
FedRAMP: A Guide to Construction Compliance

By Kacie Goff
Reviewed by Mandy Pote

Last Updated Dec 18, 2024

Photo of construction professionals working on a laptop with the FedRAMP logo superimposed on the left side.

The federal government has long had to balance a difficult situation: Protecting government data is necessary for national security — but keeping information overly siloed can cause communication breakdowns. 

In the wake of the events of September 11, 2001, the White House issued Executive Order 13556. This order established the Controlled Unclassified Information (CUI) program, meant to streamline data exchange while protecting sensitive information. 

What does that have to do with the construction industry? CUI establishes a spectrum of data classification, from public information to classified information. A contractor that wants to work on a Department of Defense (DOD) project moves into the controlled part of that spectrum, which subjects it to certain compliance measures, including the requirement that certain cloud service providers (CSPs) it uses hold FedRAMP certification.

FedRAMP (Federal Risk and Authorization Management Program) is a government-wide initiative that establishes guidelines and requirements for agencies and their partners — including construction professionals — to use cloud technology and manage data in a secure way. In this article, we’ll discuss how FedRAMP works, how it applies to different construction jobs and the most effective way to comply with FedRAMP requirements. 


Fitting FedRAMP Into the Larger Compliance Scheme for Contractors

In order to do certain types of business with the federal government — and particularly the DOD — companies need to implement added security measures that comply with the CUI program. Otherwise, federal agencies will not entrust those outside partners with their data. In other words, contractors who can’t comply with CUI protection requirements will not be awarded contracts.

For contractors who want to take on government construction projects, the gold standard in attesting that the required CUI security measures are in place is Cybersecurity Maturity Model Certification (CMMC). CMMC initially allowed DOD contractors to self-attest to compliance. But as the newest version of CMMC takes effect, companies that need to achieve Level 2 compliance will be required to meet 110 requirements as evidenced by a triennial third-party assessment.  

The deadline for these requirements and the third-party audit is still forthcoming. Recently, public comment closed on a key piece of CMMC 2.0: the Defense Federal Acquisition Regulation Supplement (DFARS) rule in Title 48 of the Code of Federal Regulations (CFR). Finalizing the 48 CFR rule and, in turn, CMMC 2.0 will likely take some time.

That said, construction companies that want the opportunity to bid DOD projects should start taking compliance steps as soon as possible.

The Basics of FedRAMP

FedRAMP is a government-wide program and a component of CMMC that requires cybersecurity measures. 

As it pertains to military construction, FedRAMP lays out required security measures for any cloud service offerings (CSOs) that DOD contractors use. In other words, if a company stores data in the cloud, that cloud storage solution needs to comply with FedRAMP.

Fortunately, this isn’t something contractors need to undertake themselves. Instead, FedRAMP certification falls on the shoulders of the cloud service provider (CSP).

Unfortunately, FedRAMP certification is a lengthy and involved process for CSPs, and many providers haven’t yet achieved it for their CSOs. That can stand in the way of the compliance needed to bid DOD projects.

Key FedRAMP Terms and Concepts

As a combined recap and explainer, here is an overview of key terms that affect contractors' ability to bid DOD projects. 

  • CMMC 2.0

    The Cybersecurity Maturity Model Certification is a Department of Defense program intended to ensure its partners protect any data that the DOD shares. This second wave of CMMC aligns the requirements for compliance with cybersecurity standards from the National Institute of Standards and Technology (NIST) and breaks the resulting certification into three levels. This second-wave model has not yet been finalized and is currently in its rulemaking process. 

  • Level 2 CMMC

    Level 2 CMMC certification will be what most construction companies need to achieve in order to bid DOD projects. Once CMMC 2.0 is live, Level 2 will require DOD contractors to comply with 110 requirements aligned with NIST Special Publication (SP) 800-171. To confirm compliance, CMMC 2.0 will require triennial third-party assessment along with annual affirmation (i.e., self-attestation). 

  • C3PAO

    The triennial assessment to ensure Level 2 CMMC compliance needs to be completed by a certified third-party assessor organization (C3PAO). 

  • CSO/CSP

    A cloud service provider (CSP) offers a cloud service offering (CSO), or a third-party software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), or platform-as-a-service (PaaS). 

These are just a few of the abbreviations and acronyms that apply here. For a full list, see the reference section at the bottom of this page.

