
Why Your CMMC Service Provider Should be Fully FedRAMP Authorized

How Trustwave’s FedRAMP Authorization Removes the Burden of CMMC Federal Compliance from Clients

Navigating the labyrinth that is the US federal procurement system can be difficult, particularly for Defense Industrial Base (DIB) companies that must meet specific cybersecurity compliance standards such as the Cybersecurity Maturity Model Certification (CMMC).

The best way to make this process as painless and quick as possible is for DIB companies, and for organizations with International Traffic in Arms Regulations (ITAR) requirements, to use only a fully FedRAMP-authorized Cloud Service Provider/MSSP, such as Trustwave, to meet their CMMC requirements.

Trustwave, through its subsidiary Trustwave Government Solutions, has committed the time and invested the financial resources necessary to achieve and maintain FedRAMP authorization.

Trustwave has the unique honor of being the only pure-play Managed Detection and Response (MDR) provider recognized by FedRAMP.

By being FedRAMP and ITAR authorized, Trustwave takes on all the responsibilities that would otherwise fall onto the DIB company. This includes meeting the US-only data residency restrictions and the US-only personnel requirement for IT/security management.

Trustwave, with its full set of FedRAMP and ITAR authorizations, has far greater value for DIB organizations and considerably reduces the workload on the part of a DIB company.

Essentially, Trustwave made these investments on behalf of our CMMC clients.


What CMMC Compliance Entails

To give you an idea of the process, let’s take a look at the path that must be taken to become CMMC compliant. The journey starts with scoping.

The most important part of scoping is identifying Controlled Unclassified Information (CUI): unclassified information that requires safeguarding or dissemination controls.

Part of a DIB company’s CMMC in-scope environment is the protection of that CUI; for security services, the assets that provide that protection are called Security Protection Data (SPD).

SPD is considered in-scope because it protects the CUI and, therefore, must be part of the CMMC assessment. If the DIB company is using external cloud service providers or uses cloud-based resources to monitor the SPD, then it must follow the CMMC guidelines.

CMMC guidelines state that if you use cloud resources, they must be FedRAMP Moderate Authorized or the equivalent. This is an absolute requirement for CMMC Level 3. The provider must be 100% FedRAMP authorized.

Level 2 could allow cloud service providers with only a self-stated FedRAMP equivalent.

In reality, that leaves a major burden on the DIB company to gather all the material necessary from the vendor for the C3PAO auditor to make this assessment.


This is called a Body of Evidence, and the following very lengthy list of items must be provided:

  1. System Security Plan (SSP)
  2. Information Security Policies and Procedures (covering all control families)
  3. User Guide
  4. Digital Identity Worksheet
  5. Rules of Behavior (RoB)
  6. Information System Contingency Plan (ISCP)
  7. Incident Response Plan (IRP)
  8. Configuration Management Plan (CMP)
  9. Control Implementation Summary (CIS) Workbook
  10. Federal Information Processing Standard (FIPS) 199 categorization
  11. Separation of Duties Matrix
  12. Applicable Laws, Regulations, and Standards
  13. Integrated Inventory Workbook
  14. System Assessment Plan (SAP)
  15. Security Test Case Procedures
  16. Penetration Testing Plan and Methodology, conducted annually and validated by a FedRAMP-recognized 3PAO
  17. FedRAMP-recognized 3PAO supplied deliverables (e.g., Penetration Test Rules of Engagement, Sampling Methodology)
  18. Security Assessment Report (SAR) performed by a FedRAMP-recognized 3PAO
  19. Risk Exposure Table
  20. Infrastructure Scan Results, conducted monthly and validated annually by a 3PAO
  21. Database Scan Results, conducted monthly and validated annually by a FedRAMP-recognized 3PAO
  22. Auxiliary Documents (e.g., evidence artifacts)
  23. Penetration Test Reports
  24. Plan of Action and Milestones (POA&M)
  25. Continuous Monitoring Strategy (required by CA-7)
  26. Continuous Monitoring Monthly Executive Summary, validated annually by a FedRAMP-recognized 3PAO

If that sounds like a lot to get from a vendor, it is, and the DIB company is on the hook to provide this to the C3PAO auditor.


ITAR and Additional Requirements

However, the points above are not the end of the government requirements.

ITAR, which is administered by the State Department, imposes additional requirements on DIB companies that supply ITAR-controlled products or services.

Data must reside in the US, typically achieved through a Government Community Cloud (GCC High or AWS GovCloud). Only US persons can provide IT administrative support. Managed security services such as Managed Detection and Response (MDR) and Co-Managed SOC are considered administrative support and must be performed by US citizens. The relevant teams must hold US Federal security clearances, and the provider must hold a Facility Clearance from the Defense Counterintelligence and Security Agency (DCSA).


Trustwave's Commitment

Trustwave has made significant investments to achieve and maintain FedRAMP authorization, including:

  • Engaging in a multi-year process to win FedRAMP authorization. That status must be re-certified every year, including an ongoing Plan of Action and Milestones (POA&M) or resolution document recording the remediation of findings, which is also resource-intensive.
  • The platform resides in AWS GovCloud, a government community cloud with a higher level of security than typical AWS or Azure-based cloud environments.
  • US-only personnel who are technically certified and continually earning additional certifications.
  • Security-cleared personnel.
  • GCC High: Trustwave also successfully completed the Microsoft certification process to be allowed into Azure Government Cloud, also known as GCC High.

Choosing a fully FedRAMP-authorized service provider like Trustwave eliminates the immense compliance burden on DIB companies, ensuring seamless alignment with CMMC and ITAR requirements. By leveraging Trustwave’s deep federal credentials and secure infrastructure, organizations can focus on their mission—while Trustwave handles the heavy lift of cybersecurity compliance.
