
FedRAMP Equivalency for CMMC: The DoD Memo Explained [2026]
For years, defense contractors assumed that simply using a cloud service that claimed to meet “FedRAMP equivalent” security requirements was enough to satisfy DFARS 252.204-7012.
On December 21, 2023, the Department of Defense put that assumption to rest. The memo, formally titled Federal Risk and Authorization Management Program Moderate Equivalency for Cloud Service Provider's Cloud Service Offerings, defines what "FedRAMP Moderate equivalent" actually means. The answer is far more demanding than most contractors realized.
Below we cover: what the memo clarifies, what it requires, who it applies to, and what it means for your current cloud environment, especially if you need CMMC to maintain contract eligibility.
FedRAMP “equivalent” first introduced in DFARS 252.204-7012
Before we dive into the memo, here’s some context on what regulation the memo clarifies.
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012) is a contract clause included in virtually every DoD contract that involves controlled unclassified information (CUI). The clause has several components, but the one most relevant to cloud services is this:
"If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause."
Three parts stand out in this language:
- The requirement is "FedRAMP Moderate equivalent," not FedRAMP Moderate Authorized. That single word, equivalent, created an opening widely known as the "FedRAMP equivalency loophole." Because cloud service providers (CSPs) could self-attest their internal security controls were "equivalent," without undergoing formal authorization or any third-party validation, many fell short of the actual rigor of the FedRAMP Moderate baseline.
- The requirement extends to paragraphs (c) through (g). These paragraphs cover cyber incident reporting, malicious software handling, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment. The CSP, not just the contractor, must comply with all of them.
- The contractor must "require and ensure." While DFARS 7012 explicitly made contractors responsible for their CSP’s compliance, it never defined what that actually meant in practice. Without clear guidance on how a contractor was supposed to verify a CSP's compliance, many simply took vendors at their word or accepted security questionnaires or compliance reports, like SOC 2, as proof of equivalency.
The December 2023 memo closed that loophole and defined exactly what was demanded of both contractors and cloud vendors they trust with covered defense information.
The DoD “FedRAMP Equivalency” memo: What it actually says
The memo was issued by the DoD Chief Information Officer and made effective immediately upon release. Its purpose was to clarify the meaning of "FedRAMP Equivalency" in DFARS 252.204-7012 once and for all.
The core definition the memo establishes is this: a cloud service offering is FedRAMP Moderate equivalent only if it achieves 100% compliance with the FedRAMP Moderate baseline, validated through an assessment by a FedRAMP-recognized Third Party Assessment Organization (3PAO) and supporting documentation presented to the contractor.
That's much more rigorous than what many assumed "equivalent" meant in DFARS 7012.
What FedRAMP Equivalency actually requires of Cloud Service Providers
To meet the FedRAMP Equivalency standards defined by the memo, a CSP must:
1. Achieve 100% compliance with the FedRAMP Moderate baseline
All 323 security controls must be fully implemented. There is no partial credit and no allowance for certain controls to be implemented after the assessment.
2. Be assessed by a FedRAMP-recognized 3PAO
Self-attestation is explicitly not permitted. The CSP must hire an accredited 3PAO to conduct an assessment annually. No internal audit, no vendor-provided evidence, no letter from an IT team satisfies this requirement.
3. Produce a complete Body of Evidence (BoE) and share with the contractor
The 3PAO assessment generates a documentation package that includes:
- A System Security Plan (SSP) covering all 323 controls in the FedRAMP Moderate baseline
- A Security Assessment Plan (SAP) documenting assessment methodology and scope
- A Security Assessment Report (SAR) with detailed findings and scan and penetration test results
- An operational Plan of Action and Milestones (POA&M) that documents the CSP's continuous monitoring strategy
This BoE must be shared with the contractor who is responsible for validating that it meets the memo’s Moderate Equivalent standards.
