CMMC Compliant File Sharing: How to Share CUI Without Expanding Your Scope

Q: Is FedRAMP In Process enough for CUI?

No. FedRAMP In Process is not the same as Authorized. It can be useful diligence context, but verify current Marketplace status, package scope, and your contract requirements before putting CUI into the service.

Q: Does a file-sharing tool reduce CMMC scope?

It can, but only if it actually contains the CUI workflow. If users download, sync, email, print, or re-store CUI in ordinary business systems, those systems can enter scope and erase the benefit.

Q: Does CMMC Level 1 require the same file-sharing controls as Level 2?

No. Level 1 is for Federal Contract Information and basic safeguarding; Level 2 applies to CUI and incorporates the 110 NIST SP 800-171 Revision 2 requirements. The first decision is whether you handle CUI or only FCI.

By The Defense Compliance Report Editorial Team · Last verified: June 5, 2026

Editorial research, not legal, contractual, or compliance advice. The Defense Compliance Report is not affiliated with, endorsed by, or sponsored by the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, FedRAMP, Microsoft, or any U.S. government agency.

Disclosure: We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Here’s the bottom line.There is no single product you can buy that is “CMMC compliant file sharing” on its own. For Controlled Unclassified Information (CUI), the safer way to think about it is this: a file-sharing method is defensible when it keeps CUI inside your CMMC Level 2 boundary, supports the NIST SP 800-171 Revision 2 requirements that CMMC Level 2 incorporates, protects CUI confidentiality in transit and at rest using FIPS-validated cryptography wherever cryptography is used to protect confidentiality, gives you named-user audit logs, and is documented in your System Security Plan (SSP) with a Customer Responsibility Matrix (CRM) from the provider.

The conditions change the answer. If you only handle Federal Contract Information (FCI) and no CUI, CMMC Level 1 is a lighter lift and most of this page doesn’t apply to you. If any of your CUI is export-controlled — ITAR or EAR technical data — you almost certainly need GCC High or another U.S.-person-only environment, not a generic “secure” tool. And the file type matters: engineering drawings, specs, and source code often qualify as Controlled Technical Information (CTI), which is a CUI Specified category governed by DFARS 252.204-7012 itself.

The assessor doesn’t grade your software. They grade your boundary and your evidence. That single shift is why an expensive tool can still fail an assessment, and why a narrow, well-documented workflow can pass.

Start here: which path fits your situation?

The fast verdict. The full breakdown — scope impact, evidence, and failure modes — is the architecture matrix further down.

Your situation	Best first path	Why	Watch out for
“We just need to send and receive CUI files with primes/subs.”	FedRAMP-authorized managed file transfer (MFT) or secure portal	Solves the transfer workflow without migrating your whole company	CUI still leaking into email or onto laptops
“CUI lives in our email, Teams, SharePoint, and daily work.”	GCC High or a broader managed CUI environment	File sharing isn’t isolated — the whole collaboration path is in scope	Assuming the platform alone makes you compliant
“We want to wall CUI off from the rest of the business.”	A secure CUI enclave	Can shrink your assessment boundary	Users pulling CUI back into normal systems
“External subs and suppliers need easy access to CUI.”	FedRAMP portal or encrypted overlay, with strong evidence	This is where GCC High creates friction by design	Public links you can’t audit or revoke
“We’re using consumer Dropbox, Google Drive, or WeTransfer.”	Stop using them for CUI	Uncontrolled flow and weak evidence are nearly impossible to defend	Treating “it’s encrypted” as the whole answer
“We only handle FCI, not CUI.”	CMMC Level 1 basic safeguarding	Don’t overbuild a Level 2 environment you don’t need	Misidentifying CUI you actually do hold

Not sure which row is really you?

A two-minute check beats a five-figure mistake. Tell us your CMMC level, what you share, who receives it, and your timeline.

Check which CMMC file-sharing path fits your workflow →

What does “CMMC compliant file sharing” actually mean?

“CMMC compliant file sharing” means your file-sharing workflow can be defended inside your CMMC assessment scope — not that a product carries a CMMC label. The Cybersecurity Maturity Model Certification (CMMC) is assessed at the level of your organization’s environment, against the 110 security requirements in NIST SP 800-171 Revision 2 (for Level 2). A vendor can support compliance, but your configuration, your access controls, your documentation, and your evidence are what get assessed.

CMMC became a codified program when 32 CFR Part 170 took effect on December 16, 2024, and it became a contract requirement when the matching acquisition rule — DFARS 252.204-7021 — took effect on November 10, 2025, the first day of the phased rollout. The full rule is posted on the eCFR.

Five things make file sharing defensible for CUI

Pulled from the controlling regulatory text, not a vendor datasheet.

#	Requirement	What it means for file sharing	Primary source
1	CUI in the cloud meets FedRAMP Moderate (or DoD-reviewed equivalent)	If an external cloud service stores, processes, or transmits CUI, it must meet security “equivalent to” the FedRAMP Moderate baseline and comply with the cyber-incident, malware, media, and forensic obligations in DFARS 7012 (c)–(g).	DFARS 252.204-7012(b)(2)(ii)(D)
2	CUI protected in transit and at rest; FIPS-validated cryptography where used	Encrypt CUI in transit (§3.13.8) and at rest (§3.13.16); when cryptography is what protects CUI confidentiality, the module must be FIPS-validated (with a certificate number), not merely “FIPS-compliant” or “AES-256” (§3.13.11).	NIST SP 800-171 Rev. 2 §§3.13.8, .11, .16
3	Access control, MFA, least privilege	Only authorized, authenticated users reach CUI; external sharing is controlled and revocable.	NIST SP 800-171 Rev. 2 §3.1.x, §3.5.x
4	Audit logs you can produce as evidence	You can show who uploaded, downloaded, shared, deleted, or changed access — traceable to a named user.	NIST SP 800-171 Rev. 2 §3.3.x
5	Documented as a CSP/ESP in your SSP, with a CRM	The service is documented in your System Security Plan (SSP) with a Customer Responsibility Matrix (CRM) splitting what the provider covers from what you cover.	32 CFR § 170.19

Not all CUI is the same — and your file type sets the bar

This is where many contractors trip. CUI splits into two groups, and the group changes which environments are acceptable.