FedRAMP Impact Levels

The FedRAMP Program Management Office (PMO) groups CSOs into impact levels based on how serious the consequences would be if the confidentiality, integrity, or availability of the information held in the system were compromised. As a result, a CSO can be authorized at one of three impact levels:

  • Low
  • Moderate
  • High

Low-impact systems are authorized for use on projects when a breach or other unwanted sharing of CUI would be less problematic. As the impact levels scale up, the CSP implements more stringent security measures that are better equipped to handle sensitive information. 

How FedRAMP Applies to Construction Professionals

Because only CSPs need to pursue FedRAMP certification, it can be unclear how this requirement pertains to construction professionals. While they won’t need to directly engage in the FedRAMP certification process, any construction company that wants to bid DOD projects needs to be knowledgeable about this federal program.

Per a memo from the Office of Management and Budget, “The scope of FedRAMP is cloud computing products and services (such as IaaS, Platform-as-a-Service [PaaS], and SaaS) that create, collect, process, store or maintain Federal information on behalf of a Federal agency.” 

As a result, if the DOD will be sharing data with the contractor — like drawings and specifications for the build — any CSO into which that data will be uploaded likely needs to be FedRAMP-certified. Because that data is controlled unclassified information, the way it’s stored is subject to the CMMC program and, consequently, FedRAMP certification.

Without FedRAMP-certified CSOs, even cybersecure companies may not be able to meet the terms of the project’s contract. That’s because DOD projects often require CMMC compliance, and FedRAMP is one component of the CMMC program. 

Once CMMC 2.0 goes live, most DOD contractors will need CMMC Level 2 as a condition of contract award. CMMC Level 2 maps to FedRAMP moderate authorization, which means that to comply with CMMC Level 2, most contractors will need to be using a CSO certified as FedRAMP moderate. (Fortunately for contractors, moderate impact systems make up about 80% of all FedRAMP-authorized CSPs.) 

For example, if the construction company uses a third-party SaaS to modify DOD blueprints, that SaaS solution usually must be FedRAMP Moderate.

The contract language should clarify if CMMC compliance — and, consequently, FedRAMP certification for any CSPs that will be used to house CUI — is required. Specifically, if the contract calls for Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, any external cloud service provider the contractor uses needs to be FedRAMP compliant. 

Note that if a CMMC-requiring contract clause exists, it also flows down to subcontractors.   

Complying With FedRAMP Certification Requirements

If the DOD (or any other federal) contract calls for FedRAMP certification from the CSO(s) the contractor uses, the contracting company has a few options for compliance. 

To ensure they’re ready to choose the best option, contractors should take steps now to inventory their current cloud service providers and make note of their FedRAMP certification (if any). Then, any time the DOD contract calls for FedRAMP compliance, the contractor can determine what is part of the CUI boundary based on the contract detail. From there, the contractor can ensure that any CSP handling CUI meets the required certification level (usually, FedRAMP moderate). 

Based on the contract details, for example, the contractor may determine that the company’s payroll information doesn’t need to be handled by a FedRAMP-certified CSO but the software the company uses for storing blueprints does.

If the company is working with a CMMC auditor, that C3PAO may also identify where CUI applies and what software systems are within the FedRAMP scope. 

Whether FedRAMP compliance comes up during a CMMC audit or because the contract language calls for it, the contractor has a few pathways to get the necessary compliance measures in place. 

Finding FedRAMP Service Providers

The easiest way to comply with FedRAMP is to use a CSP that’s already certified. The federal government maintains a list of the more than 300 FedRAMP-authorized CSPs, called the FedRAMP Marketplace.

If the contractor doesn’t already have a software solution in place, choosing a CSP that’s marked as “FedRAMP Authorized” from the list builds in FedRAMP compliance. 

Finding FedRAMP Equivalencies

Getting FedRAMP certification is by no means a fast process. The CSP has to build its FedRAMP environment, obtain an agency sponsor, complete a C3PAO audit, go through the authorization approval board, and then wait out the review process, which is often time-consuming. This can take years.

To help bridge the gap that comes with that extensive certification process, CSPs are allowed to get FedRAMP Moderate Equivalency. This certifies that a C3PAO has verified that the CSP has the security measures in place to protect any data stored in its CSO. To secure that verification, the CSP must meet 100% of the FedRAMP Moderate (NIST SP 800-53) baseline and have a complete body of evidence to substantiate that compliance.

In some ways, FedRAMP Moderate Equivalency is more difficult to secure because it requires 100% alignment with NIST SP 800-53. Full FedRAMP Moderate authorization requires agency sponsorship or approval from the FedRAMP Program Management Office (PMO), but in some cases it allows for remediation of non-compliant areas even after the PMO issues the Authority to Operate (ATO).

