes the following attachments:

  • Security Test Case Procedures (i.e., the template to be used to document testing for the 323 controls) 
  • 3PAO-supplied Deliverables (e.g., Penetration Testing Plan and Methodology, Penetration Test Rules of Engagement, Sampling Methodology) 

Security Assessment Report (SAR)

The SAR includes:

  • A summary of the assessment process
  • Any deviations from the aforementioned SAP
  • Any risks attributed to the CSO as identified by the 3PAO

The SAR also includes several attachments that are either generated by the 3PAO during testing or part of the evidence provided by the CSP:

  • Risk Exposure Table – i.e., a detailed list of findings summarized in the SAR, including those from controls testing, penetration testing, and vulnerability scan analysis, as well as configuration compliance scan results
  • Security Test Case Procedures (aka the Security Requirements Traceability Matrix (SRTM))
  • Infrastructure Scan Results (including container scans)
  • Database Scan Results
  • Web Scan Results
  • Auxiliary Documents (e.g., evidence artifacts)
  • Penetration Test Reports

Plan of Action and Milestones (POA&M)

A POA&M assists CSPs in identifying, evaluating, prioritizing, and continuously assessing the progress of corrective efforts to address security weaknesses, deficiencies, or vulnerabilities in the CSO. 

In addition, other artifacts are required as part of a CSP’s ongoing responsibilities for maintaining the security posture of the CSO: 

  • Continuous Monitoring Strategy 
  • Continuous Monitoring Monthly Executive Summary 

Given that FedRAMP Moderate Equivalency requires full compliance with the baseline, DoD requirements for FedRAMP Moderate Equivalency do not allow for control-related POA&Ms that result from a 3PAO assessment of the CSP’s CSO. However, the memo does state that CSOs are allowed to have operational POA&Ms (e.g., vulnerability scan remediation as part of ongoing continuous monitoring responsibilities). 

These POA&Ms would either be provided by the CSP at the beginning of the assessment as a form of due diligence and/or generated at the end of the assessment to track remediation efforts of findings identified by the 3PAO. 

While the DIB contractor must validate that the BoE the CSP provides meets the FedRAMP Moderate Equivalent standards, the DIB contractor must also ensure the following obligations are (or will be) met: 

  • Endorse the use of the CSO by their organization and confirm that the selected CSP has an incident response plan. 
  • Ensure the CSP follows the incident response plan, including notifying the contractor in the event of an issue. 
  • Report any compromise of the CSO in accordance with the applicable contract terms and conditions, as the memorandum dictates that the contractor—not the CSP’s CSO—will be held responsible. 

FedRAMP Equivalency Validation - Who is Responsible for What? 

Once the CSP has fully implemented the 323 FedRAMP Moderate controls in their CSO, has achieved 100% compliance with the baseline per the 3PAO’s assessment, and has provided their BoE to their DIB contractor, the DIB contractor must provide the BoE to their C3PAO during a CMMC Level 2 Certification Assessment.

As FedRAMP Moderate Equivalency is heavily tied to the 32 CFR CMMC Final Rule, the C3PAO must review the BoE from the CSO’s FedRAMP equivalency assessment to ensure that the BoE is comprehensive and timely, and that the results have been accepted as equivalent by the DIB contractor.

What’s Still Unclear About FedRAMP Moderate Equivalency 

As much clarification as this memorandum provided about the opportunity for CSPs to demonstrate their CSO’s FedRAMP Moderate Equivalency to the DIB, some things have yet to be fully and clearly incorporated into this avenue: 

  • While the memorandum outlined an initial process for demonstrating equivalency, it did not clearly indicate how often a CSP’s CSO would need to undergo subsequent assessments by a FedRAMP-recognized 3PAO. Nor did it state whether the full Moderate baseline would need to be reassessed each time, or whether following the traditional FedRAMP Authorization approach (annual assessments that, over a 3-year period, test every control in the Moderate baseline) is sufficient.
  • Though the CA-8(2) control for Red Teaming exercises* was added to the Moderate baseline as part of FedRAMP’s transition to Revision 5, the memorandum gave no indication of the deliverables associated with these exercises, whether they are performed internally by the CSP, by the 3PAO, or by another third party.

*Red Team exercises simulate attempts by real attackers to compromise the system and extend farther than the traditional penetration test. 

  • As mentioned previously, the memorandum indicated that operational POA&Ms are allowed; however, it does not fully define “operational POA&Ms” or the types of findings that fall into that category, nor does it detail any threshold for the number of operational POA&Ms permitted at a given time.

What’s Next for CSPs, DIB Contractors, and CMMC? 

All in all, this new memorandum from the DoD—together with the 32 CFR CMMC Final Rule—has provided much-needed clarification regarding the compliance of DIB contractors with DFARS clause 252.204-7012 and that of the third-party solutions you’re using to store, process, or transmit CUI. Per this memorandum, CSPs working with contractors must formally demonstrate FedRAMP Moderate Equivalency, and now you understand a little more of what that will entail. 

These developments will surely keep the experts talking about the details and nuances in the coming years, and in the meantime, if you’re looking for more information regarding CMMC, check out our other content for helpful insights: 

And if you still have questions about these new complexities, as it’s likely you do, our experiences as a leading FedRAMP 3PAO and CMMC C3PAO could be of further assistance—for a more

About Tim Walsh

Tim Walsh is a Manager in Schellman's Federal Practice overseeing both the emerging CMMC assessment program and the established FedRAMP assessment program. Prior to joining Schellman in 2019, Tim worked as a Systems Engineer for a Defense Contractor specializing in the design of physical security systems for Naval installations across the United States. Tim also led and supported various other projects, including software development of an inventory and logistics program used in support of Naval vessels as well as participating in Internal Research & Development (IRAD) of critical operations.