The U.S. Department of Defense (DoD) has issued a new memorandum offering clarification on security and cyber incident management requirements for defense contractors utilizing external Cloud Service Offerings (CSOs).
“To be considered Federal Risk and Authorization Management Program (FedRAMP) Moderate equivalent, CSOs must achieve 100% compliance with the latest FedRAMP moderate security control baseline through an assessment conducted by a FedRAMP-recognized Third Party Assessment Organization (3PAO),” the memo said.
Oftentimes, incidents such as the identification of a vulnerability or the response to a zero-day event have led to a lot of finger-pointing, causing confusion among providers, contractors, and the government.
“I think what this memo clarifies is that at the end of the day, the DoD’s contract is with that company A, and they got to make sure that they have an incident response plan, which shows how they’re going to coordinate any kind of remediation, or triaging that needs to happen when there is an incident that happens. That way, DoD holds the contractor accountable and responsible, and it’s their job to coordinate with all of the stakeholders,” Raj Iyer, ServiceNow’s global head of public sector, told the Federal News Network.
Within the memo, there is guidance on how to apply the FedRAMP Moderate equivalency requirements to cloud services employed by contractors for the storage and processing of defense information, as outlined in the Defense Federal Acquisition Regulation Supplement.
FedRAMP is crafted to offer executive departments and agencies a cost-effective, risk-based strategy for adopting and utilizing cloud services.
However, despite a nearly 60% increase in authorizations of cloud services under FedRAMP from July 2019 to April 2023, media reports suggest numerous agencies continued to use services that were unauthorized under FedRAMP.