In other words, FedRAMP Moderate Equivalency is extremely stringent. As a result, it complies with DFARS 252.204-7012, meaning the contractor using that CSP can bid on the job and use that CSO if they’re awarded the contract. 

Taking an Enclaved Approach

If the contractor’s currently deployed software solutions aren’t FedRAMP-certified, they can explore siloing CUI data in a FedRAMP Moderate Equivalent solution. This tactic is called enclaving. With this process in place, specific files can be stored in the compliant solution and pulled up in windows alongside the non-compliant software of choice. This can allow the contractor to meet FedRAMP requirements while still using their chosen solution. 

Using Internally Developed Software

FedRAMP specifically applies to external cloud service providers. If the contractor is using its own internally developed software, this requirement doesn’t apply.

Still, that doesn’t mean the DOD gets lax. Instead, generally, that software will be in the CUI boundary scope and will need to stand up to a C3PAO audit confirming that it meets the 110 measures required for CMMC certification. 


The Benefits of Acting on Federally Required Compliance Measures

Whichever path construction professionals choose to comply with CMMC and meet the necessary FedRAMP requirements to bid DOD jobs, the benefits can extend well past federally funded work. 

Many state programs have reciprocity agreements with federal compliance programs. FedRAMP certification generally entitles the CSP to StateRAMP certification if their state participates in this security standardization program. 

Additionally, being CMMC compliant and using FedRAMP-certified CSPs builds in cybersecurity measures that any owner would likely be glad to see. In an age where data breaches are costly and common, these added protections can help the contractor gain an edge over competitors. 

Reference: Key FedRAMP Acronyms

Acronym | Meaning | Description
FedRAMP | Federal Risk and Authorization Management Program | A government-wide program that establishes standards for secure cloud technology use and data management.
CUI | Controlled Unclassified Information | A program to streamline data exchange while protecting sensitive information within government projects.
DOD | Department of Defense | A federal agency responsible for coordinating and supervising all agencies and functions of the government related to national security and the military.
CSP | Cloud Service Provider | An entity providing cloud-based services like SaaS, IaaS, or PaaS.
CMMC | Cybersecurity Maturity Model Certification | A DOD program ensuring contractors protect sensitive data, aligning with NIST standards.
DFARS | Defense Federal Acquisition Regulation Supplement | A set of regulations that supplement the Federal Acquisition Regulation (FAR) specifically for the DOD.
CFR | Code of Federal Regulations | The codification of the general and permanent rules published in the Federal Register by the departments and agencies of the federal government.
PMO | Program Management Office | An office responsible for the centralized management of a specific program or project within an organization.
CSO | Cloud Service Offering | Services provided by a CSP, including SaaS, IaaS, and PaaS.
NIST | National Institute of Standards and Technology | A non-regulatory federal agency that develops technology, metrics, and standards to drive innovation and economic competitiveness.
SP | Special Publication | Publications by NIST that provide guidelines, recommendations, and standards for various technologies.
C3PAO | Certified Third-Party Assessor Organization | An organization certified to perform third-party assessments for CMMC compliance.
SaaS | Software-as-a-Service | A cloud-based service where software is accessed online via a subscription rather than bought and installed on individual computers.
IaaS | Infrastructure-as-a-Service | A cloud computing service that provides virtualized computing resources over the internet.
PaaS | Platform-as-a-Service | A cloud computing model that delivers hardware and software tools over the internet, usually for application development.
ATO | Authority to Operate | A formal declaration by a senior official that authorizes a system to operate within a certain set of security guidelines.

The DOD also maintains a thorough list as an appendix to the CMMC model overview. 


Written by

Kacie Goff


Kacie Goff is a construction writer who grew up in a construction family — her dad owned a concrete company. Over the last decade, she’s blended that experience with her writing expertise to create content for the Construction Progress Coalition, Newsweek, CNET, and others. She founded and runs her own agency, Jot Content, from her home in Ventura, California.


Reviewed by

Mandy Pote

Mandy Pote is the Managing Principal at Coalfire, where she leads the Enterprise Risk Analysis team and collaborates with sales to sustain a strong client pipeline. With nearly a decade at Coalfire and past experience at EY, she is skilled in refining assessment methods and developing team training programs. A mentor for Duke's Master's in Cybersecurity program, Mandy is committed to helping students transition smoothly from academia to the professional world. She holds a degree from the Isenberg School of Management, UMass Amherst, and a CISSP certification.
