16 March 2026

What's All The Buzz About? The Scramble To Become CMMC-Certified And FedRAMP's Evolving Authorization Process

BakerHostetler


The landscape is shifting under the feet of government contractors as it is quickly becoming apparent that those who do not assess their security obligations now may be excluded from contract awards in the near future:

  • Contractors in the Department of Defense (DoD) supply chain are facing challenges with implementing Cybersecurity Maturity Model Certification (CMMC) requirements, including questions internally and from third parties around classifying controlled unclassified information (CUI).
  • The evolving Federal Risk and Authorization Management Program (FedRAMP) landscape is making it hard to predict what will be required in order to obtain FedRAMP authorization, while the push for CMMC compliance is likely to increase demand for FedRAMP authorized services.
  • The General Services Administration (GSA) has released guidance signaling that civilian contractors will also soon be required to comply with controls similar to those required under CMMC.

In addition to these topics, in the upcoming series, BakerHostetler will discuss some of the on-the-ground concerns for contractors and subcontractors as they go through the CMMC certification process.

The State of CMMC and FedRAMP

The CMMC rule became effective at the end of 2025, and more DoD contractors and subcontractors are starting to realize that they need to obtain certification. CMMC is required for anyone in the DoD supply chain when the underlying DoD contract requires CMMC certification to handle federal contract information (FCI) or CUI – in other words, most defense contractors.

At a high level, CMMC requires contractors to implement certain security controls, which depend on the sensitivity of the CUI the contractor will process or handle. While CMMC Level 1 – the level associated with the lowest-sensitivity CUI – allows contractors to self-assess their security controls, other levels of CMMC certification require a third-party assessor to certify that the requirements are met.

When a DoD contractor subject to the CMMC requirements would like to use a cloud service provider (CSP), the contractor must ensure that the CSP meets the security requirements equivalent to those established by the government for the FedRAMP Moderate baseline.

For CSPs that would like to provide services to agencies or contractors, the push for CMMC certification and compliance places additional pressure on the CSPs to obtain FedRAMP authorization.

Identifying FCI and CUI Is Complicated, and Prime Contractors Are Leaning Toward Bright-Line Rules

A common question that many subcontractors are asking internally is whether they can exclude parts of their business from the CMMC requirements because they do not handle FCI or CUI, which trigger CMMC obligations. Depending on their business structure, this can be a complex question. It is helpful to discuss the flow of data with internal stakeholders as well as the legal team. Regardless, many contractors are drawing a hard line for their subcontractors, stating that the entire supply chain must comply with the CMMC framework – no exceptions. This is a conversation that anyone in the supply chain should have now while there is still time to discuss the topic with prime contractors and put any needed compliance measures in place.

Cloud Service Providers Interested in Handling FCI or CUI Should Track the Evolving FedRAMP Landscape

Similarly, CSPs that plan to handle FCI or CUI should be tracking the developments in the FedRAMP space. The FedRAMP program is quickly evolving, and CSPs should be closely monitoring these developments if they intend to market themselves to agency clients or clients in the DoD supply chain. Currently, CSPs can obtain the "FedRAMP Certified" authorization, showing that a specific cloud service has completed the FedRAMP assessment based on the Rev5 requirements.

Obtaining a FedRAMP authorization has historically been difficult. Before a CSP is allowed to demonstrate its security posture and prove it satisfies the applicable security requirements for a particular FedRAMP level – Low, Medium or High – it has typically needed an agency sponsor. This has been challenging because agencies usually prefer to sponsor services that are already authorized. Authorized services are a safer bet for agencies because the CSPs have already demonstrated that they can achieve authorization for these services. However, without an agency sponsor, CSPs cannot obtain authorization for their services. This is coupled with the fact that it is expensive to prepare a cloud service offering for FedRAMP authorization.

The FedRAMP program is in the process of addressing both of these roadblocks. In the recent Requests for Comments, one of the proposals is to expand the FedRAMP Marketplace to include the progress of cloud service offerings as they work toward their authorization rather than waiting for the CSPs to complete the authorization process. This will provide potential customers with updates regarding when these services may be ready to use.

The biggest push that the FedRAMP program is making is toward its 20x program, which is still in the pilot stages. FedRAMP has made it clear that it is pushing all CSPs toward the 20x program, which abandons the traditional framework of point-in-time assessments to determine whether a cloud service offering checks the required boxes for the security controls and instead seeks to create an ongoing, near real-time status portal for CSPs that specifically addresses Key Security Indicators (KSIs). KSIs are security capabilities that the CSPs must address. Similar to the current security frameworks for both CMMC and FedRAMP Rev5, the number of KSIs that a CSP must address will depend on the FedRAMP level the CSP is seeking to achieve. Additionally, CSPs will not be required to have an agency sponsor in order to seek authorization through FedRAMP 20x. The FedRAMP 20x program is intended to encourage wide adoption, reduce the time and money needed to achieve authorization, and streamline the monitoring required to maintain authorization.

Anyone Handling CUI Needs To Be Aware of These Security Requirements: "The Times They Are A-Changin'" and "All in all, it's just another brick in the wall"

The sections above discuss entities that are DoD contractors or subcontractors as well as CSPs that would like to market their services to agencies or DoD contractors. However, even outside these categories, tracking the developments in this space is important for any entity handling CUI. In another series, BakerHostetler discusses the recent GSA policy guidance that potentially requires any entities with GSA contracts handling CUI to start complying with the same types of security requirements as required under CMMC. Given the Trump administration's push to centralize government procurement activities within GSA, this policy shift could be seismic.

Anyone Handling Federal Government Data Should Be Tracking These Developments

These new developments serve as a reminder that any entities handling government data, directly or through contractors, should assess whether they have or may soon have increased cybersecurity obligations in their contracts. Currently, certain DoD contractors and their subcontractors are the first to fall within the scope of these new security requirements; they are only the beginning.

As time goes on, contractors will not be able to bid on DoD contracts if they have not achieved the required level of CMMC certification. Additionally, the industry is seeing a push from prime contractors for their subcontractors to become CMMC-certified.

Even entities that handle CUI outside the DoD supply chain are seeing the same push toward complying with ever-increasing security requirements.

What's Next

If you want to better understand the landscape or to discuss how these security requirements may apply to your organization, we are here to help.

Additionally, if you would like to be proactive in shaping the legal landscape as these new rules come up, there are comment periods where stakeholders may submit comments and help shape the final rules. We can help with that too!

In the upcoming series, BakerHostetler will discuss some of the on-the-ground concerns for contractors and subcontractors as they go through the CMMC certification process. The key word here is "process." There is a lot for organizations to consider when starting on this journey, and it is imperative that all parties in the organization understand the process, their responsibilities and their road map to get across the finish line.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
