Learn about CUI protection, commercial cloud services, FedRAMP requirements, CUI storage in Microsoft GCC, AWS, Google Cloud, etc. and more through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.
Table of Contents
Is it a compliance violation to use personal email or consumer collaboration tools such as Gmail, Slack, Dropbox, or WhatsApp to send or store CUI?
Summary: Using personal email accounts or consumer-grade collaboration tools to send, receive, or store CUI is a direct violation of NIST SP 800-171 Rev 2 and the contractor’s DoD contract obligations under DFARS clause 252.204-7012, because these platforms do not meet the FedRAMP Moderate authorization requirement applicable to cloud services handling CUI.
Platforms such as Gmail (consumer), commercial Slack, Dropbox, WhatsApp, iCloud, and standard OneDrive are not FedRAMP Moderate authorized and do not implement the security controls required under NIST SP 800-171 Rev 2. CUI transmitted through or stored in any of these tools is treated as a CUI spillage, the information must be immediately removed from the non-compliant platform, deleted from all non-compliant locations, and the incident must be documented.
If the disclosure was to an unauthorized party, it may constitute a reportable cyber incident under the contractor’s DoD contract obligations. Contractors must establish and enforce a formal Acceptable Use Policy that explicitly prohibits the use of personal or consumer-grade tools for any CUI-related communication or storage, include this prohibition in security awareness training, and technically enforce it where feasible through data loss prevention (DLP) controls. The Acceptable Use Policy must be documented in the System Security Plan (SSP).
Can CUI be stored in commercial cloud services under CMMC?
Summary: CUI may be stored in cloud services under CMMC, but only in cloud service offerings that meet or exceed a FedRAMP Moderate baseline authorization, the cloud provider must either hold an active FedRAMP Authorization to Operate (ATO) at the Moderate baseline or provide documented evidence of FedRAMP Moderate equivalency, as required by DFARS clause 252.204-7012.
Standard commercial cloud services, including consumer-grade Microsoft 365 (commercial), standard Google Workspace, standard AWS, and standard Dropbox, do not meet this requirement. Storing CUI in non-compliant cloud services is a direct violation of contractor obligations and a commonly cited gap in CMMC assessments.
The FedRAMP Marketplace (marketplace.fedramp.gov) is the authoritative source for identifying cloud services with current ATO status. For services not listed but claiming FedRAMP Moderate equivalency, the provider must submit evidence from an accredited FedRAMP Third-Party Assessment Organization (3PAO) demonstrating their security controls meet the FedRAMP Moderate baseline. Contractors are responsible for verifying and documenting their cloud service providers’ FedRAMP status in their System Security Plan (SSP).
What is the FedRAMP Moderate authorization requirement for cloud service providers handling CUI?
Summary: Any cloud service offering used by a defense contractor to process, store, or transmit CUI must meet the FedRAMP Moderate baseline security requirements, as mandated under DFARS clause 252.204-7012 and the broader CMMC compliance framework.
FedRAMP (Federal Risk and Authorization Management Program) is the U.S. government’s standardized approach to authorizing cloud services for federal use. The Moderate baseline corresponds to NIST SP 800-53 Moderate impact controls, roughly 325 security controls, and is designed to protect sensitive but unclassified government information including CUI.
A cloud service offering meets this requirement by either: holding an active FedRAMP ATO at the Moderate (or High) baseline, listed on the FedRAMP Marketplace; or obtaining a FedRAMP Moderate equivalency determination, which requires an independent assessment by an accredited FedRAMP 3PAO and documented evidence provided to the contractor. FIPS 140-validated encryption is a requirement within the FedRAMP Moderate control set, so any FedRAMP Moderate-authorized service implicitly satisfies the CMMC encryption requirement for CUI in transit and at rest within that service.
What is FedRAMP Moderate equivalency and how does a cloud provider demonstrate it?
FedRAMP Moderate equivalency is a determination by an accredited FedRAMP Third-Party Assessment Organization (3PAO) that a cloud service offering meets the security control requirements of the FedRAMP Moderate baseline, providing a pathway for cloud providers to demonstrate DoD compliance without completing the full formal FedRAMP authorization process.
The DoD published specific guidance on FedRAMP Moderate equivalency requirements in a memorandum from the DoD CIO. Under this guidance, a cloud provider seeking to demonstrate equivalency must engage an accredited FedRAMP 3PAO to independently assess their security controls against the FedRAMP Moderate baseline, produce a formal assessment report, and provide that report as evidence to their contractor clients.
The contractor then includes this evidence in their System Security Plan (SSP) as documentation that their cloud service meets the DFARS 252.204-7012 cloud security requirement. Equivalency is not self-declared, a cloud provider cannot simply state they meet FedRAMP Moderate requirements without independent 3PAO verification. Contractors who rely on self-declared equivalency without 3PAO documentation risk a compliance finding during their CMMC assessment.
