FedRAMP Equivalency for CMMC Cloud Providers: What Counts, What Proof You Need, and What Fails an Assessment

A prime, a Certified Third-Party Assessment Organization (C3PAO), or a new solicitation just put your cloud under a microscope, and you’re staring at three words that refuse to explain themselves: “FedRAMP Moderate equivalent.” Here’s the bottom line first — then the trap that quietly fails more assessments than any missing control.
FedRAMP equivalency for CMMC cloud providers means this: if a cloud service offering stores, processes, or transmits Controlled Unclassified Information (CUI), it must either be FedRAMP Authorized at Moderate or higher on the FedRAMP Marketplace, or meet the Department of Defense’s FedRAMP Moderate equivalency requirements — 100% of the FedRAMP Moderate controls, assessed by a FedRAMP-recognized third party, with a complete Body of Evidence. “Equivalent” is not a marketing word. No self-attestation counts.
That’s the answer. Now the part vendors gloss over, and the open question this page closes: the two paths are not equally easy. With a FedRAMP Authorized cloud, you are not on the hook for proving the provider’s security — the listing carries that. With a FedRAMP-equivalent cloud, you are — you have to obtain and validate the evidence, and you’re the one liable if the provider slips. The answer also shifts depending on whether your provider actually touches CUI (versus only logs and configuration), whether it’s a Cloud Service Provider (CSP) or a different kind of vendor, your CMMC level, and whether you handle export-controlled data. We read the December 21, 2023 DoD memo, the CMMC rule in the eCFR, the DoD’s own CMMC FAQ, the Cyber AB’s assessment procedure, and the actual FedRAMP Marketplace listings so we could put all of it on one page.
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
Which cloud setups clear the cloud-provider floor (when the exact offering and boundary match):
- Clears the floor: Microsoft 365 GCC High, Azure Government, AWS GovCloud, Google Workspace, and other Marketplace-listed government-cloud offerings at Moderate or higher. None of them make your tenant, configuration, SSP, or CMMC implementation compliant by themselves.
- Clears it with conditions: Microsoft 365 GCC (FedRAMP Moderate) for non-export-controlled CUI; a FedRAMP-equivalent encrypted overlay — but only for the slice of your environment it actually covers.
- Does not clear it: a standard commercial Microsoft 365 tenant used for CUI; any SaaS that’s merely “hosted on AWS GovCloud” but isn’t itself authorized or equivalent; encrypted CUI parked in a non-FedRAMP cloud on the theory that encryption gets you off the hook. (It doesn’t — and we’ll show you the DoD’s exact words on that below.)
The fastest way to place your cloud: four proof paths
Answer capsule: Every cloud question in CMMC resolves to one of four proof paths: FedRAMP Authorized, verified on the Marketplace; FedRAMP Moderate equivalent, proven by a third-party Body of Evidence; an in-scope External Service Provider that isn’t a CSP and is documented in your assessment; or out of scope, with a documented rationale. The vendor’s brand name matters far less than the exact service offering, the data flow, and the evidence package behind it.
| Your situation | Is FedRAMP Moderate (or higher) required? | What proves it | Where it lives in your assessment |
|---|---|---|---|
| A. The cloud service stores, processes, or transmits CUI | Yes | FedRAMP Authorized at Moderate+ (Marketplace listing) or FedRAMP Moderate equivalent (3PAO Body of Evidence) | The CSP’s status; your connecting infrastructure; the Customer Responsibility Matrix (CRM) mapped into your System Security Plan (SSP) |
| B. The cloud handles only Security Protection Data (logs, config), not CUI | No | A service description + CRM documented in your SSP | In scope as a security-protection function, assessed with you |
| C. An External Service Provider (ESP) that is not a CSP touches CUI or SPD | No | Service description, CRM, SSP integration; it may elect its own CMMC assessment to reduce your burden | Assessed as part of your scope; no separate certification required |
| D. A tool with no access to CUI or SPD (properly isolated) | No | A data-flow diagram and scope rationale proving isolation | Documented as out of scope |
This one distinction — does the service actually touch CUI? — is where most of the confusion, and most of the wasted money, starts. We’ll work through each path with the primary source behind it.