CUI Basic is the default. You safeguard it under the baseline rules in 32 CFR Part 2002 and apply NIST SP 800-171.
CUI Specified carries extra handling rules written into a specific law or regulation. Controlled Technical Information (CTI)— engineering drawings, specifications, source code, technical reports — is marked CUI//SP-CTI and is governed by DFARS 252.204-7012 itself. Export-controlled data may be marked CUI//SP-EXPT when the governing authority is a specific export-control statute. For ITAR/EAR workflows, verify the CUI category, governing authority, markings, recipient eligibility, support-staff access, and data-location requirements before trusting a generic secure tool.

A practical rule: drawings, specs, and source code canbe CTI when they fit that definition, and RFQ packages often contain those artifacts — so check the contract markings and the actual file contents before treating a workflow as routine.

Level 1 vs Level 2 vs Level 3 — know which one you’re solving for

Most file-sharing questions live at Level 2. CMMC Level 1 covers FCI with basic safeguarding (a self-assessment). CMMC Level 2 is for CUI and incorporates all 110 NIST SP 800-171 Rev. 2 requirements, organized into 14 control families— assessed either by self-assessment or by a Certified Third-Party Assessment Organization (C3PAO), depending on what the contract requires. CMMC Level 3 adds a subset of NIST SP 800-172 requirements for the most sensitive CUI and is assessed by DCMA DIBCAC.

Is there a “CMMC certified file-sharing product”?

No — not in the way buyers mean it. No product is “CMMC certified.” CMMC certifies organizations, not software. Even a fully FedRAMP-authorized platform only addresses a fractionof the 110 requirements; the rest — configuration, documentation, endpoint control, user behavior — is on you.

One honest, uncomfortable admission:buying a “compliant” file-sharing tool will not make your company compliant, and any vendor implying otherwise is selling you a feeling. To put it in perspective, PreVeil states its encrypted email-and-file platform supports roughly 102 of the 110 controls; Virtru states its encryption layer addresses around 27 of the 110. Both are provider-stated mappings that describe a subset— and they’re not yours until you implement and document them.

That’s also the good news. If your CUI workflow is narrow — a few drawing exchanges with one prime — a well-documented file-transfer portal or a small enclave can be enough, and far cheaper than migrating your whole company to GCC High. The job isn’t to find the magic logo. It’s to match the right architecture to your actual CUI flow.

Not sure whether you need an enclave, GCC High, or just a secure transfer channel?

Tell us your level, what you share, who receives it, and your timeline, and we’ll match you with source-checked CMMC provider options for your situation. Please don’t include CUI, drawings, technical data, or contract numbers in the form.

Get matched with source-checked provider categories →

Which CMMC file-sharing approach should you use?

The right approach depends on whether your problem is narrow transfer, daily collaboration, or scope containment. Use a FedRAMP-authorized file-transfer portal or MFT when the job is controlled external exchange. Use GCC High when CUI lives across everyday email, files, and chat. Use a secure enclave when you can genuinely isolate CUI from the rest of the business.

The CMMC file-sharing architecture and evidence matrix

Editorial verdicts based on DFARS 252.204-7012; 32 CFR § 170.19; NIST SP 800-171 Rev. 2. “Evidence to request” is what your SSP and assessment will need regardless of which option you pick. On mobile, scroll the table sideways.

Approach	Best fit	Don’t use it when…	Scope impact	Evidence to request	Main failure mode	Our verdict
FedRAMP-authorized MFT / secure file portal	Sending and receiving CUI files with primes, subs, suppliers — drawings, RFQs, large files, recurring drops.	CUI also lives in regular email, laptops, Teams chat, or consumer drives outside the portal.	The service is a CSP touching CUI: document its role, authorization, CRM, and fit in the SSP.	FedRAMP package ID, CRM, service description, data-flow diagram, log export, incident-reporting commitment, FIPS details.	Users bypass the portal and email CUI “just this once.”	Best first move when the real problem is transfer, not full collaboration.
Microsoft 365 GCC High (SharePoint / OneDrive / Teams)	Daily CUI collaboration across files, email, chat, identity — especially with ITAR/export-controlled CUI.	Your main need is frictionless sharing with commercial partners who aren’t in GCC High (it can’t, by design).	Tenant, identity, endpoints, admin, and logging all become part of the CUI environment.	Microsoft CRM, eligibility proof, FedRAMP Marketplace entry, tenant-config evidence, guest-sharing policy, DLP/labeling, audit logs.	“GCC High = compliant.” It supports compliance; your implementation is what’s assessed.	Best when CUI is an everyday environment, not a one-off transfer.
Microsoft 365 GCC	Some government-cloud collaboration where the CUI category and contract allow it.	CUI is export-controlled (ITAR), nuclear, or otherwise needs stronger sovereignty controls.	Same as GCC High: tenant, endpoints, identity, operations in scope.	Microsoft CRM, FedRAMP Marketplace entry, contract/data-category analysis, external-sharing controls.	Using GCC for a data category it wasn’t built to hold.	Possible in narrower cases; verify your CUI category before relying on it.
CUI enclave / encrypted workspace (FedRAMP authorization or DoD-reviewed FedRAMP Moderate-equivalency)	Small/mid DIB that wants a purpose-built CUI channel without migrating the whole company.	CUI keeps leaking back into normal inboxes, local downloads, or commercial drives.	Concentrating CUI here can shrink your boundary — the single biggest scope lever.	FedRAMP Marketplace package ID or equivalency Body of Evidence and 3PAO assessment, plus CRM, FIPS module certificates, log export, and which controls remain yours.	Treating the enclave as “done” while CUI still moves outside it.	Strong fit when CUI can be operationally contained.
Encrypted overlay on existing email/M365	Narrow external CUI exchange where recipients need low friction and the overlay truly contains the workflow.	CUI still lands in normal inboxes, gets downloaded locally, or sits in commercial file shares.	The overlay’s boundary and evidence must be crisp; it’s a layer, not a full environment.	FedRAMP status, architecture/data-flow diagram, admin logs, export/deletion evidence, FIPS crypto evidence.	Mistaking encryption for access control, logging, and scoping.	Useful when the workflow is narrow and enforceable; risky as a bandage over uncontrolled CUI.
Self-managed SFTP / on-prem file server with VPN	Technical teams with recurring bulk transfer and the staff to run identity, logging, patching, and incident response.	You lack security staff, monitoring discipline, or the ability to produce evidence on demand.	You own nearly every operational control directly.	Server hardening baseline, MFA/identity, audit logs, encryption/FIPS evidence, access reviews, patch records, deletion process.	Looks simple until the assessor asks for config baselines and logs.	Viable, but rarely the easiest path for a small DIB shop.
Consumer/commercial links (personal Dropbox, Google Drive, WeTransfer, public links)	Non-CUI business files only.	CUI is involved — full stop.	High risk of uncontrolled CUI flow, public-link exposure, and weak evidence.	Usually insufficient for CUI without a documented compliant boundary.	Public links and unmanaged recipients you can’t audit or revoke.	Default answer: do not use for CUI.

