No Longer Cloudy: DoD Issues New Guidance on FedRAMP Moderate Equivalency Cloud Security Requirements

Client Alert | 2 min read | 01.09.24

The Department of Defense (DoD) recently published a memorandum clarifying what it means for a cloud service provider (CSP) to be Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline “equivalent” and meet incident reporting requirements under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012). The memorandum states, in order to be considered FedRAMP equivalent going forward, CSPs must (1) be FedRAMP Moderate/High-Authorized, or (2) secure a third-party assessment confirming their compliance with all FedRAMP Moderate baseline security controls.

DFARS 7012 states that contractors must ensure that an external CSP meets security requirements equivalent to the FedRAMP Moderate baseline before contractors may use a CSP to process, store, or transmit Covered Defense Information (CDI). See DFARS 252.204-7012(b)(2)(ii)(D).

For CSPs that are not Moderate/High-Authorized, the memorandum requires completion of the following steps to demonstrate FedRAMP equivalency:

obtain an assessment against the FedRAMP Moderate baseline conducted by a FedRAMP-recognized third-party assessment organization (FedRAMP 3PAO) showing “100%” compliance with the Moderate baseline controls;
prepare and present supporting documentation to the contractor and DoD for review, including a System Security Plan, Security Assessment Plan, Security Assessment Report (prepared by FedRAMP 3PAO), and any Plan of Action & Milestones (POA&Ms) documenting controls not fully implemented;
fully close out all POA&Ms resulting from the FedRAMP assessment (i.e., fully implement all controls); and
undergo an annual assessment, conducted by a FedRAMP 3PAO, validating continued compliance with DFARS 7012 and DFARS 252.204-7020.

The memorandum explains that the onus is on the contractor to ensure that CSPs conform with the above requirements.

The memorandum also specifies incident reporting requirements for CSPs and the responsibility of contractors to confirm CSPs have incident response plans (IRPs), follow their IRPs, and can provide notification to the contractor following a cyber incident. Notably, the memorandum states that the contractor, not the CSP, bears the responsibility of reporting cloud-related incidents.

Accordingly, contractors should consider re-evaluating any cloud services or products leveraged to process, store, or transmit CDI, to determine whether FedRAMP Moderate equivalent CSPs can meet the listed security and incident response requirements above.

Contacts

Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==
Nkechi Kanu
Partner
- Washington, D.C.
  - D | +1 202.624.2872
bmthbnVAY3Jvd2VsbC5jb20=
Jacob Harrison
Associate
He/Him/His
- Washington, D.C.
  - D | +1.202.624.2533
amhhcnJpc29uQGNyb3dlbGwuY29t

Insights

Client Alert | 5 min read | 12.12.25

Eleventh Circuit Hears Argument on False Claims Act Qui Tam Constitutionality

On the morning of December 12, 2025, the Eleventh Circuit heard argument in United States ex rel. Zafirov v. Florida Medical Associates, LLC, et al., No. 24-13581 (11th Cir. 2025). This case concerns the constitutionality of the False Claims Act (FCA) qui tam provisions and a groundbreaking September 2024 opinion in which the United States District Court for the Middle District of Florida held that the FCA’s qui tam provisions were unconstitutional under Article II. See United States ex rel. Zafirov v. Fla. Med. Assocs., LLC, 751 F. Supp. 3d 1293 (M.D. Fla. 2024). That decision, penned by District Judge Kathryn Kimball Mizelle, was the first success story for a legal theory that has been gaining steam ever since Justices Thomas, Barrett, and Kavanaugh indicated they would be willing to consider arguments about the constitutionality of the qui tam provisions in U.S. ex rel. Polansky v. Exec. Health Res., 599 U.S. 419 (2023). In her opinion, Judge Mizelle held (1) qui tam relators are officers of the U.S. who must be appointed under the Appointments Clause; and (2) historical practice treating qui tam and similar relators as less than “officers” for constitutional purposes was not enough to save the qui tam provisions from the fundamental Article II infirmity the court identified. That ruling was appealed and, after full briefing, including by the government and a bevy of amici, the litigants stepped up to the plate this morning for oral argument....

Client Alert | 8 min read | 12.11.25
Director Squires Revamps the Workings of the U.S. Patent Office
Client Alert | 8 min read | 12.10.25
Creativity You Can Use: CJEU Clarifies Copyright for Applied Art
Client Alert | 4 min read | 12.10.25
Federal Court Strikes Down Interior Order Suspending Wind Energy Development

View All Insights