Find My CMMC Path
The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
- What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
- What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
- Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
▶ Map your cloud before you migrate or get assessed.
Tell us your level, CUI scope, cloud environment, and timeline, and Find My CMMC Path returns the provider category that fits — RPO, MSP/MSSP, CUI enclave, GRC platform, or C3PAO — before you spend a dollar. No CUI. No drawings. No sensitive contract details.
Find My CMMC Path →
What does FedRAMP equivalency for CMMC cloud providers actually mean?
Answer capsule: FedRAMP equivalency is a Department of Defense acceptance path that lets a cloud service offering support CUI even when it isn’t FedRAMP Authorized on the Marketplace, provided it meets DoD’s defined equivalency standard. The decisive difference from FedRAMP Authorization is visibility and burden: an authorized service is publicly listed and FedRAMP has assessed it, while an equivalent service depends on a complete, current Body of Evidence that you have to hold and a C3PAO can review.
Three things sit underneath every cloud decision in CMMC. They’re easy to blur, so we’ll keep them separate.
FedRAMP (the Federal Risk and Authorization Management Program) is the government’s “do it once, reuse it many times” program for assessing the security of cloud services. A cloud service offering that completes it is listed on the FedRAMP Marketplace at an impact level — Low, Moderate, or High.
CMMC (the Cybersecurity Maturity Model Certification program) doesn’t replace FedRAMP. It references it — and the obligation comes from two places, not one. DFARS 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”) creates the external-CSP duty: if you use an external cloud provider to store, process, or transmit covered defense information, you must “require and ensure” the provider meets security requirements equivalent to the FedRAMP Moderate baseline and supports the incident-reporting obligations in paragraphs (c) through (g) (DFARS 252.204-7012, Acquisition.gov). And 32 CFR Part 170 — the CMMC Program Rule itself — builds the FedRAMP-Moderate-or-equivalent requirement directly into CMMC Level 2 and Level 3 cloud scoping (32 CFR Part 170, eCFR). So the cloud requirement reaches you through the contract clause and through the CMMC rule. See also: DFARS 252.204-7012 explained.
For years, “equivalent” was a fog. Vendors filled it with whatever they had — a SOC 2 report, an ISO 27001 certificate, a security questionnaire, or a confident sentence in a sales deck. The DoD ended that on December 21, 2023, with a CIO memo titled FedRAMP Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings (DoD CIO memo, PDF). It defined the bar — and it’s higher than most contractors expected.
The distinction in plain English:
- FedRAMP Authorized / Certified (on the Marketplace) — FedRAMP has assessed the offering and listed it at Moderate or High. Publicly verifiable.
- FedRAMP Moderate equivalent — not a FedRAMP status. It’s a DoD acceptance path under DFARS 252.204-7012 and 32 CFR Part 170. The memo is explicit that equivalency does not confer a FedRAMP authorization.
- FedRAMP Ready / FedRAMP In Process / Agency Authorization In Process — real Marketplace lifecycle stages, but not the same as a finished authorization, and you should not treat them as equivalent for CUI without confirming the specific situation against current DoD guidance.
A terminology heads-up, because the Marketplace itself changed during FedRAMP’s 2024–2026 modernization (more on that near the end). Depending on the offering, a Marketplace listing now shows its status as either “FedRAMP Authorized” (with an Impact Level of Low, Moderate, or High) or “FedRAMP Certified” (with a Certification Class of A–D — a measure of documentation and ongoing commitment — shown with the impact level in parentheses, e.g., Class C (Moderate), Class D (High)). For your purposes they describe the same thing: a finished FedRAMP authorization at a given impact level. DoD and CMMC policy language still says “FedRAMP Authorized at Moderate or higher.” Keep reading — the burden behind that phrase is the whole game.
FedRAMP Authorized vs FedRAMP equivalent: who carries the proof — and the liability?
Answer capsule: Both paths can satisfy CMMC, but they distribute responsibility very differently. With a FedRAMP Authorized/Certified cloud, you do not have to run a FedRAMP-equivalency assessment of the provider or hold its Body of Evidence. With a FedRAMP-equivalent cloud, you must obtain and validate that Body of Evidence and you are responsible for the provider’s compliance, including in a security incident. Equivalency is the heavier lift, not the lighter one.
