FedRAMP Moderate Is Not CMMC Certification. Here’s What It Actually Does for You.

The Cisco Meraki for Government FedRAMP Moderate authorization is the single most important infrastructure event for DIB contractors in the last two years. It is also one of the most misunderstood.

We’ve seen vendors selling the GovCloud migration as a CMMC compliance shortcut. We’ve seen contractors believe that if they move their network into Meraki for Government, the audit is mostly done. We’ve seen one C3PAO almost walk off an engagement because the contractor’s networking vendor had positioned FedRAMP authorization as equivalent to certification.

This post is the explainer that should have come with the announcement.

The short version

FedRAMP authorization is granted to a cloud service provider. CMMC certification is granted to your organization. They assess different things and they don’t substitute for each other.

The Cisco Meraki for Government FedRAMP Moderate authorization tells the federal government that Cisco’s GovCloud platform meets a specific baseline of controls. That helps you because some of the controls Cisco has implemented at the platform layer are controls your assessor doesn’t need to re-evaluate at your layer.

It does not certify your organization. Your C3PAO does that, after you’ve implemented the rest of the controls that FedRAMP doesn’t cover.

The migration is real value, but it’s value at a specific layer of the stack. Knowing exactly which layer that is makes the difference between a good audit and a bad one.

What FedRAMP authorization actually grants

FedRAMP (Federal Risk and Authorization Management Program) is a federal program that standardizes how cloud service providers (CSPs) demonstrate they meet security controls drawn from NIST SP 800-53. FedRAMP has three impact levels: Low, Moderate, and High. The Moderate baseline covers most non-classified federal workloads.

When a CSP like Cisco achieves FedRAMP Moderate authorization for a service, three things follow:

  1. The federal government has independently assessed the CSP against the FedRAMP Moderate control baseline.
  2. The CSP maintains a documented set of inherited controls from which customers operating on the platform can claim partial or full coverage in their own compliance posture.
  3. The CSP publishes a System Security Plan and supporting documentation that customer auditors can use to validate the inherited control claims.

For Cisco Meraki for Government specifically, this means:

  • Cisco’s data centers hosting the GovCloud dashboard are FedRAMP Moderate.
  • The Meraki Cloud Networking Platform service offering is FedRAMP Moderate.
  • Customers running their Meraki organization on dashboard.gov-meraki.com can inherit a specified set of platform controls.

This is the part that helps you. The part that confuses people is what comes next.

CMMC is a different program with different scope

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense program that requires DIB contractors to demonstrate cybersecurity maturity before they can win contracts that involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

CMMC has three levels:

  • Level 1 addresses 17 basic practices for FCI handling.
  • Level 2 addresses the 110 practices in NIST SP 800-171 Rev 2 and applies to most CUI-handling contractors.
  • Level 3 adds enhanced controls and applies to a smaller set of high-sensitivity programs.

CMMC Level 2 is the level most DIB contractors are scoping toward. It is assessed by a C3PAO (CMMC Third-Party Assessment Organization) for most Phase 2 contracts.

The 110 practices in CMMC Level 2 cover fourteen domains:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

Your C3PAO will assess all 110 practices. Some practices are network controls. Most aren’t.

What FedRAMP authorization does for CMMC

Here’s where the value of Meraki for Government becomes concrete.

A subset of the CMMC Level 2 practices are network controls that the GovCloud directly supports through inherited platform controls or platform features. The practices it helps most materially are:

  • SC.L2-3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission. Meraki for Government Auto VPN is FIPS-validated. This is the inherited control that matters most.
  • SC.L2-3.13.11: Employ FIPS-validated cryptography. Same FIPS-validated Auto VPN supports this.
  • AC.L2-3.1.13: Employ cryptographic mechanisms to protect remote access sessions. FIPS-validated transport extends to remote access scenarios.
  • AU.L2-3.3.1 and AU.L2-3.3.2: Audit logging requirements. The Meraki dashboard event log supports network-layer audit evidence.
  • CM.L2-3.4.1 and CM.L2-3.4.2: Baseline configurations and security configuration settings. The FIPS 140 compliance dashboard in GovCloud provides native, audit-ready evidence.
  • SI.L2-3.14.6: Monitor inbound and outbound communications traffic. Meraki dashboard visibility plus optional IDS/IPS in MX Advanced Security.

Out of 110 practices, that’s roughly 8 to 12 practices where the GovCloud migration produces direct, network-layer evidence.

The remaining ~100 practices are your organizational, procedural, and non-network technical controls. They are not addressed by a network migration.

What FedRAMP authorization does not do for CMMC

This is the part vendor positioning gets wrong.