Physical encrypted media or courier is a rare edge case — chain-of-custody and media-marking controls apply — but it’s not a modern collaboration strategy.

If your problem is file transfer only

A FedRAMP-authorized MFT or secure portal fits that: upload/download audit trails, recipient identity, a defensible boundary. The catch: it only solves CUI that goes through the portal. If CUI is also sitting in your inbox or on a laptop, you haven’t solved the problem — you’ve added a tool.

If CUI lives in your everyday collaboration

If CUI is in email, Teams, SharePoint, synced folders, and on laptops, your “file-sharing problem” is actually an environmentproblem. That’s the case for GCC High or a broader managed CUI environment. See our deeper coverage on CMMC secure enclaves and enclave vs. enterprise compliance.

If you share with external subs and suppliers

External sharing is where most plans quietly break. You need recipient authorization, MFA, link expiration, download controls, revocation, and logs — plus DFARS 252.204-7012 flow-down to your subcontractors handling the same CUI. This is also where GCC High’s design creates friction.

Want help picking the right category for your actual CUI path?

Tell us what you share, who receives it, and your CMMC deadline. We’ll match you with provider categories suited to your workflow.

Compare provider categories matched to your workflow →

Does CMMC file sharing have to be FedRAMP authorized?

Not every situation is automatically a FedRAMP question — but cloud file sharing for CUI usually is. If an external cloud service stores, processes, or transmits covered defense information, DFARS 252.204-7012 requires that service to meet security “equivalent to” the FedRAMP Moderate baseline, plus the incident-reporting and forensic obligations in paragraphs (c) through (g).

CSP vs ESP vs MSP vs CRM, in plain English

Term	What it actually is	Why it matters for file sharing
CSP	A cloud service that stores, processes, or transmits your CUI.	The DFARS 7012 FedRAMP-equivalency requirement applies to it.
ESP	An outside provider of people, technology, or services used in your CMMC environment.	Under 32 CFR § 170.19, when an ESP handles CUI or security-protection data, it’s documented and assessed within your scope.
MSP / MSSP	A managed IT or security provider running part of your environment.	May not be a CSP itself, but its services can still be in scope if it touches CUI or security data.
CRM	The document showing what the provider covers vs. what you must implement.	Without it, you can’t build clean assessment evidence. 32 CFR § 170.19 expects it in your SSP.

Cross-checked against the rule: 32 CFR § 170.19 states that a CSP processing, storing, or transmitting CUI must meet the DFARS 252.204-7012 FedRAMP requirements, and that ESP services are assessed within your scope when they handle CUI or security-protection data, documented in the SSP and the provider’s CRM.

The FedRAMP status decoder — “FedRAMP” means four different things

This is the distinction that fails assessments. When a provider says “FedRAMP,” ask which one.

What a vendor may claim	What it actually means	Satisfies DFARS 7012 for CUI?
FedRAMP Authorized (Moderate or High)	Holds an Authorization to Operate; listed on the FedRAMP Marketplace for specific services.	Yes — for the authorized services and scope. Verify the exact edition/region.
FedRAMP Moderate Equivalent	A FedRAMP-recognized 3PAO assessed the offering against the latest FedRAMP Moderate baseline at 100% compliance, with all assessment POA&Ms closed, and made a Body of Evidence available to the contractor. The DoD’s December 21, 2023 memo puts the onus on the contractor to validate it.	Yes — when that evidence genuinely exists.
FedRAMP Ready / In Process	Independently assessed for readiness; authorization not yet granted.	Not by itself. Readiness ≠ authorization.
“FedRAMP equivalent” (self-asserted)	Marketing language; no 3PAO assessment or Body of Evidence behind it.	No / unverified — treat it as a red flag until they show the evidence.

