FedRAMP moderate “equivalency” has been a thing since 2016, but DoD never really defined the term until January 2024. “The memo” has defense suppliers and the people behind their cloud apps in panic mode. In this episode we dive into what the memo says, potential reasons why, and whether equivalency will still be a thing in the future at all.

Episode Links:

DFARS 7012: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

The memo (PDF): https://dodcio.defense.gov/Portals/0/Documents/Library/FEDRAMP-EquivalencyCloudServiceProviders.pdf

Equivalency circa 2018: https://www.nist.gov/news-events/events/2018/10/controlled-unclassified-information-security-requirements-workshop

FedRAMP: https://www.fedramp.gov/program-basics/

NIST SP 800-171r3: https://csrc.nist.gov/pubs/sp/800/171/r3/fpd