CMMC and FedRAMP get conflated constantly. A defense contractor reads the contract, sees both acronyms, and assumes one substitutes for the other. It does not. The two frameworks govern different things, and most defense contractors handling Controlled Unclassified Information (CUI) are subject to both at the same time.
Here is what each framework actually does, how they connect, and which one applies to your business.
## What CMMC is
The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense program that certifies whether a defense contractor handles government information securely. It applies to your organization, not to the tools you use.
CMMC has three levels:
- Level 1: 17 basic controls. Required for any contractor handling Federal Contract Information (FCI). Self-attested.
- Level 2: 110 controls from NIST SP 800-171. Required for any contractor handling CUI. This is where most of the defense industrial base lives. Third-party assessment by a C3PAO is required.
- Level 3: 134 controls including NIST SP 800-172 enhancements. Required only for contracts involving the most sensitive CUI. Assessed by the DoD itself.
CMMC certification is a prerequisite for contract award under DFARS 252.204-7021. No certification, no contract.
## What FedRAMP is
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that authorizes cloud service providers to handle federal data. It applies to cloud products, not to the organizations that buy them.
FedRAMP has three authorization levels (Low, Moderate, High) corresponding to the sensitivity of the data the cloud service is approved to handle. The control sets are derived from NIST SP 800-53.
FedRAMP authorization is what allows a cloud provider to sell to federal agencies. AWS GovCloud, Microsoft GCC High, and Google Workspace with Assured Controls all carry FedRAMP authorizations. Most commercial cloud services do not.
## How they connect
CMMC governs your organization. FedRAMP governs the cloud services you use. The bridge between them is DFARS 252.204-7012, the contract clause that has been on the books since 2017.
DFARS 252.204-7012 says that if your organization processes, stores, or transmits CUI in a cloud service, that cloud service must meet “security requirements equivalent to those established by the Government for the FedRAMP Moderate baseline.”
So a CMMC Level 2 certified contractor that uses a cloud-based email provider for CUI must use a provider that is FedRAMP Moderate authorized or has been independently assessed as equivalent. The contractor handles CMMC certification. The cloud provider handles FedRAMP authorization. Both are required.
This is the most common point of confusion. Buying GCC High does not give you CMMC certification. It only satisfies the cloud-provider half of the equation. Your organization still has to implement and document the 110 NIST 800-171 controls, undergo the C3PAO assessment, and earn the certification yourself.
## Where the cloud provider’s authorization stops
A FedRAMP-authorized cloud service narrows risk around infrastructure, service operations, and inherited controls. It does not cover how your company operates inside that service. CMMC Level 2 still evaluates the parts of the environment that are unambiguously yours:
- User administration. Who gets access, how privileges are approved, whether inactive accounts are removed.
- Endpoint discipline. The devices your staff use, how they are managed, whether they align with your policies.
- Data handling. Where CUI is allowed to be stored, shared, exported, and retained, including in side channels your provider cannot see.
- Incident execution. Not whether the provider has a security team, but whether your company can detect, escalate, document, and respond inside your own environment.
- Evidence quality. Policies, procedures, tickets, logs, screenshots, and records that match day-to-day practice.
A FedRAMP cloud service is part of your control story. It is not the whole story. During assessment, “our vendor handles security” is not an answer. You need to be able to say which controls are inherited, which are shared, and which are fully yours, and have evidence for each. Even where the provider supplies encryption, logging, or infrastructure hardening, your side still has to show the configuration decisions you made, the administrative oversight you exercise, and the user-facing procedures you follow.
## Which framework applies to you
You need CMMC certification if:
- You hold or are bidding on DoD contracts.
- You handle Federal Contract Information (Level 1) or CUI (Level 2 or 3).
You need to use FedRAMP-authorized cloud services if:
- You handle CUI in any cloud service. The DFARS clause makes this a contractual requirement, regardless of which CMMC level applies to you.
- Your contract specifies cloud services for federal data more broadly.
You need FedRAMP authorization for your own product only if:
- You sell cloud services to federal agencies. In this case FedRAMP authorization applies to your product, not to you as a buyer.
Most defense contractors fall into the buyer category for FedRAMP, not the provider category. Your job is to use FedRAMP-authorized services, not to obtain FedRAMP authorization yourself.
## A quick comparison
| | CMMC | FedRAMP |
|---|---|---|
| Applies to | Defense contractors | Cloud service providers |
| Control framework | NIST SP 800-171 (Level 2) | NIST SP 800-53 |
| Levels | 1, 2, 3 | Low, Moderate, High |
| Assessment | C3PAO (Level 2), DoD (Level 3) | 3PAO with agency or JAB sponsorship |
| Trigger | DoD contract handling FCI or CUI | Selling cloud services to federal agencies |
| Required for contract award? | Yes (DFARS 252.204-7021) | Only for cloud providers selling to government |
| Ongoing model | Recurring certification cycle with annual affirmations | Continuous monitoring with regular package updates |
## What this means in practice
If you are a defense contractor handling CUI, you need to:
- Map your data flows. Identify every system where CUI is created, stored, processed, or transmitted. Email is almost always one of them. So is file sharing.
- Confirm cloud services are FedRAMP Moderate or equivalent. For email specifically, this rules out commercial Microsoft 365 and commercial Google Workspace. See which email providers actually meet the requirement.
- Implement the 110 NIST 800-171 controls in your environment. Many of these controls (access management, audit logging, incident response, training) have nothing to do with cloud services and must be implemented by your organization regardless of which tools you use.
- Document your System Security Plan (SSP) and Plan of Action & Milestones (POA&M) describing how each control is met.
- Schedule and pass a C3PAO assessment.
Two frameworks. Two distinct sets of obligations. You cannot substitute one for the other, and you cannot skip either if your contracts require CUI handling.
## Three pitfalls that drive up cost for SMBs
The contractors who struggle most with this split are usually dealing with one of three patterns:
- They protect too much of the business as if all of it handles CUI. That drives up licensing, endpoint management, policy complexity, and user friction. If CUI can be contained in a smaller boundary, keep it there. Every system in scope adds evidence burden and operational risk.
- They assume a FedRAMP-authorized provider solves their CMMC burden. It helps with inherited controls. It does not replace your own policies, user administration, incident handling, and proof of execution. Cloud authorization narrows what you have to build. It does not eliminate what you have to operate.
- They build an environment their team cannot operate consistently. Assessors look for repeatable practice, clear ownership, and evidence that matches the written process. Complexity breaks that alignment. The best compliance architecture for an SMB is usually the one your staff can run consistently six months after the assessor leaves.
For most SMB defense contractors, the smart move is narrower than leadership expects. Put CUI in a controlled boundary. Use cloud services that reduce inherited risk and cut down on custom explanations. Keep the number of systems, admins, and exceptions low.
## Common confusions
“FedRAMP High is more secure than FedRAMP Moderate, so I should use a FedRAMP High provider.” Moderate is the CMMC requirement. High is overkill for most defense contractors and usually comes with significantly higher cost. Microsoft GCC High is the obvious example, with first-year deployment costs that can exceed $100,000 for a small contractor.
“My provider is SOC 2 compliant, so we are FedRAMP equivalent.” SOC 2 is not equivalent to FedRAMP Moderate. The control sets, scope, and assessment rigor are different. SOC 2 is an AICPA attestation framework that grew out of financial auditing and was adapted for technology service providers; FedRAMP is a government security program with a fixed NIST SP 800-53 baseline. Defense contracts do not accept SOC 2 in place of FedRAMP equivalency.
“FedRAMP-authorized providers are CMMC-certified by default.” No. FedRAMP and CMMC are different programs administered by different bodies. A FedRAMP-authorized provider may help you meet CMMC requirements, but it does not certify you.
“If we use FedRAMP services for CUI, we don’t need CMMC certification.” You still need certification. FedRAMP only addresses the cloud-provider half of the requirement. Your own organizational practices still need to be assessed by a C3PAO.
“FedRAMP equivalency is the same as a FedRAMP authorization.” Not quite. A formal FedRAMP authorization is listed on the FedRAMP Marketplace. Equivalency is an independent assessment that the provider’s controls meet the FedRAMP Moderate baseline, but is not a Marketplace listing. DoD has accepted equivalency in some cases, but you should confirm with your contracting officer that your provider’s documentation is sufficient.
## The bottom line
CMMC certifies your organization. FedRAMP authorizes cloud services. DFARS 252.204-7012 connects the two by requiring CUI in cloud services to sit on FedRAMP Moderate (or equivalent) infrastructure. Most defense contractors handling CUI need both: their own CMMC certification and FedRAMP-authorized tooling for any cloud service touching CUI.
The good news is that the bridge clause makes the requirement clear. The bad news is that meeting it usually means moving off commercial cloud services and into a much smaller pool of authorized providers, often at enterprise prices designed for organizations many times your size.
Compliance tools should be priced for the companies that need them, not just the enterprises that can absorb the cost. That’s what we’re building at IRONKEEP.