4. Have zero control-related Plans of Action and Milestones (POA&Ms)
This is the requirement that catches most people off guard. Under standard FedRAMP Moderate Authorization, a CSP can receive an Authorization to Operate (ATO) even with open items on a POA&M because an Authorizing Official accepts the residual risk.
But under FedRAMP Moderate equivalency, no such risk acceptance exists. All controls must be fully implemented before the 3PAO assessment concludes.
That means POA&Ms documenting a gap in control implementation are prohibited. Only operational POA&Ms for routine maintenance are permitted as part of the BoE.
5. Submit the BoE to DIBCAC or C3PAO upon request
If a contractor is undergoing a DIBCAC High assessment or CMMC Level 2 or Level 3 assessment, the CSP must provide the full BoE to the Defense Industrial Base Cybersecurity Assessment Center or C3PAO on demand.

6. Maintain continuous monitoring
The memo requires ongoing validation, not a one-time snapshot of compliance. To maintain equivalency status, the CSP must perform monthly vulnerability scans and annual penetration tests, produce monthly continuous monitoring executive summaries that the 3PAO validates annually, and undergo an annual reassessment.
| | FedRAMP Moderate Authorization | FedRAMP Moderate Equivalency |
|---|---|---|
| Listed on FedRAMP Marketplace | Yes | No |
| Agency sponsorship required | Yes | No |
| 3PAO assessment required | Yes | Yes |
| Open POA&Ms permitted | Yes (with AO risk acceptance) | No (zero control-related POA&Ms) |
| Body of Evidence required | Yes | Yes (shared directly with contractor) |
| Satisfies DFARS 252.204-7012 | Yes | Yes |
| Contractor must validate BoE | No | Yes |
Who does the FedRAMP Equivalency memo apply to?
This is the most misunderstood aspect of the memo, and getting it wrong has real compliance consequences.
The FedRAMP Moderate Equivalency standards apply to the cloud service provider, not to the defense contractor using the cloud service. But the defense contractor is obligated to require and ensure the CSP's compliance, and that obligation translates into a lot of work.
When DFARS 252.204-7012 says a CSP must meet criteria for FedRAMP Moderate Equivalency, it means:
- The CSP must obtain the 3PAO assessment
- The CSP must implement all 323 controls
- The CSP must maintain zero control-related POA&Ms
- The CSP must provide the Body of Evidence
- The CSP must meet the DFARS 7012 requirements in paragraphs (c) through (g)
When it says a contractor must "require and ensure" that their CSP meets FedRAMP Moderate equivalency criteria, the contractor's obligations under the memo are:
- The contractor must obtain and review the BoE to verify their CSP actually meets the Equivalency standards
- The contractor must provide a Customer Responsibility Matrix (CRM) to DIBCAC, 3PAO, and C3PAO assessors to support assessments
- The contractor must contractually require the CSP to maintain equivalency
- The contractor must ensure the CSP complies with paragraphs (c) through (g) of DFARS 252.204-7012
- The contractor must report any incidents in the event of a cloud service offering (CSO) compromise
- The contractor must bear responsibility if their CSP fails to maintain compliance and an incident occurs
This is a critical shift from pre-memo practice, where many contractors simply took a CSP's word that their service was "FedRAMP equivalent." The memo makes the contractor legally responsible for verifying and maintaining their CSP's compliance status.
How the FedRAMP Equivalency memo connects to CMMC
The December 2023 memo was issued under DFARS 252.204-7012, but its implications extend directly into CMMC.
The CMMC Final Rule (32 CFR Part 170, effective December 2024) and the implementing DFARS 7021 rule (effective November 10, 2025) make it explicit: external cloud service providers that store, process, or transmit CUI are in scope for CMMC assessments.
During a CMMC Level 2 or 3 assessment, the C3PAO or DIBCAC assessor will evaluate whether the cloud environment used by the contractor meets FedRAMP Moderate equivalency under the December 2023 definition.
