Under CMMC Level 1, if a contractor is using a CSP to process/store/transmit FCI ONLY, must that CSP meet any FedRAMP equivalent levels?

old.reddit.com / @/u/Key_Thought1305, https://old.reddit.com/user/Key_Thought1305

Myself and a coworker are struggling to find an answer to this. He believes FedRAMP is intended to apply to any/all federal information that is processed/stored/transmitted in a CSP.

However, if I'm sticking strictly to government sources, the only mandated FedRAMP requirement is in DFARS 7012, and the CMMC FAQ, which applies to CDI and CUI respectively. My understanding of CDI is that it is a subset of CUI, and CUI is a subset of FCI.

In my logic, that means that the FCI that CMMC Level 1 deals with is not subject to requiring a CSP (that is processing/storing/transmitting it for a contractor) to meet any FedRAMP levels.

If anyone has any knowledge or answers for this and can back it up with a source, I'd really appreciate it. Thank you.

submitted by /u/Key_Thought1305
[link] [comments]

published about 4 hours ago


Previous

GCC High Tenant can't share with non GCC High user
published about 6 hours ago

Next

See all items from the same source