The CMMC Program Rule states the split cleanly: if you’re using a FedRAMP Authorized CSP at Moderate or higher, you are not responsible for the CSP’s compliance; if the CSP is not FedRAMP Authorized, you are responsible for determining whether it meets FedRAMP Moderate equivalency (32 CFR Part 170, eCFR).
“Not responsible” does not mean “nothing to do.” Even with an authorized cloud, you still must confirm that the exact cloud service offering in your SSP is the one listed (at the right status and impact level), map the Customer Responsibility Matrix into your SSP, and implement your share of the shared controls. What you avoid is having to prove the provider’s security yourself. With equivalency, that proof — and the liability — is yours.
What equivalency requires — and who proves what
| Requirement (DoD CIO memo, Dec 21, 2023) | What the rule states | Who must produce it | What you must validate |
|---|---|---|---|
| 100% compliance | The offering must meet 100% of the controls in the current FedRAMP Moderate baseline — built on NIST SP 800-53 Rev. 5, a far larger control set than the 110 requirements in NIST SP 800-171 Rev. 2 — with no control-related findings | The CSP | That the assessment covered the full, current Moderate baseline, not a convenient subset |
| 3PAO assessment | Assessed by a FedRAMP-recognized Third-Party Assessment Organization (3PAO). No self-attestation. SOC 2, ISO 27001, and vendor questionnaires don’t qualify | The CSP + a 3PAO | That a named, FedRAMP-recognized 3PAO performed it — not the vendor’s own internal audit |
| Body of Evidence (BoE) | A complete package: System Security Plan, Security Assessment Plan, Security Assessment Report, Plan of Action & Milestones, continuous-monitoring evidence, and penetration-test results | The CSP | That the BoE is complete and current — and that you can hand it to DCMA DIBCAC on request |
| No open assessment POA&Ms | Findings from the equivalency assessment must be closed; the memo references “operational” items but does not fully define the threshold | The CSP + 3PAO | That equivalency findings are closed; treat the “operational” gray area cautiously until DoD clarifies |
| DFARS (c)–(g) support | The CSP must support cyber-incident reporting, malicious-software handling, media preservation, forensic access, and damage assessment | The CSP, contractually | That your agreement actually requires these — many commercial clouds won’t give you forensic access |
| “Require and ensure” | The contractor is responsible for the CSP’s compliance and is liable in an incident | You | That you’ve contractually bound the provider and kept the evidence |
Sources: DoD CIO FedRAMP Moderate Equivalency memo (Dec 21, 2023); DFARS 252.204-7012.
One clarification that saves arguments later: don’t confuse the CMMC assessment with the full DFARS 252.204-7012 contract obligation. CMMC assesses the applicable CMMC requirements and your cloud-scoping evidence; the DFARS 7012 (c)–(g) incident-reporting and forensic obligations remain a separate contract duty that matters whenever you use an external CSP for covered defense information.
The honest part: equivalency is usually the harder road, not the shortcut
Here’s the admission, because you deserve the unvarnished version. “FedRAMP equivalent” sounds like the cheaper, faster alternative to a real FedRAMP authorization. In practice it is often more demanding and riskier — and there is no DoD “approved equivalent cloud” list to point to.
Why riskier? A genuine FedRAMP authorization can be granted with some open Plan of Action & Milestones items and less than 100% of controls fully closed — an authorizing official makes a risk-based call. The DoD’s equivalency bar gives you no such grace: it demands 100% compliance with the assessment findings closed. And unlike an authorized service, where FedRAMP carries the verification, equivalency puts the proof and the liability on you. If your “equivalent” CSP lets a control lapse and you can’t produce the evidence, that’s your finding, not theirs.
That sounds discouraging. It isn’t — it’s clarifying, and it usually saves you money. Once you see the burden honestly, the smart move is obvious: if a clean, Marketplace-listed authorized service fits your workload, it’s almost always the lower-friction path to a passing assessment. And if your CUI footprint is genuinely small — a handful of drawings from one prime — you may not need to FedRAMP your whole company at all. A tightly scoped CUI enclave or a FedRAMP-equivalent encrypted overlay can isolate the CUI and shrink the problem. That’s a provider-category decision, and it’s exactly the kind of call we help you frame.
