CMMC: FedRAMP Requirements for Security Protection Assets
XQ + Meerkat Position Paper
Authors:
Introduction
Safeguarding Controlled Unclassified Information (CUI) is a cornerstone of cybersecurity for organizations within the Defense Industrial Base (DIB). As DIB contractors pursue Cybersecurity Maturity Model Certification (CMMC) to meet Department of Defense (DoD) requirements, selecting compliant External Service Providers (ESPs) is critical.
A key consideration is whether an ESP qualifies as a Cloud Service Provider (CSP), requiring Federal Risk and Authorization Management Program (FedRAMP) authorization, or a Security Protection Asset (SPA), which does not.
This position paper clarifies that XQ Message, a zero trust data protection platform, is an SPA, not a CSP, as defined by NIST SP 800-145.
By examining XQ Message’s functionality, CMMC scoping guidelines, and FedRAMP requirements, we demonstrate why it is exempt from FedRAMP authorization, enabling DIB contractors to confidently integrate it into their CMMC-compliant environments.
Key Considerations
Third-party tools, like XQ's Zero Trust Data solution, offer robust security features.
CMMC compliance requires comprehensive data protection measures.
CMMC FedRAMP requirements apply to Cloud Service Providers (CSPs) and only to certain Security Protection Assets (SPAs).
To determine whether XQ Message is a Cloud Service Provider (CSP) or a Security Protection Asset (SPA) under the Cybersecurity Maturity Model Certification (CMMC) framework, and why it does not require FedRAMP authorization, we analyze the definitions and roles set out in the NIST references and CMMC requirements cited below.
The following sections explain the distinction, how XQ Message aligns with these definitions, and the implications for FedRAMP requirements.
1. Understanding Key Definitions
Cloud Service Provider (CSP) per NIST SP 800-145
According to NIST Special Publication 800-145, a Cloud Service Provider is an entity that offers cloud computing services, defined as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The essential characteristics of cloud computing include:
On-demand self-service: Users can provision resources without human interaction from the provider.
Broad network access: Services are accessible over the network via standard mechanisms.
Resource pooling: Resources are shared across multiple customers with physical and virtual resources dynamically assigned.
Rapid elasticity: Capabilities can scale rapidly to meet demand.
Measured service: Resource usage is monitored, controlled, and reported for transparency.
CSPs typically operate under service models like Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), and their deployments can be public, private, hybrid, or community clouds.
Security Protection Asset (SPA) under the CMMC 2.1 framework
Under the final CMMC 2.1 framework, a Security Protection Asset is defined as an asset that provides security functions or capabilities within a contractor’s CMMC assessment scope. These assets are components of non-federal systems that either process, store, or transmit Controlled Unclassified Information (CUI) or provide security protection for such components (e.g., firewalls, intrusion detection systems, or encryption tools). SPAs are fully in scope for CMMC assessments, as they are critical to safeguarding CUI or Federal Contract Information (FCI), but are not necessarily subject to the same requirements as CSPs handling CUI.
FedRAMP Requirements
FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services. It applies to CSPs that process, store, or transmit CUI or FCI for federal agencies, requiring them to meet NIST SP 800-53 controls at a Moderate or High baseline (or equivalent for DoD contractors under DFARS 252.204-7012). However, systems or services that do not meet the NIST SP 800-145 definition of cloud computing or do not process, store, or transmit CUI may not require FedRAMP authorization.
External Service Provider (ESP)
An ESP consists of external people, technology, or facilities that the organization utilizes, including Cloud Service Providers (CSPs), Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), and Cybersecurity-as-a-Service (CSaaS) organizations.
2. XQ Message as a Security Protection Asset, Not a CSP
XQ Message is a platform that provides quantum-safe encryption and secure data management solutions, focused on protecting data at rest, in transit, and in use through advanced encryption techniques. To determine whether XQ Message is a CSP or an SPA, we need to evaluate its functionality against the NIST SP 800-145 definition and CMMC requirements.
Why XQ Message Is Not a Cloud Service Provider
Based on the NIST SP 800-145 definition and the provided glossary term, XQ Message does not operate as a CSP for the following reasons:
Lack of Cloud Computing Characteristics: XQ Message primarily offers encryption and secure communication services, focusing on data security rather than on providing a shared pool of configurable computing resources (e.g., servers, storage, or virtual machines). It does not utilize on-demand self-service provisioning of infrastructure, broad network access to pooled resources, rapid elasticity, or measured service for computing resources, which are the hallmarks of cloud computing. Instead, it functions as a security layer that can be integrated into existing systems or applications, and can be deployed on-premises or in the cloud, in complete contrast to a CSP.