For scale: the FedRAMP Moderate baseline (NIST SP 800-53 Rev. 5) runs to roughly 325 controls. A “FedRAMP equivalent” sticker is meaningless without the 3PAO Body of Evidence behind it, and you — not the vendor — are accountable for confirming it exists. See the full rule at FedRAMP Moderate for CMMC cloud services.

How to check the FedRAMP Marketplace in eight steps

Don’t take the sales rep’s word — check it:

Search the exact product/service name in the FedRAMP Marketplace.
Confirm the exact product (vendors often have several).
Confirm the status (Authorized vs In Process vs Ready).
Confirm the impact level (Class C = Moderate, Class D = High).
Record the package ID.
Ask the provider whether your exact deployment is inside the listed authorization boundary.
Request the CRM / shared-responsibility documentation.
Ask, in writing, how incident reporting under DFARS 7012 (c)–(g) will work.

FedRAMP Marketplace snapshot — file-sharing and collaboration-relevant services

Checked on the FedRAMP Marketplace and providers’ own published statements as of June 5, 2026. These are examples for evidence methodology — not endorsements, rankings, or routing destinations. Marketplace status covers the listed service at the listed level; it does not configure your tenant, write your SSP, or cover the controls that remain your responsibility.

Provider / service	Category	FedRAMP status (package ID) — verify on Marketplace	What you must still verify
Microsoft 365 GCC High	Full M365 enclave (Azure Government)	FedRAMP Authorized, High (FR1824057433)	GCC High eligibility, tenant config, external-sharing limits, CRM, endpoint controls, CUI-category fit
Microsoft 365 GCC	Government-cloud M365	FedRAMP Authorized, Moderate (MSO365MT)	Whether your CUI category is appropriate for GCC (not ITAR/nuclear), tenant config, CRM, external-sharing controls
AWS GovCloud (US)	IaaS/PaaS foundation	FedRAMP Authorized, High (F1603047866)	This is infrastructure, not a file-sharing workflow — the app layer, access model, logging, and SSP evidence are yours
Box Enterprise Cloud Content Collaboration Platform	Content collaboration / file sharing	FedRAMP Authorized, High & Moderate, DoD IL4 (F1212191840A)	Exact plan/region, external-user controls, CRM, package boundary
Kiteworks Federal Cloud (Private Data Network)	MFT / secure content	FedRAMP Authorized, Moderate (F1511167634)	That your deployment is the authorized one; logging; external-user model
Kiteworks Secure Gov Cloud	Secure Gov Cloud / MFT	Agency Authorization In Process, High (FR2435353186) — not yet authorized	Do not treat as authorized until the Marketplace status changes
Virtru Data Security Platform	Encryption / sharing overlay	FedRAMP Authorized, Moderate (F1605037894); FIPS/control claims provider-stated	That it’s a layer, not a full enclave; FIPS module certificates; what it covers
PreVeil (email + drive)	CUI enclave, E2EE	Provider-stated FedRAMP Moderate Equivalency (3PAO-assessed); not a Marketplace ATO	Ask for the 3PAO Body of Evidence, CRM, FIPS module certs, and confirmation your deployment is covered

How we checked these providers.Category and status: FedRAMP Marketplace and providers’ published statements. Evaluation depth: public-source research as of June 5, 2026— not hands-on testing. Compensation: we may receive compensation for qualified introductions or referrals when disclosed; that does not control this analysis. What we could not verify: private CRMs, non-public package contents, and whether any product fits your specific environment.

PreVeil presents itself as “FedRAMP Moderate Equivalent,” not “FedRAMP Authorized” on the Marketplace.Those are two different doors to the same room. Equivalency (3PAO assessment, 100% of controls, assessment POA&Ms closed, Body of Evidence the contractor must validate) and a Marketplace authorization both satisfy DFARS 7012 — but a vendor claiming “FedRAMP equivalent” with nothing behind it is a different animal entirely. Ask which one. Ask for the evidence.

Want us to source-check the provider category before you put CUI in it?

Send your level, current platform, and file-sharing workflow, and we’ll point you to provider options whose role and status we’ve checked as of June 2026.

Get matched with source-checked provider options →

Which NIST SP 800-171 controls matter most for CUI file sharing?

CMMC Level 2 doesn’t hand you a separate “file sharing” checklist — it uses the 110 NIST SP 800-171 Rev. 2 requirements. For file sharing specifically, the controls that surface as assessment evidence cluster around access control, CUI flow control, audit logging, encrypted transmission, FIPS-validated cryptography, media handling, and keeping CUI off publicly accessible systems.

File-sharing issue	Requirement (NIST SP 800-171 Rev. 2)	The practical test	Evidence artifact
Only authorized users reach CUI	Limit access to authorized users and functions (§3.1.1–3.1.2)	Can you prove who had access to each CUI folder or transfer?	Access-control matrix, group export, MFA policy, access review
CUI doesn’t flow wherever users want	Control the flow of CUI per approved authorizations (§3.1.3)	Can users forward, sync, or re-share CUI outside approved channels?	DLP/sharing policy, approved-domain list, data-flow diagram
CUI isn’t posted publicly	Control CUI on publicly accessible systems (§3.1.22)	Could a public link expose CUI?	Public-link disablement, link-sharing report, monitoring alert
Activity is traceable	Create audit records traceable to individual users (§3.3.1–3.3.2)	Can you show who uploaded, downloaded, shared, or deleted?	Audit-log export, SIEM record, retention setting
CUI protected in transit	Protect CUI confidentiality during transmission (§3.13.8)	Is transfer encrypted over an approved secure channel?	TLS config, encryption documentation, vendor attestation
Cryptography is validated	FIPS-validated cryptography when used to protect CUI confidentiality (§3.13.11)	Can the provider name the FIPS-validated modules and certificate numbers?	CMVP certificate numbers, module/boundary statement
CUI at rest is protected	Protect CUI confidentiality at rest (§3.13.16)	Is stored CUI encrypted with a validated module?	Encryption-at-rest config, key-management documentation
Downloads and media are controlled	Control access to and mark media containing CUI (§3.8.x)	Can users pull CUI to unmanaged devices?	Endpoint policy, download restriction, media-marking procedure

The warning that keeps people honest: this table is notthe complete CMMC Level 2 control set. It’s the slice most likely to surface in file-sharing evidence. All 110 still apply. Anyone publishing “the complete CMMC file-sharing requirements” as a short list is misleading you.