▶ Worried a vendor’s “FedRAMP equivalent” claim won’t survive your assessment?
Before you accept it or rip it out, map the workload in Find My CMMC Path. We’ll point you to whether you need an RPO/RP review, a CUI enclave, managed compliance, or assessment-readiness help — so you fix the right thing once. Use sanitized descriptions only. Do not submit CUI, drawings, or sensitive contract details.
Find My CMMC Path →
When is FedRAMP Moderate (or equivalent) actually required for CMMC?
Answer capsule: FedRAMP Moderate or DoD equivalency is triggered when an external cloud service offering stores, processes, or transmits CUI for a CMMC-scoped system. It is not triggered by every vendor, every Managed Service Provider, or every security tool. The deciding questions are whether the service is a CSP handling CUI, whether it instead handles only Security Protection Data, and whether it’s a different kind of External Service Provider that’s simply assessed as part of your scope.
The CMMC rule does not treat all cloud the same way, and the difference is worth real money. Here’s the regulatory backing for each of the four proof paths.
Path A — the CSP handles CUI. For both Level 2 self-assessment and Level 2 certification, 32 CFR Part 170 says a CSP used to process, store, or transmit CUI must be FedRAMP Authorized at Moderate or higher, or meet FedRAMP Moderate equivalency in accordance with DoD policy. Your on-premises infrastructure that connects to that cloud is in your assessment scope, and the Customer Responsibility Matrix must be reflected in your SSP (32 CFR §170.16–.17, eCFR).
Path B — the cloud handles only Security Protection Data. The CMMC rule defines an ESP around whether CUI or Security Protection Data (think log data, configuration data) is processed, stored, or transmitted on the provider’s assets (32 CFR §170.4, eCFR). A cloud that handles only SPD — not CUI — does not need FedRAMP, but it’s documented in your SSP with a service description and CRM.
Path C — a non-CSP ESP. An ESP that isn’t a cloud provider is assessed as part of your scope and does not automatically need its own CMMC certification.
Path D — a properly isolated tool. If a tool genuinely doesn’t touch CUI or SPD, you document why it’s out of scope.
A quick word on levels, because blurring them is a classic and expensive mistake:
- Level 1 (FCI only): Built on the basic safeguarding requirements in FAR 52.204-21; annual self-assessment. Generally not where the FedRAMP-equivalency problem lives, though your specific contract still controls. (See CMMC Level 1 vs Level 2 vs Level 3.)
- Level 2 (CUI): Maps to NIST SP 800-171 Rev. 2 — 110 requirements across 14 control families (NIST SP 800-171 Rev. 2). Either a self-assessment or a C3PAO assessment every three years, set by the contract clause. DoD currently uses Rev. 2 for CMMC; don’t let anyone substitute Rev. 3 unless and until DoD amends the rule.
- Level 3 (the most sensitive CUI): Builds on Level 2 and adds 24 selected requirements from NIST SP 800-172 — 134 requirements in total — assessed by DCMA DIBCAC (the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center), not a C3PAO. Level 3 is not “Level 2 plus FedRAMP High.” The cloud still needs a valid authorized-or-equivalent proof path; the level is about your controls and assessor, not the cloud’s badge.
A real, sourced example of why this isn’t theoretical. The advisory firm Baker Tilly described a contractor that checked the FedRAMP Marketplace for each in-scope CSP and, for any unlisted ones, requested the equivalency Body of Evidence. One provider had most of the BoE — but it inherited some FedRAMP requirements from its underlying Azure platform and fell short of 100% compliance, which Baker Tilly notes would lead to a failed DIBCAC assessment (Baker Tilly). “Mostly compliant” is not equivalent. Hold that thought for the matrix.
Does your cloud qualify? The CMMC Cloud Proof Matrix
Answer capsule: No major cloud environment is automatically “CMMC compliant,” and none of them make you compliant. FedRAMP-authorized infrastructure underneath a service does not authorize the service on top of it. The right question is never “is this vendor authorized?” but “is the specific offering I use authorized or equivalent at Moderate or higher, and what am I still responsible for?”
