CMMC Level 2 requires CSPs that process, store, or transmit CUI to meet FedRAMP Moderate (or equivalent) authorization, not FedRAMP High. FedRAMP High is not a CMMC requirement but may be required by contract or specific agencies.
Exact Extracts:
DoD CMMC Scoping Guide: “External Cloud Service Providers must meet FedRAMP Moderate equivalency when storing, processing, or transmitting CUI.”
CMMC Assessment Guide: “The baseline requirement for CUI in cloud environments is FedRAMP Moderate; higher levels may be contractually required.”
Why other options are not correct:
A: Equivalency is allowed, but only to FedRAMP Moderate level.
C/D: Incorrect, because CMMC Level 2 does not mandate FedRAMP High.
[References:, CMMC Assessment Guide – Level 2, Version 2.13: External Service Providers and FedRAMP Moderate equivalency requirements., DoD Cloud Computing SRG (referenced in CMMC documentation): CUI requires FedRAMP Moderate baseline., , , ]
Submit