The DFARS states, “the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.” If the cloud provider is not FedRAMP certified, how can a contractor ensure that the cloud provider meets security requirements equivalent to FedRAMP Moderate?
The best advice is to use a FedRAMP certified cloud service provider. The FedRAMP Moderate baseline is well established and understood by Cloud Service Providers (CSPs) that provide such service to the United States Government (USG). Again, the best solution would be to use a CSP service approved by FedRAMP at the “Moderate” level. However, if co-tenancy is not possible, it is acceptable to use a similar service that has not formally been approved by FedRAMP if the CSP can demonstrate to the contractor that it is equivalent. The demonstration of equivalency will need to be satisfied before the service can be used.
Source: Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73, DFARS Subpart 239.76, and PGI Subpart 239.76, FAQ revision, April 2, 2018, rev 1
The URL for FedRAMP service providers: https://www.fedramp.gov/cloud-service-providers/