We verified the status fields below directly on the FedRAMP Marketplace in June 2026. Treat the matrix as a snapshot — FedRAMP is modernizing, and listings change, so confirm your exact offering before you rely on it.
| Cloud offering | FedRAMP Marketplace status (verified June 2026) | Package ID | Clears the CUI cloud floor? | What still falls on you | The most common mistake |
|---|---|---|---|---|---|
| Microsoft 365 GCC High | FedRAMP Certified, Class D (High) — as of 12/26/2024 | FR1824057433 | Yes — High exceeds Moderate. Microsoft states GCC High supports ITAR/EAR and DoD SRG Impact Level 4/5 (verify for your tenant) | Tenant configuration; your share of the 110 NIST 800-171 R2 requirements; CRM → SSP; (c)–(g) support; evidence | Assuming GCC High = an automatic pass. It makes you eligible; your configuration and documentation are still assessed |
| Microsoft 365 GCC (Government Community Cloud & Supporting Services) | FedRAMP Authorized, Impact Level Moderate — as of 11/20/2014 | MSO365MT | Floor only — meets FedRAMP Moderate for covered services inside the authorized boundary; built on Azure Commercial, not the U.S.-person-restricted Government cloud, so it isn’t appropriate for ITAR/EAR data | Verifying covered services, boundary, CRM, and whether export-control or agency requirements push you to GCC High | Putting export-controlled CUI in GCC; treating “Moderate” as “done” |
| Azure Government (includes Dynamics 365) | FedRAMP Authorized, Impact Level High — as of 4/29/2020 | F1603087869 | Platform yes — but what you build on it is yours and may need its own assessment | Almost everything above the platform (shared responsibility); verify any DoD SRG impact-level coverage in Microsoft’s documentation | Believing your app inherits the platform’s authorization |
| AWS GovCloud (US) | FedRAMP Authorized at the High impact level (authorized since 2016) | F1603047866 | Platform yes — per AWS, supports ITAR and DoD SRG Impact Levels 2, 4, and 5. The collaboration layer you add is yours; SaaS on top isn’t auto-authorized | Operating system, apps, configuration, productivity tooling, evidence; verify the specific services in the boundary | Treating “we’re on GovCloud” as a complete CUI answer |
| Google Workspace | FedRAMP Certified, Class D (High) — as of 10/28/2021 | F1206081364 | Can — for covered Workspace editions and services inside the authorized boundary; the base authorization does not mean your configuration is compliant | Applying Google’s FedRAMP High configuration; verifying covered editions/services, U.S.-person access for export-controlled data, CRM, and evidence | Assuming base Workspace authorization covers your CUI configuration |
| Standard commercial Microsoft 365 / Office 365 (a global commercial tenant, not GCC, GCC High, or DoD) | Not within a government-cloud authorized boundary for CUI | — | No — don’t treat it as CUI-ready merely because Microsoft holds FedRAMP packages for other environments; verify your exact tenant, package, and boundary | N/A — using a standard commercial tenant for CUI is a finding | “Our security settings are strong enough.” The environment/boundary, not the settings, is the problem |
| Encrypted overlay claiming DoD FedRAMP Moderate equivalency | Equivalency is a DoD path, not a Marketplace listing | — | Only if that exact offering has a complete, current equivalency Body of Evidence for the boundary that touches CUI — and only for the service it covers (e.g., email + file sharing), not your whole environment | Holding and validating the BoE; everything outside the overlay’s scope (endpoints, other apps); CRM/SSP; (c)–(g). Treat any DIBCAC-validation claim as provider-stated until you verify it | Assuming an overlay covers your entire CUI footprint |
| Generic SaaS “built on AWS GovCloud / Azure Gov” | The infrastructure’s authorization does not transfer to the SaaS | (the SaaS has its own, if any) | Only if the SaaS itself is authorized or 3PAO-assessed equivalent | Get the SaaS’s own evidence | The single biggest one: “it’s hosted in GovCloud, so it’s FedRAMP.” False. |
“Hosted on GovCloud” is not “FedRAMP authorized” — here’s a verifiable example
This is the trap that quietly fails assessments. A SaaS or security tool may run on AWS GovCloud or Azure Government, but if that application is the thing storing, processing, or transmitting your CUI, the application itself needs its own proof path. Infrastructure authorization does not authorize every product built on top of it.