Should you use GCC High, a FedRAMP file-transfer tool, or an encrypted overlay?

Use GCC High when CUI lives across daily collaboration; use a FedRAMP MFT or portal when the job is controlled external transfer; use an encrypted overlay only when the workflow is narrow, enforceable, and backed by real evidence. Each is right for a different shape of problem, and picking by shape — not by brand — is how you avoid overbuying.

Use GCC High when file sharing isn’t isolated

If CUI shows up in email, documents, chat, meetings, and shared libraries, you need an environment, not a tool. But know the trade going in. Microsoft’s own documentation states that GCC High users can share only with other organizations in GCC High, and that file requests aren’t available for Office 365 Government. In plain terms: the locked door that makes GCC High compliant is the same door that makes sharing CUI with a commercial subcontractor genuinely hard. That’s not a bug — it’s the design — and it’s exactly why so many GCC High shops bolt on an encrypted overlay or a portal for outbound CUI.

Use a FedRAMP MFT or portal when the workflow is transfer-centric

Drawings, RFQs, supplier uploads, prime/sub exchange, large files, recurring drops — when you mostly need to move files with an audit trail, MFT is the lean answer. You get upload/download logging, recipient identity, and a contained boundary without re-platforming your business.

Use an encrypted overlay when it truly contains the workflow

An overlay works when CUI can stay inside it. It stops working the moment users download, forward, or re-store that CUI somewhere uncontrolled. Verify the overlay’s FedRAMP status and CRM before you rely on it, and be honest about whether your users will actually keep CUI inside the lines.

Use a secure enclave when you can isolate CUI

An enclave can shrink your assessment boundary — but, critically, it does not reduce the Level 2 control set itself. It also collapses in value the instant users pull CUI back into shared enterprise tools. Our secure enclave guide covers this trade in depth.

You know the options now, but still not sure which fits your environment?

Tell us your CUI workflow and current stack, and we’ll match you with the provider categories that fit — portal, GCC High, enclave, overlay, or managed compliance.

See provider categories matched to your CUI path →

Can you use SharePoint, OneDrive, Dropbox, Google Drive, or WeTransfer for CUI?

The brand name alone doesn’t answer the question — the environment, configuration, authorization boundary, CUI category, and evidence do.

SharePoint and OneDrive in GCC High

A stronger fit for CUI collaboration than ad hoc tools — but external sharing is limited (only to other GCC High orgs), and tenant configuration is what gets assessed. Microsoft is explicit that customer configuration and operation remain part of the compliance responsibility; the platform supports compliance but doesn’t deliver it for you.

SharePoint and OneDrive in GCC

Possibly acceptable for some data and contract situations — but not the default for CUI Specified categories like ITAR or nuclear information. Do the contract and data-category analysis first, and get the CRM. We don’t make blanket “GCC is fine for CUI” statements, and you shouldn’t accept them from a vendor either.

Commercial Dropbox, Google Drive, WeTransfer, and public links

Our default editorial answer: do not use these for CUIunless you have authoritative evidence that the exact service, configuration, and boundary meet the requirements. Public links create obvious CUI-flow and public-system exposure — and they’re nearly impossible to defend in an assessment because you can’t reliably audit or revoke them.

External sharing is the hidden failure point

This is where good intentions go to die: guest identity, MFA, link expiration, download controls, approved domains, revocation, logging, recipient authorization, and subcontractor flow-down. If you can’t control and prove each of those, your “secure” sharing isn’t.

What proof should you ask a file-sharing provider for before you put CUI in it?

Ask for evidence, not slogans. At minimum: the FedRAMP package ID or DoD-reviewed equivalency Body of Evidence, the CRM, the service description, a data-flow/boundary diagram, log export, the incident-reporting commitment, encryption/FIPS module details, the support-access policy, and written confirmation that your exact deployment sits inside the claimed boundary.

The CUI File-Sharing Fit Finder

Answer these questions before calling a vendor. The answers determine your architecture category, the red flags in your current setup, and the evidence checklist to walk into vendor calls with.

What do you handle? (FCI only, CUI Basic, CTI, or ITAR/EAR)
What’s your CMMC target? (Level 1, Level 2 self-assessment, or Level 2 C3PAO)
Do you need internal collaboration, external transfer, or both?
Who receives the files? (primes, subs, foreign nationals, commercial vendors)
Does CUI currently land in email or sync to laptops?
What do you use today?
Are you up against a solicitation deadline?

Use as a planning aid only — please don’t enter CUI, drawings, technical data, contract numbers, or sensitive security details.

The provider evidence checklist

Walk into every vendor call with this. If they can’t answer, that’s your answer.