Does Microsoft 365 commercial qualify for storing CUI under CMMC?
Microsoft 365 commercial, the standard enterprise or business offering, does not qualify for processing, storing, or transmitting CUI under CMMC, because it does not meet the FedRAMP Moderate authorization requirement applicable to cloud service offerings handling Controlled Unclassified Information.
Microsoft 365 commercial operates on shared commercial infrastructure that has not received a FedRAMP Moderate authorization for government-sensitive data. CUI placed in commercial Microsoft 365 mailboxes, OneDrive, SharePoint, or Teams channels is considered out of compliance with DFARS clause 252.204-7012 and CMMC security requirements.
Contractors who currently use commercial Microsoft 365 for business operations must ensure that CUI does not enter those environments under any circumstances. Microsoft itself provides guidance that Microsoft 365 GCC (Government Community Cloud) at the Moderate level and Microsoft 365 GCC High are the appropriate alternatives for CUI and defense-sensitive data. If CUI has been stored in commercial Microsoft 365, standard CUI spillage procedures must be followed immediately.
Which Microsoft cloud environments (GCC, GCC High) qualify for CUI storage under CMMC?
Summary: Microsoft offers two government cloud environments that qualify for storing CUI under CMMC: Microsoft 365 GCC (Government Community Cloud) and Microsoft 365 GCC High, with different applicability based on the sensitivity of CUI and specific contract requirements.
Microsoft 365 GCC is appropriate for contractors handling CUI that does not fall under the most sensitive defense categories. GCC is a FedRAMP Moderate authorized environment hosted on Microsoft’s government cloud infrastructure, with data stored in U.S. data centers and access restricted to screened personnel.
Microsoft 365 GCC High meets a higher standard, operating at the FedRAMP High baseline and rated at DoD Impact Level 5 (DISA IL5). GCC High is purpose-built for ITAR-controlled data, export-controlled CUI, and the most sensitive defense information. GCC High uses Azure Government infrastructure, requires all supporting personnel to be U.S. persons, and is the mandatory environment for contractors handling Controlled Technical Information (CTI) or any CUI associated with critical defense programs. Standard Microsoft 365 commercial does not qualify for CUI of any category.
Do AWS GovCloud and Google Cloud qualify for CMMC-compliant CUI storage?
Summary: AWS GovCloud (US) qualifies for storing CUI under CMMC when properly configured, as it holds a FedRAMP High Authorization to Operate (ATO) and provides U.S.-region-only, U.S.-person-operated infrastructure. Google Cloud’s government-focused offering holds FedRAMP Moderate and High authorizations for select services and may qualify depending on the specific services used and CUI categories involved.
AWS GovCloud (US), available in the US-West and US-East GovCloud regions, is AWS’s purpose-built government cloud supporting FedRAMP High, DoD IL2 through IL5, and ITAR-controlled workloads. Contractors must configure their GovCloud environments correctly, FedRAMP authorization applies to the cloud infrastructure, not to every workload a customer runs on it; customer-implemented controls must also be in place.
For Google Cloud, contractors should verify each specific Google Cloud service’s FedRAMP authorization status on the FedRAMP Marketplace before placing CUI in it, as authorization varies by service. In all cases, the contractor remains responsible for implementing their share of the security controls under the cloud provider’s Shared Responsibility Matrix and documenting the configuration in their System Security Plan (SSP).
What is the difference between CMMC and FedRAMP, and do they overlap?
Summary: CMMC and FedRAMP are related but distinct federal cybersecurity frameworks: CMMC applies exclusively to defense contractors and governs contractor information systems, while FedRAMP applies government-wide to cloud service providers that host federal data, and where a contractor stores CUI in a cloud service, both frameworks apply simultaneously.
The overlap occurs when a defense contractor stores CUI in a cloud environment, the contractor must comply with CMMC for their own information systems and practices, while the cloud provider hosting their CUI must comply with FedRAMP Moderate or higher. CMMC does not directly regulate cloud providers; it requires contractors to use cloud services that meet FedRAMP standards.
A defense contractor who both develops software and offers cloud hosting to other contractors might have dual obligations, CMMC for their own contract performance environment and FedRAMP (via a separate process) for the cloud services they provide. CMMC compliance does not satisfy FedRAMP requirements, and FedRAMP authorization does not eliminate CMMC obligations, they address different entities and different scopes within the same security ecosystem.
Explore Blogs, Webinars and other Resources
Trusted by Reputed Companies
What Our Clients Say
We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center
Our Growing List of Credentials
0
+
Assessments
0
+
Clients
0
+
Assessment Libraries
0
+
Years of Experience
0
+
No. of Staff Trained
0
+
HIPAA
0
+
SOC 2 Readiness
0
+
Pen Testing
0
+
ISO 27001 Certifications
0
+
Dollars Saved in Compliance Penalties