How FedRAMP Moderate-Aligned Cloud Solutions Boost Data Security for Defense Manufacturers
Cyberattacks are dominating today’s headlines, as digitization poses more security risks for the private and public sectors. In 2024, Change Healthcare, a unit of UnitedHealth Group, experienced a ransomware attack which exposed Social Security numbers, medical records, and addresses of millions of patients.1 In 2025, the Interlock Ransomware Group targeted National Defense Corporation (NDC) and its subsidiary AMTEC, exfiltrating data that was subsequently leaked to the dark web. Although there is no public indication that classified data was directly exposed, procurement documents, logistics details, and supply chain information are known to have been compromised, creating long-term risk across the defense industrial base (DIB).2
With these security breaches on the rise, data protection is a key consideration for product manufacturers as they make the transition to cloud-based solutions. Defense and aerospace companies, in particular, are subject to export control regulations (e.g., ITAR and EAR) that restrict access and transfer of controlled data—often requiring strong technical and administrative security measures for compliance. Additionally, federal agencies generally require cloud services that host federal data to be FedRAMP authorized, and Department of Defense (DoD) contractors may be required by government contracts to use FedRAMP Moderate-authorized or -equivalent cloud services for certain data.
So exactly what is FedRAMP and how can a Cloud PLM solution aligned with FedRAMP requirements benefit your business?
What Is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government program that provides a standardized approach to evaluating and monitoring the security of cloud platforms used by U.S. federal agencies. FedRAMP enables government entities to secure their data, supports continuous monitoring and standardized reporting of cybersecurity risks, and requires that the mandated safeguards remain in place for as long as a service is authorized.
FedRAMP was established by an Office of Management and Budget (OMB) memo in 2011, with the program office implemented at the General Services Administration (GSA) in 2012. It is governed collaboratively by GSA, DoD, and the Department of Homeland Security (DHS), and is informed by National Institute of Standards and Technology (NIST) standards.
Requirements for FedRAMP Compliance
Cloud service providers must demonstrate that their product meets FedRAMP compliance requirements. FedRAMP baselines are derived from NIST SP 800-53 controls, categorized using Federal Information Processing Standards (FIPS) 199, and assessed using NIST SP 800-53A procedures. These requirements include:
- Implementation of proper security controls
  The level of security controls (i.e., low, moderate, or high) is determined by the type of data contained in the cloud platform and the potential impact of a security breach on the confidentiality, integrity, and availability of that data.
  - Low impact level: The loss of confidentiality, integrity, and/or availability of data could have a limited adverse effect on an organization’s operations, assets, or individuals.3
  - Moderate impact level: The loss of confidentiality, integrity, and/or availability of data could have a serious adverse effect on an organization’s operations, assets, or individuals. This impact level applies to approximately 80% of FedRAMP-approved applications.3
  - High impact level: The loss of confidentiality, integrity, and/or availability of data could have a severe or catastrophic adverse effect on an organization’s operations, assets, or individuals. This typically applies to law enforcement, emergency services, financial, and health institutions.3
- Completion of a system security plan (SSP)
  An SSP describes how each security control is addressed, how the system is structured, and the security authorization boundary that is put in place.
- Review by a FedRAMP third-party assessment organization (3PAO)
  3PAOs are independent organizations that verify a cloud service provider’s security implementations and assess the overall security risk of the cloud environment.
- Development of a plan of action and milestones (POA&M)
  A solid plan needs to be in place to address any security weaknesses that are identified, including the provision of staffing and additional resources to remediate them.
- Implementation of a continuous monitoring program, including monthly vulnerability scans
  Cloud service providers should implement a program to continuously monitor risks and vulnerabilities to the system and to assess the effectiveness of the security controls that are deployed.
Benefits of Using a Cloud PLM Solution Aligned With FedRAMP Requirements
As more aerospace and defense companies adopt cloud-based product lifecycle management (PLM) solutions, they need to be cognizant of industry regulations and the ability of the solution to meet their requirements. The use of a PLM solution aligned with FedRAMP requirements provides manufacturers with greater insight into cloud security controls and instills added confidence that their product information is protected from imminent cyber threats. It also creates new opportunities for companies looking to diversify their product portfolio and expand their customer base in the government sector.
PTC Arena Federal: FedRAMP Moderate Equivalency
As the preferred Cloud PLM software provider for companies serving the government, Arena by PTC has invested in implementation of the PTC Arena Federal Cloud Service Offering (CSO) aligned with the security requirements outlined in the December 21, 2023, Department of Defense memo entitled “Federal Risk and Authorization Management Program Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings.” The PTC Arena Federal CSO maintains the following body of evidence as required by the December 2023 memo:
- Information Security Policies and Procedures (covering all control families)
- User Guide Digital Identity Worksheet
- Rules of Behavior (RoB)
- Information System Contingency Plan (ISCP)
- Incident Response Plan (IRP)
- Configuration Management Plan (CMP)
- Control Implementation Summary (CIS) Workbook
- Federal Information Processing Standard (FIPS) 199
- Separation of Duties Matrix
- Applicable Laws, Regulations, and Standards
- Integrated Inventory Workbook
FedRAMP Moderate Equivalency vs. the ATO Path
FedRAMP Moderate equivalency and a formal FedRAMP Authorization to Operate (ATO) are built on the same federal Moderate security standards. Although the underlying Moderate control baseline may be the same, a FedRAMP ATO is a formal government authorization, while “equivalency” is a separately evidenced claim used in certain DoD/DFARS contexts. An ATO requires sponsorship from a federal agency and formal approval through the FedRAMP program.
Equivalency is not a FedRAMP authorization. In DoD/DFARS contexts, it refers to meeting FedRAMP Moderate baseline requirements as validated by a FedRAMP-recognized Third Party Assessment Organization (3PAO). The PTC Arena Federal CSO was subjected to such an assessment.
Why Arena PLM Chose FedRAMP Moderate Equivalency
For Arena PLM, FedRAMP Moderate equivalency enables us to deliver a security posture aligned with federal expectations while maintaining speed, flexibility, and responsiveness to customer needs. It supports federal contractors and regulated organizations that require Moderate-level controls, without the longer timelines associated with formal agency sponsorship. At the same time, this approach positions Arena PLM to pursue a full FedRAMP ATO in the future should customer demand and agency partnership align.
Interested in learning more about Arena’s secure Cloud PLM system? Visit our Cybersecurity and Export Controls Compliance web page.
References