The Department of Defense (DoD) CIO memo on FedRAMP equivalency, dated June 8, 2022, mandates that for a Cloud Service Offering (CSO) to be considered "FedRAMP Moderate equivalent," it must achieve 100% compliance with the FedRAMP Moderate security control baseline. The existence of an open Plan of Action and Milestones (POA&M) signifies that there are unresolved security findings. Therefore, the CSO has not met the mandatory 100% compliance threshold. This failure to meet the baseline is the primary regulatory reason the contractor is prohibited from using the service for Covered Defense Information (CDI) under DFARS 252.204-7012.

A. The open POA&Ms are the evidence of non-compliance, but the fundamental reason is the failure to meet the 100% compliance standard defined by the DoD.

B. DFARS 252.204-7019 concerns NIST SP 800-171 assessment score reporting, not the security requirements for cloud services, which are specified in DFARS 252.204-7012.

C. A Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO) is not required for equivalency; the requirement is meeting the baseline, which can be verified by a 3PAO.

1. U.S. Department of Defense, Office of the Chief Information Officer. (2022, June 8). Memorandum for Senior Pentagon Leadership; Commanders of the Combatant Commands; Defense Agency and DoD Field Activity Directors: Department of Defense Guidance for the Use of Cloud Computing Services that are FedRAMP Authorized or FedRAMP Equivalent. Section: "FedRAMP Moderate Equivalent," Page 2. This memo states, "To be considered FedRAMP Moderate equivalent, a CSP's CSO must achieve 100 percent compliance with the latest FedRAMP Moderate security control baseline... The CSP must have a Plan of Action and Milestones (POA&M) that documents and tracks all findings, and the CSP must have closed out all findings."

2. Defense Federal Acquisition Regulation Supplement (DFARS). (2023). 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. Paragraph (b)(2)(ii)(D). This clause requires that when using an external cloud service provider for CDI, the provider must meet security requirements "equivalent to those established by the Government for the FedRAMP Moderate baseline."

3. Cybersecurity Maturity Model Certification (CMMC) Model Version 2.0. (2021, November). CMMC Level 2 (Advanced). The CMMC Level 2 requirements are aligned with NIST SP 800-171, the foundation of the DFARS 252.204-7012 clause, which in turn mandates FedRAMP equivalency for cloud services handling CDI.