This means a contractor pursuing CMMC Level 2 certification or higher cannot simply point to a CSP's marketing claims about "government-grade security." The C3PAO will look for:
- Is the CSP FedRAMP Moderate (or higher) Authorized on the FedRAMP Marketplace? (Simplest path)
- If not, does the CSP have a 3PAO-assessed Body of Evidence demonstrating 100% compliance with zero control-related POA&Ms?
A CSP that fails this test puts the entire contractor's CMMC certification at risk.
For a full breakdown of how CMMC certification works, see our CMMC Compliance Guide.
Which cloud services meet the FedRAMP Moderate Equivalency standards?
Here is where the memo's implications become concrete for most defense contractors.
Microsoft 365 GCC High (Government Community Cloud High)
GCC High holds a FedRAMP High ATO, exceeding the FedRAMP Moderate standard. It runs on Azure Government (physically separated from commercial Azure), enforces U.S.-person-only access, and is designed specifically for the Defense Industrial Base. GCC High is the most commonly used environment for contractors handling export-controlled CUI.
For a full overview, see our What Is GCC High guide.
Microsoft 365 GCC (Government Community Cloud)
GCC holds a FedRAMP Moderate ATO and is listed on the FedRAMP Marketplace. It meets the DFARS 252.204-7012 requirement for most CUI categories. However, GCC runs on shared commercial Azure infrastructure (with a government-segregated partition) and does not enforce U.S.-person-only access. It is not appropriate for ITAR/EAR export-controlled data.
For a detailed comparison, see our GCC vs. GCC High guide.
AWS GovCloud (US)
AWS GovCloud is FedRAMP High Authorized and meets DFARS 252.204-7012. It's an infrastructure platform (IaaS), not a productivity suite like Microsoft 365. Contractors using AWS GovCloud for CUI workloads satisfy the CSP requirement for those specific workloads.
Google Workspace with Assured Controls (FedRAMP High)
Google Cloud has FedRAMP High Authorization for Workspace when configured with Assured Controls Plus. This requires specific configuration and appropriate licensing, but it satisfies the FedRAMP Equivalency standards for productivity use cases.
Other CSPs with DoD FedRAMP Moderate Equivalency
Other CSPs have undergone 3PAO assessments and submitted BoE documentation to DIBCAC to demonstrate equivalency outside of formal FedRAMP authorization. JAMIS Software Corporation, for example, achieved this status for its Prime ERP platform.
Which cloud services do NOT meet the FedRAMP Moderate Equivalency standards?
Microsoft 365 Commercial
This is the critical takeaway from the December 2023 memo. Microsoft 365 Commercial, the standard business subscription used by most organizations, does not hold a FedRAMP Moderate or High authorization and has not been assessed by a FedRAMP 3PAO against the FedRAMP Moderate baseline. Prior to the memo, some contractors argued that M365 Commercial was "equivalent" based on Microsoft's general security posture. That argument is no longer defensible.
Storing, processing, or transmitting CUI in Microsoft 365 Commercial while subject to DFARS 252.204-7012 is non-compliant. It will also disqualify you during a CMMC Level 2 or 3 assessment.
For a deeper look at these options, see our GCC High vs Commercial vs Google Workspace guide.
Any CSP claiming "FedRAMP equivalent" without a 3PAO assessment
The memo is explicit: self-attestation does not satisfy the FedRAMP equivalency standards. Any cloud vendor that claims FedRAMP Moderate equivalency based on internal audits, SOC 2 reports, ISO 27001 certification, vendor-completed security questionnaires, or anything other than a formal 3PAO assessment and a complete Body of Evidence does not meet the requirements of DFARS 7012 or CMMC Level 2 or higher.
| Cloud Service | FedRAMP Status | Meets DFARS 252.204-7012 | Notes |
|---|---|---|---|
| Microsoft 365 GCC High | FedRAMP High Authorized | Yes | Designed for DIB; enforces U.S.-person-only access; appropriate for export-controlled CUI |
| Microsoft 365 GCC | FedRAMP Moderate Authorized | Yes | Meets standard for most CUI; not appropriate for ITAR/EAR data |
| AWS GovCloud (US) | FedRAMP High Authorized | Yes | IaaS only; not a productivity suite |
| Google Workspace (Assured Controls Plus) | FedRAMP High Authorized | Yes | Requires specific configuration and licensing |
| Microsoft 365 Commercial | Not FedRAMP Authorized | No | Self-attestation claims no longer defensible post-memo |
| CSPs claiming equivalency via SOC 2 / internal audit | Not 3PAO assessed | No | Self-attestation explicitly prohibited by the memo |
Common misconceptions about FedRAMP Equivalency
The memo cleared up the regulatory definition, but misconceptions about FedRAMP Moderate Equivalency still circulate widely in the defense contractor community. Here are the five most common ones.
Misconception 1: "FedRAMP equivalent" means the same thing as "FedRAMP Authorized."
Not quite. Authorization and Equivalency are two separate pathways.
- A FedRAMP-authorized CSP has gone through the formal authorization process, received agency sponsorship, and is listed on the Marketplace.
- An equivalent CSP has undergone a private 3PAO assessment against the same controls and submitted its BoE to DIBCAC.
Both satisfy DFARS 252.204-7012, but the processes, documentation, and ongoing requirements differ.
Misconception 2: My CSP claims FedRAMP equivalency, so I'm covered.
Vendor claims are not documentation. Before relying on a CSP's equivalency claim, a contractor must request and review the full Body of Evidence: the SSP, SAP, SAR, and Continuous Monitoring evidence.
If the CSP cannot produce these documents, or if they were produced without 3PAO validation and assessment, the claim is not valid.
Misconception 3: FedRAMP equivalency requirements apply to me as the contractor.
The 100% compliance with FedRAMP Moderate baseline, 3PAO assessment, no-POA&M requirements, and BoE documentation are obligations of the cloud service provider, not the contractor. The contractor's obligation is to verify and contractually require compliance from its CSP and report any incidents.
Misconception 4: Using a FedRAMP Moderate Authorized or equivalent service is the same as using a FedRAMP High Authorized service.
For DFARS 252.204-7012, the minimum bar is FedRAMP Moderate Authorized or equivalent. FedRAMP High exceeds the requirement. You can think of it in terms of Microsoft’s government cloud offerings: while GCC High (FedRAMP High Authorized) exceeds the Equivalency standards, GCC (FedRAMP Moderate Authorized) meets them.
Misconception 5: The memo only matters if I'm being assessed for CMMC.
DFARS 252.204-7012 has been in effect since 2016. The equivalency requirement exists independently of CMMC. Whether or not you are pursuing CMMC certification, if your contract includes DFARS 252.204-7012 and you use a cloud service for CUI, that cloud service must meet the Equivalency standards defined by the December 2023 memo.
What Defense Contractors need to do now
Given the clarity established by the December 2023 memo and with Phase 1 of CMMC enforcement well underway and Phase 2 beginning November 10, 2026, here are the concrete steps every defense contractor should take.
Step 1: Audit your cloud services.
List every external cloud service where CUI may be stored, processed, or transmitted. This includes email platforms, file storage, project management tools, collaboration software, and any SaaS applications used in contract performance.
Step 2: Verify FedRAMP status.
For each CSP on your list, check the FedRAMP Marketplace to see if it holds a current FedRAMP Moderate or Higher Authorization. If it does, you have your documentation. If it does not, proceed to Step 3.
Step 3: Request the Body of Evidence.
If your CSP claims equivalency without marketplace listing, formally request the full BoE: SSP, SAP, SAR (prepared by a FedRAMP-recognized 3PAO), and Continuous Monitoring evidence. If the CSP cannot provide these documents, they do not meet the Equivalency standards.
Step 4: Migrate non-compliant workloads.