The GovCloud migration does not address:

  • Your Access Control policies at the user level (account provisioning, deprovisioning, separation of duties, session management beyond the network).
  • Your Awareness and Training program (training records, role-based curriculum, ongoing reinforcement).
  • The full breadth of Configuration Management (host-level config, endpoint config, OS hardening, software inventory, baseline drift detection beyond the network layer).
  • Identification and Authentication at the user and device level (multi-factor authentication for users, device authentication policies).
  • Incident Response procedures, runbooks, exercises, and tracking.
  • Maintenance policies (patch management, vendor access, maintenance logs).
  • Media Protection (data classification, marking, sanitization, transport).
  • Personnel Security (background checks, role definitions).
  • Physical Protection (facility access, visitor logs, environmental controls).
  • Risk Assessment (formal risk assessment program, vulnerability management lifecycle).
  • Security Assessment (continuous monitoring program, control assessment cadence).
  • System and Services Acquisition (procurement controls for third-party services and software).

Your C3PAO assesses every one of these. Your remediation work for Level 2 will touch every one of these. A network migration helps with none of them.

The point is not that FedRAMP authorization is unimportant. It is materially important for the controls it does address, and the FIPS-validated Auto VPN is genuinely the only correct way to handle CUI in transit on Meraki today. The point is that it is not a substitute for the rest of the work.

How to use FedRAMP inheritance correctly in your CMMC scope

If you’re scoping toward a Level 2 assessment and your network is moving (or has moved) to Meraki for Government, here’s the right way to claim and document the inheritance:

  1. Identify the specific controls you are inheriting. Don’t claim “FedRAMP” as a blanket. Map specific controls (SC.L2-3.13.11, AU.L2-3.3.1, CM.L2-3.4.1, etc.) to specific platform features (FIPS-validated Auto VPN, dashboard event logs, FIPS 140 compliance dashboard).
  2. Pull the inherited control documentation from Cisco. Cisco’s FedRAMP package is the source. Your C3PAO will want to see the package or the relevant sections.
  3. Document your configuration evidence. The fact that the platform is FedRAMP authorized doesn’t help if your configuration on the platform doesn’t meet the practice. Show your FIPS 140 dashboard output. Show your security policy. Show your audit logs.
  4. Be clear about scope boundaries. Your network is one part of your CMMC scope. Document which assets and data flows are in the network scope and which are out (endpoints, cloud applications, third-party SaaS, etc.).
  5. Let your C3PAO drive the inheritance claim language. Different assessors will document inheritance slightly differently. Don’t pre-write their assessment.

How to talk to vendors about this

If you’re evaluating vendors for the migration or for compliance work, ask these questions. The answers tell you whether they understand what they’re selling.

“What specific NIST 800-171 practices does the GovCloud migration help me with?” A correct answer names 8 to 12 specific practices and explains why. A wrong answer is “FedRAMP Moderate covers Level 2” or any variation of that.

“What practices does the migration not help with?” A correct answer names roughly 100 practices and groups them by domain. A wrong answer is hedging or “you’d have to ask your C3PAO.”

“Will the migration get us through CMMC certification?” A correct answer is “No. It helps with the network controls. Your C3PAO certifies the rest based on the remediation work you do across the other domains.” A wrong answer is “Yes” in any form.

“What documentation do you produce that my C3PAO can use as evidence?” A correct answer lists specific artifacts: pre-migration baselines, post-migration baselines, change logs, FIPS 140 dashboard outputs, control mapping summaries. A wrong answer is vague.

“Do you do C3PAO assessment work?” A correct answer is “No, we do not. We migrate the network and produce evidence. Your C3PAO certifies.” A wrong answer is “We can be your assessor too” — that is a conflict of interest, and you should not engage that vendor for both jobs.

The practical bottom line

FedRAMP Moderate authorization of Cisco Meraki for Government is a substantial, useful event. It means:

  • You can run CUI-handling networks on Meraki with FIPS-validated cryptography.
  • You can inherit a meaningful set of platform controls in your CMMC documentation.
  • You can produce audit-ready network configuration evidence from the FIPS 140 dashboard.

It does not mean:

  • You are CMMC certified.
  • Your audit is mostly done.
  • You can skip the remediation work for the other twelve CMMC domains.

If you’re scoping toward a Level 2 assessment, the network migration is one workstream of several. It is an important workstream because the FIPS-validated Auto VPN is the only correct path for CUI in transit on Meraki, but it is not the whole job.

The contractors who get this right end up with two partners: a network migration partner who delivers audit-ready evidence at the network layer, and a CMMC consultant or C3PAO who handles assessment and the other twelve domains. Those are different jobs that require different skill sets.

If your current vendor isn’t drawing that line clearly, that’s the signal to get a different vendor.

Boundless migrates Meraki networks and produces audit-ready configuration evidence for DIB contractors preparing for CMMC Level 2. We do not perform C3PAO assessments. We work alongside your C3PAO partner, or introduce you to one if you don’t have one yet.