Exact product name and FedRAMP Marketplace link or package ID
Current FedRAMP status and impact level
Confirmation your deployment is inside the authorization boundary
CRM / shared-responsibility matrix
SSP-ready boundary language and a data-flow diagram
Data residency and support-access policy — can their support staff see your content, and is support inside or outside the authorization boundary?
Incident-reporting process aligned to DFARS 7012 (c)–(g)
Audit-log export and retention (named-user traceability)
MFA / SSO / identity integration
External-user access, link-sharing, download/sync/print controls
CUI marking and labeling support
Encryption in transit and at rest, with FIPS module certificate numbers
Backup, retention, legal hold, and deletion
The hosting/subprocessor chain
Sample evidence for an access review, a file transfer, and an incident investigation

Reject these immediately

Be skeptical of any provider that says “CMMC compliant” but can’t explain your boundary; claims “FedRAMP equivalent” but won’t show the Body of Evidence; can’t produce a CRM; can’t say whether support staff can access your content; can’t export named-user audit logs; treats “FIPS encryption” as the whole answer; tells you that you “don’t need to document this in your SSP”; or — the brightest red flag of all — guarantees a certification outcome. No one can guarantee that.

Keep readiness help separate from your formal assessment. Where CMMC independence rules require it, the organization that helps you implement and remediate cannot also be the C3PAO that assesses that same work.

Use this checklist in your vendor calls.

If the answers come back vague, send us your level, scope, and workflow and we’ll help you compare source-checked provider categories so you’re not evaluating in the dark.

Compare source-checked provider categories →

FIPS-validated vs “FIPS-compliant” — the encryption gotcha (and a real 2026 date)

“FIPS 140-validated” means the cryptographic module passed CMVP testing and carries a certificate number — it is not the same as “FIPS-compliant” or “uses AES-256.” NIST SP 800-171 §3.13.11 requires validated cryptography when cryptography is used to protect CUI confidentiality. Contractors fail this control constantly because they check the algorithm, not the module, or they buy FIPS-capable software and never turn on FIPS mode.

The dated, concrete part — one of the few genuinely time-sensitive facts on this page:NIST’s transition schedule says FIPS 140-2 modules can remain active for five years after validation or until September 21, 2026, and that all remaining FIPS 140-2 certificates move to the CMVP Historical List on September 22, 2026. Historical status doesn’t automatically stop a deployed module from working, and NIST notes those modules can still be purchased and used for existing systems — but it makes the certificate number, validation status, cryptographic boundary, and your provider’s transition plan a concrete evidence question, and federal guidance is that Historical modules shouldn’t be selected for new systems. If you’re choosing a file-sharing tool right now, ask whether its encryption modules carry active FIPS 140-3 certificates — not a roadmap, not “in process,” but an active certificate you can look up in the CMVP database.

That date lands right inside the CMMC rollout that began November 10, 2025. Neither date is manufactured urgency — both are fixed in federal records. Together they make cryptographic-module status a concrete vendor-diligence question for any CMMC file-sharing decision.

How do you scope a CMMC file-sharing environment?

Scope follows wherever CUI actually goes.If a system, endpoint, cloud service, or external provider processes, stores, or transmits CUI, it’s in your CMMC assessment boundary — or it must be documented as a CSP/ESP-supported service. The whole game is deciding where CUI is allowed to live and proving it stays there.

Draw the five-point CUI file map first

Before you demo a single tool, answer: Who creates the CUI? Where is it first received? Where is it stored? Who needs access? And where can it be downloaded, synced, forwarded, printed, or archived? That last question is where most environments quietly sprawl.

The five asset categories

Under 32 CFR § 170.19, every asset in a Level 2 environment maps to one of five categories. You propose the boundary; the C3PAO can challenge it.

CUI Assets — process, store, or transmit CUI. The core of Level 2. A file-sharing platform holding CUI is one of these.
Security Protection Assets (SPAs) — provide security functions protecting CUI (your SIEM, identity provider, DLP).
Contractor Risk Managed Assets (CRMAs) — assets that can, but are not intended to, process, store, or transmit CUI because of your security policy, procedures, and practices; they require a written rationale.
Specialized Assets — operational technology, IoT, and government-furnished equipment with limited assessment.
Out-of-Scope Assets — physically or logically separated from the CUI environment.

How file sharing accidentally explodes your scope

These are the moves that drag your whole company into the assessment: CUI emailed into a commercial inbox; CUI synced to a personal laptop; CUI downloaded to an unmanaged desktop; CUI dropped into general-company SharePoint; an external user re-sharing via public link; a support ticket with a CUI attachment; a backup system quietly storing CUI that was never scoped; a logging tool capturing CUI filenames. Every one of those turns an “out-of-scope” system into an in-scope one.

What to put in the SSP

Your SSP should name the approved CUI file-sharing channels, the system boundary, the data-flow diagram, the external providers (with CRM references), access-control roles, the external-user policy, log retention, the incident-reporting workflow, user training, and — just as importantly — the prohibitedchannels. Documenting what’s banned is part of proving control.

What does CMMC compliant file sharing cost?

There’s no single regulatory price — cost depends on whether you need a narrow transfer portal, a full GCC High environment, a secure enclave, an encrypted overlay, or a managed compliance partner to design and operate it. Here’s what actually moves the price — and a worksheet to scope it before you ever take a sales call.

Cost driver	Why it changes the price
Number of users touching CUI	Licensing, identity, training, and access reviews scale with people.
Internal vs. external sharing	External users add guest management, revocation, and audit overhead.
CUI category	CTI, ITAR, and CUI Specified narrow your acceptable environments (and raise cost).
Current platform	Existing GCC/GCC High vs. commercial M365 vs. on-prem changes migration effort.
Evidence maturity	No SSP, CRM, logs, or access reviews today means more implementation work.
Assessment type	A C3PAO-ready environment demands stronger evidence discipline than a casual internal setup.
Architecture	Portal/MFT, GCC High, enclave, and full managed programs have very different cost profiles.

Quote-scoping worksheet (fill this in before you call a vendor)

Bring concrete answers and you’ll get concrete, comparable quotes instead of a pile of mismatched proposals.