Service Model: XQ Message does not align with traditional SaaS, PaaS, or IaaS models. It provides a security service (encryption and data protection) rather than a platform for hosting applications, infrastructure, or software. For example, it may enable secure file sharing or messaging, but does not manage the underlying infrastructure in the way a CSP like AWS, Azure, or Google Cloud does.
Deployment Scope: XQ Message is deployed as a tool or service within a customer’s environment (on-premises or cloud-based) rather than operating as a standalone cloud platform. It does not own or control the network infrastructure hosting the data, which is a key characteristic of a CSP. Because of its sophisticated implementation, XQ employees are unable to even decrypt underlying data.
Why XQ Message Qualifies as a Security Protection Asset
XQ Message aligns with the CMMC definition of a Security Protection Asset because:
Security Functions: XQ Message provides encryption and secure data management capabilities, which are explicitly designed to protect CUI or FCI. These functions fall under the CMMC definition of assets that “provide security functions or capabilities” to safeguard sensitive data.
Integration into CMMC Scope: When XQ Message is used within a contractor’s environment to secure CUI (e.g., encrypting data to be transmitted or stored in a contractor’s infrastructure; XQ itself never transmits or stores the data), it is considered part of the CMMC assessment scope as an SPA.
For example, it may be used to meet NIST SP 800-171 controls like SC.L2-3.13.16 (Data at Rest) or SC.L2-3.13.11 (CUI Encryption).
Support for Compliance: XQ Message’s focus on encryption and data security supports CMMC requirements, such as those in NIST SP 800-171, without itself being the system that processes, stores, or transmits CUI. Instead, it enhances the security of those systems, making it an SPA rather than a primary data-handling platform.
3. FedRAMP Implications for XQ Message
FedRAMP authorization is required for CSPs that process, store, or transmit CUI or FCI in a cloud environment, as mandated by DFARS 252.204-7012 for DoD contractors. However, XQ Message does not require FedRAMP authorization for the following reasons:
Not a CSP: As established, XQ Message does not meet the NIST SP 800-145 definition of a cloud service provider. It is a security tool or service, not a provider of cloud computing resources. Therefore, it falls outside the scope of FedRAMP requirements, which apply specifically to CSPs.
Role as an SPA: CMMC guidance clarifies that SPAs providing security functions (e.g., encryption tools) are in scope for CMMC assessments but do not require FedRAMP authorization unless they process, store, or transmit CUI in a cloud environment. XQ Message is used to secure data within a contractor’s environment (e.g., on-premises or in a FedRAMP-authorized CSP like AWS GovCloud) and never stores or transmits CUI, and so does not need to be independently FedRAMP-authorized, as it is not handling CUI.
CMMC Scoping Guidance: According to CMMC documentation, CSPs that handle CUI must meet FedRAMP Moderate (or equivalent) requirements, but SPAs that provide security protections (and do not process, store, or transmit CUI) are evaluated as part of the contractor’s CMMC assessment scope, to the extent their services fall under the 110 L2 controls. XQ Message’s role as an encryption or security tool means it is assessed for compliance with NIST SP 800-171 controls (e.g., cryptographic controls) rather than requiring a separate FedRAMP authorization.
4. Practical Implications for CMMC Compliance
For organizations using XQ Message to achieve CMMC compliance:
Scoping: XQ Message should be included in the CMMC assessment scope as an SPA if it is used to protect CUI or FCI. The contractor must document how XQ Message meets relevant NIST SP 800-171 controls (e.g., SC.L2-3.13.16 and SC.L2-3.13.11) in their System Security Plan (SSP).
Assessment: During a CMMC Level 2 or Level 3 assessment, the contractor must demonstrate that XQ Message is configured and implemented to meet NIST SP 800-171 requirements. For example, encryption algorithms must align with FIPS 140-2/3 standards, and access controls must be enforced.
Conclusion
XQ Message is not a Cloud Service Provider as defined by NIST SP 800-145 because it does not provide a shared pool of configurable computing resources or operate under a SaaS, PaaS, or IaaS model. Instead, it functions as a Security Protection Asset under CMMC, providing encryption and data security capabilities to protect CUI or FCI within a contractor’s environment. As an SPA, XQ Message does not require FedRAMP authorization unless it processes, stores, or transmits CUI in a cloud environment, which is not its primary function. Contractors using XQ Message must include it in their CMMC assessment scope and ensure it meets relevant NIST SP 800-171 controls, but they are not required to seek FedRAMP certification for XQ Message itself.
Sources:
NIST SP 800-145: https://csrc.nist.gov/pubs/sp/800/145/final
NIST Glossary (Cloud Service Provider): https://csrc.nist.gov/glossary/term/cloud_service_provider
CMMC Guidance: