A new memo from the Department of Defense (DoD) shows that it is tightening the security requirements cloud service providers must meet to be treated as FedRAMP Moderate equivalent.
Historically, it was unclear what "FedRAMP equivalent" actually meant and what it entailed in practice. Before the new guidance, the relevant DFARS clause (DFARS 252.204-7012) only stated that a defense contractor using a cloud provider to store or process covered defense information must ensure the provider meets security requirements equivalent to the FedRAMP Moderate baseline.
In practice, that was read as a requirement that providers follow rules for data retention, incident reporting, and access control.
Those are still important, but they never established a verified baseline of security controls that a provider had to demonstrate. The DoD's new guidance on that clause addresses the gap.
Now, being treated as FedRAMP Moderate equivalent requires a minimum baseline of cybersecurity controls, and meeting it is not self-attested: a FedRAMP-recognized Third-Party Assessment Organization (3PAO) has to assess whether the provider satisfies every control in the baseline.
“To be considered FedRAMP Moderate equivalent, CSOs must achieve 100% with the latest FedRAMP moderate security control baseline through an assessment conducted by a FedRAMP-recognized Third-Party Assessment Organization (3PAO),” reads the memo.
This puts the ball in the cloud service providers' court, so to speak. If they want to keep DoD contractors as customers, they will need to bring their security program up to the full Moderate baseline and have a 3PAO attest to it. Providers that take shortcuts with their security practices will lose the DoD's business. For contractors, the practical check is to ask a provider for its 3PAO assessment results rather than taking a "FedRAMP equivalent" claim on a sales sheet at face value.
The DoD has not said exactly what prompted the tightening, but the likely driver is clear enough. Breaches of cloud service providers have risen sharply over the years, and AI tooling has lowered the barrier for attackers. A cloud provider is a supply-chain chokepoint: if an attacker compromises the provider, they can reach the data of every contractor that provider hosts, in a single intrusion.
In response, US government agencies have been working together to make sure the companies they depend on meet minimum security requirements.