Scoping question	Your answer
How many people actually touch CUI?	___
Internal collaboration, external transfer, or both?	___
CUI category (Basic, CTI, ITAR/EAR, mixed)?	___
Current platform (commercial M365, GCC, GCC High, Google, on-prem)?	___
Do you have an SSP, CRM, logs, and access reviews today?	___
Migration scope (net-new, partial, full re-platform)?	___
Assessment path (Level 1, Level 2 self, Level 2 C3PAO)?	___
Hard deadline tied to a solicitation or prime?	___

The smartest sequence is counterintuitive:don’t collect quotes until you know your category. Pricing a GCC High migration when you actually needed a narrow transfer portal wastes weeks and warps the conversation. Figure out the architecture first; price it second.

Don’t ask for quotes until you know the category.

Fill in the worksheet, then tell us your level, CUI workflow, and current stack, and we’ll help you request scoped quotes from the right provider category.

Request scoped quotes from matched provider categories →

What are the most common CMMC file-sharing mistakes?

The biggest failures usually aren’t “the file wasn’t encrypted.” They’re uncontrolled CUI flow, missing evidence, wrong cloud assumptions, unmanaged downloads, public links, unclear provider responsibilities, and treating a narrow tool as if it secured the whole environment.

Mistake	How to detect it in your environment	The evidence artifact that catches it	Relevant control/source
Buying a tool before mapping CUI flow	You can’t draw where CUI enters, lives, and leaves	Data-flow diagram and asset inventory	32 CFR § 170.19
Treating FedRAMP status as the whole answer	No CRM; no tenant-config evidence	CRM and SSP control implementation	§ 170.19; DFARS 7012
Letting CUI escape through downloads/sync	OneDrive sync on, local copies, unmanaged laptops	Endpoint policy, download/sync controls	NIST SP 800-171 §3.1.3, §3.8.x
Public links and anonymous access	Link-sharing reports show open or “anyone” links	Public-link disablement, sharing report	NIST SP 800-171 §3.1.22
No CRM or shared-responsibility proof	Provider can’t say what they cover vs. you	CRM referenced in the SSP	32 CFR § 170.19
Assuming an assessor accepts marketing language	Your “evidence” is a brochure, not a log	Named-user audit-log export	NIST SP 800-171 §3.3.x

What should you do before sharing your next CUI file?

Before you send the next CUI file, confirm it’s actually CUI, confirm the recipient is authorized, use an approved channel, verify the provider evidence, apply access and download controls, keep the logs, and update your data-flow record. Convenience is exactly how CUI ends up in the wrong place.

The 10-minute pre-transfer checklist

Is the file actually CUI, CTI, or FCI?
Is it marked correctly?
Is the recipient authorized for a lawful government purpose?
Is the channel approved in your CUI handling procedure?
Does the tool store, process, or transmit CUI? If yes, do you have CSP/ESP evidence?
Is MFA required to access it?
Are public links disabled?
Can downloads be restricted or logged?
Can you export named-user audit logs for this transfer?
Does this transfer appear in your data-flow diagram — and do users know not to re-upload it elsewhere?

When a prime needs files tomorrow

Deadlines happen, and panic leads to bad choices. Do notreach for a consumer link because it’s fast. Ask the prime whether they have an approved CUI exchange method — many do. If you must provide the channel, use a provider category with documented CSP/ESP evidence. Record the decision in your internal notes, then follow up afterward by updating your SSP and approved-channel list. A defensible “good enough for now” beats a fast mistake you can’t take back.

Under a deadline from a prime or solicitation?

Tell us what you need to send, who receives it, and your CMMC path, and we’ll match you with source-checked provider categories that fit your situation — fast.

Get matched with source-checked provider options →

What we actually verified for this guide

We don’t ask you to take regulatory claims on faith, so here’s what we read and cross-checked ourselves.

What we verified — last verified June 5, 2026

CMMC Level 2 maps to NIST SP 800-171 Rev. 2 (110 requirements, 14 control families) under 32 CFR Part 170. (Primary source.)
DFARS 252.204-7012(b)(2)(ii)(D) requires external cloud services handling covered defense information to meet FedRAMP Moderate-equivalent security plus (c)–(g) obligations. (Primary source.)
32 CFR § 170.19 addresses CSP/ESP scoping, the five asset categories, SSP, and CRM documentation. (Primary source.)
Effective dates: 32 CFR Part 170 effective December 16, 2024; DFARS 252.204-7021 effective November 10, 2025; Phase 1 runs through November 9, 2026. (Primary source.)
FedRAMP Moderate Equivalency (3PAO assessment at 100%, assessment POA&Ms closed, Body of Evidence the contractor must validate) per the DoD CIO’s December 21, 2023 memo. (Primary memo.)
FIPS 140-2 → Historical List timing (active until September 21, 2026; Historical on September 22, 2026) — confirmed on NIST CSRC. (Primary source.)
CUI categories and CTI marking (CUI//SP-CTI, governed by DFARS 252.204-7012) — confirmed in the NARA CUI Registry. (Primary source.)
GCC High external-sharing limitation (shares only with other GCC High orgs; file requests unavailable) — confirmed on Microsoft Learn. (Vendor primary source.)
FedRAMP Marketplace statuses and package IDs for Microsoft 365 GCC High (FR1824057433), GCC (MSO365MT), AWS GovCloud (F1603047866), Box (F1212191840A), Kiteworks Federal Cloud (F1511167634), Kiteworks Secure Gov Cloud (FR2435353186, In Process), and Virtru (F1605037894) — checked on the FedRAMP Marketplace. (Marketplace records, as of the verification date.)
SPRS posting under DFARS 252.204-7019/-7020 (current NIST SP 800-171 DoD Assessment score). (Primary source.)

What we did not verify: private provider CRMs; non-public FedRAMP package contents; provider compensation relationships beyond our own disclosure; control-coverage counts (provider-stated); customer outcomes or assessment pass rates; whether any named product fits a specific contractor; and current vendor pricing.