If CUI currently lives in Microsoft 365 Commercial or any other non-compliant cloud environment, begin planning migration to a FedRAMP Authorized or equivalent alternative. GCC or GCC High are the most common paths for Microsoft users. AWS GovCloud and Google Workspace with Assured Controls are alternatives.
Step 5: Update your contracts with CSPs.
DFARS 252.204-7012 requires contractors to contractually require CSP compliance. Ensure your service agreements with cloud providers include explicit FedRAMP Moderate Equivalency obligations and incident reporting cooperation, forensic analysis, and other requirements consistent with paragraphs (c) through (g) of DFARS 7012.
Step 6: Document your due diligence for CMMC assessments.
During a CMMC Level 2 assessment, your C3PAO will evaluate CSP compliance as part of your overall assessment. Maintain documentation of your CSP verification activities: the FedRAMP Marketplace check or BoE review, and the contractual obligations you've placed on your provider.
Make FedRAMP Equivalency and all parts of CMMC simple with Secureframe
Meeting the FedRAMP Moderate equivalency standard is one of the more technically demanding pieces of CMMC compliance. But it doesn't have to mean managing multiple vendors and their documentation, manually configuring security baselines, and hoping your cloud environment holds up under assessment.
Secureframe Defense helps defense contractors store and access CUI securely, collect evidence, generate documentation, and maintain continuous compliance for CMMC assessments. As an authorized GCC High reseller, Secureframe Defense handles licensing directly, on top of automated cloud provisioning and configuration. Secureframe can automatically deploy a CMMC-aligned GCC High (or Google Workspace) environment with security baselines applied by default, so your cloud infrastructure is assessment-ready from day one instead of months down the road.
Enclave deployment, control implementation, documentation, and compliance monitoring—all in one solution.
End-to-end CMMC. Built for the DIB.
FAQs
What is FedRAMP Moderate equivalency?
FedRAMP Moderate equivalency, as defined by the December 21, 2023 DoD CIO memo, means a cloud service provider has been assessed by a FedRAMP-recognized Third Party Assessment Organization (3PAO) against 100% of the FedRAMP Moderate baseline controls, with zero control-related findings, no open POA&Ms from the assessment, and a complete Body of Evidence submitted to DIBCAC upon request.
Does my CSP need to be listed on the FedRAMP Marketplace?
FedRAMP Marketplace listing is sufficient proof of compliance, but it is not the only path. A CSP that is not marketplace-listed can demonstrate equivalency through the 3PAO assessment and BoE pathway defined by the December 2023 memo. However, marketplace listing is the simpler and more transparent path — and it eliminates the need for contractors to independently verify BoE documentation.
Does GCC High meet FedRAMP Moderate equivalency?
Yes. GCC High holds a FedRAMP High Authorization to Operate, which exceeds the FedRAMP Moderate equivalency requirement. It is the most direct path for Microsoft productivity users. See our What Is GCC High guide for details.
Does GCC (not GCC High) meet the requirement?
Yes. GCC holds a FedRAMP Moderate ATO and meets the DFARS 252.204-7012 requirement for non-export-controlled CUI. For a comparison of when each is appropriate, see our GCC vs. GCC High guide.
What happens if my CSP doesn't meet FedRAMP Moderate equivalency?
Using a non-compliant CSP for CUI under a DFARS 252.204-7012 contract is a violation of that clause. It can result in contract default findings and, if discovered during a CMMC assessment, will prevent certification. Contractors bear responsibility for their CSP's compliance failures under the memo's framework.
Is self-attestation by a CSP acceptable?
No. The December 2023 memo explicitly requires third-party assessment by a FedRAMP-recognized 3PAO. A CSP's self-assessment, internal security report, or security questionnaire response does not satisfy the equivalency standard regardless of how thorough it may be.
Does this requirement apply to subcontractors?
Yes. DFARS 252.204-7012 flows down to all tiers of the supply chain. If CUI flows to a subcontractor and their contract includes DFARS 252.204-7012, their cloud environments are subject to the same FedRAMP equivalency requirements.