CMMC compliant file sharing: frequently asked questions

Is there such a thing as a CMMC certified file-sharing product?

Not in the way buyers usually mean it. A product can support a CMMC environment, but your implementation, CUI boundary, controls, evidence, and assessment scope determine whether the file-sharing workflow is defensible. CMMC certifies organizations, not software.

What is the best CMMC compliant file-sharing tool?

There’s no universal best tool. If your problem is external transfer, start with a FedRAMP-authorized MFT or secure portal; if CUI lives across collaboration, evaluate GCC High or a secure enclave; if the workflow is narrow, an encrypted overlay may fit when the evidence is strong. The “best” tool is the one that matches your CUI flow and that you can prove.

Does CUI file sharing require FedRAMP Moderate?

If an external cloud service stores, processes, or transmits covered defense information, DFARS 252.204-7012 requires it to meet FedRAMP Moderate-equivalent security. If the service doesn’t touch CUI, the analysis changes — but it may still be an ESP in your CMMC scope.

Is FedRAMP “In Process” enough for CUI?

No. “In Process” is not the same as Authorized. Verify current Marketplace status, package scope, and your contract requirements before putting CUI into the service.

Can I use GCC High OneDrive to share CUI outside my company?

GCC High supports CUI collaboration, but external sharing is limited. Microsoft states GCC High users can share only with other GCC High organizations and that file requests aren’t available — so evaluate your recipient workflow before relying on it for outbound CUI, and expect to add a portal or encrypted overlay for external sharing.

Can I use commercial Microsoft 365, Google Drive, Dropbox, or WeTransfer for CUI?

Don’t use consumer or ordinary commercial file-sharing links for CUI unless you have authoritative evidence that the exact service, configuration, and boundary meet the requirements. For most Level 2 workflows, ad hoc commercial links create unnecessary scope and evidence risk.

Can I send CUI by encrypted email?

Encryption alone isn’t the full answer. You still need authorized recipients, access control, CUI flow control, audit logging, endpoint handling, correct marking, provider evidence, and SSP documentation. Encryption is one control among many.

Does a file-sharing tool reduce CMMC scope?

It can — but only if it actually contains the CUI workflow. If users download, sync, email, print, or re-store CUI in ordinary business systems, those systems can enter scope and erase the benefit.

Does file-sharing evidence change my SPRS score?

No tool automatically updates your SPRS score. Where DFARS 252.204-7019/-7020 apply, you must have a current NIST SP 800-171 DoD Assessment (not more than three years old) with summary-level scores posted in SPRS. A better file-sharing setup can raise your underlying score, but you still have to assess, document, and post it.

Can I send CUI in a vendor support ticket?

Don’t attach CUI to vendor support tickets unless the support boundary, support-personnel access, the provider’s CSP/ESP status, and the evidence package are verified. Support channels and the staff behind them are not automatically inside a provider’s authorization boundary.

What logs should a CMMC file-sharing system retain?

At minimum, named-user evidence for uploads, downloads, shares, permission changes, deletions, failed access attempts, administrator actions, and external-recipient activity. NIST SP 800-171 requires audit records traceable to individual users.

What should be in my SSP for file sharing?

The approved file-sharing channel, the CUI data flow, the system boundary, CSP/ESP dependencies (with CRM references), access controls, external-user controls, logging, encryption, the incident-response process, and the prohibited channels.

How do I share CUI with subcontractors?

Use an approved CUI-sharing channel, confirm recipient authorization, apply DFARS 252.204-7012 flow-down where applicable, control access, disable public links, log activity, and document the workflow. Your sub’s handling of that CUI is part of your supply-chain responsibility.

Does CMMC Level 1 require the same file-sharing controls as Level 2?

No. Level 1 is for FCI and basic safeguarding; Level 2 applies to CUI and incorporates the 110 NIST SP 800-171 Rev. 2 requirements. The first decision is always whether you handle CUI or only FCI — don’t overbuild a Level 2 environment if CUI isn’t in scope.

Does NIST SP 800-171 Rev. 3 apply to CMMC file sharing?

Not as the current CMMC Level 2 baseline. NIST published Rev. 3 in 2024, but 32 CFR Part 170 currently incorporates Rev. 2 for CMMC Level 2 unless and until DoD amends the rule. Build to Rev. 2.

What should I ask a file-sharing provider before buying?

The exact product boundary, FedRAMP Marketplace status or DoD-reviewed equivalency Body of Evidence, the CRM, the incident-reporting process, audit-log export, external-user controls, encryption/FIPS module certificate numbers, the support-access policy, and sample assessment evidence.

The bottom line — and your next step

You came here for a product. What you actually needed was a scope-and-evidence answer, and now you have it: keep CUI in one controlled channel, match the architecture to your CUI flow, encrypt with validated cryptography, document the boundary, and demand the evidence before you buy. Do that, and your next assessment gets dramatically less scary — and dramatically less expensive.

If you’re handling FCI only, start with our readiness checklist — you don’t need a Level 2 CUI environment yet. If you’re handling CUI and still not sure whether you need a transfer portal, GCC High, an enclave, or a full managed program, that’s a normal place to be, and it’s exactly the decision we can help you make with less risk.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Please keep CUI, drawings, technical data, and contract-sensitive details out of the form.

Get matched with source-checked provider options →

Related guides:

This guide is editorial analysis, not legal, contractual, export-control, or compliance advice. The Defense Compliance Report is not affiliated with, endorsed by, or sponsored by the Department of Defense, DCMA DIBCAC, NIST, FedRAMP, The Cyber AB, or any U.S. government agency.

Editorial review process · Editorial standards · Corrections · Request a quote