You can see this on the Marketplace itself. AWS GovCloud (US) is its own FedRAMP package (F1603047866). Snowflake’s “Data Cloud on AWS GovCloud” is a separate FedRAMP package (FR2308159208, FedRAMP Certified, Class D (High)) — it does not ride on AWS GovCloud’s authorization; Snowflake had to earn its own. The Baker Tilly example above is the same lesson in the wild: a provider leaning on inherited Azure controls, short of the 100% the equivalency bar demands. When a vendor points at the data center, ask about the offering.
Screenshot these before your assessment
Build a small evidence file for every CUI cloud you rely on. For each offering, capture: the Marketplace product name, package ID, status (Authorized/Certified), impact level or certification class, authorization date, the covered services / boundary, the Marketplace URL, and the date you captured it. An assessor wants to see the specific offering documented in your SSP — not a logo, and not the vendor’s word.
Two company-stated proof points worth knowing (and verifying)
We don’t endorse providers, but two market facts are useful context — both company-stated, both worth confirming directly:
- PreVeil states it was the first CSP to have its 3PAO Body of Evidence reviewed and validated by DIBCAC under the December 2023 memo (PreVeil). Treat that as the vendor’s claim; if it’s in your scope, request the equivalency evidence and confirm the current status yourself.
- Microsoft states that GCC High and Azure Government completed a DIBCAC Joint Surveillance assessment (with assessor Redspin) at a perfect 110-point score, to convert to a CMMC Level 2 status as rulemaking allows (Microsoft). Again, company-stated — verify the specific service boundary you use.
Can encrypted CUI live in a non-FedRAMP cloud?
Answer capsule: No — not merely because it’s encrypted. The DoD’s CMMC FAQ is explicit: if you use an external CSP to store encrypted CUI, you must still require and ensure the CSP meets FedRAMP Moderate (or equivalent) security requirements. Encryption protects confidentiality, but it does not decontrol the data or remove the cloud from FedRAMP scope.
This is one of the most expensive misconceptions in the DIB, so we went to the source. In Section E of the DoD CMMC FAQ, the question is asked directly — can a non-FedRAMP-Moderate cloud service offering store encrypted CUI? — and the answer is no: a contractor using an external CSP to store encrypted CUI must require and ensure the CSP meets FedRAMP Moderate equivalency. The DoD reinforced this in its 2025–2026 FAQ updates, confirming that CUI remains controlled until it is formally decontrolled, regardless of encryption state.
Why this stings: a lot of organizations used encryption as a scoping workaround — parking encrypted CUI on a system that otherwise doesn’t meet the security requirements, and assuming the ciphertext made the platform irrelevant. The DoD has now closed that door explicitly. If you discover you’ve been doing this, you don’t just have a control gap — you have a scoping gap, and that often means a different architecture, not a quick fix.
What this means practically for secure file sharing and encrypted collaboration:
- Some encrypted tools have a FedRAMP authorized government offering — verify the exact one.
- Some rely on the equivalency path — ask for the Body of Evidence.
- Some are great for non-CUI or out-of-scope workflows but not for CUI.
- Strong encryption is necessary, not sufficient. The CSP still needs Moderate-or-equivalent.
Before you put CUI in any encrypted service, ask: Is the provider a CSP? Does it store CUI (encrypted or not)? Is the exact offering FedRAMP authorized at Moderate or higher? If not, is there a complete DoD equivalency BoE? Who controls the keys? What does the CRM say? Is the service in your SSP and data-flow diagram?
▶ Using encrypted storage or collaboration for CUI and unsure the evidence holds?
Map the workflow in Find My CMMC Path before you move more CUI into that system. We’ll help you tell the difference between a control gap and a scoping gap — and route you to the CUI enclave, MSP/MSSP, or readiness category that fixes it. No CUI, drawings, or sensitive contract details.
Find My CMMC Path →
Is my MSP a CSP?
Answer capsule: Not automatically. Per the DoD CMMC FAQ, the answer turns on the relationship: if the cloud tenant is subscribed or licensed to you (even if your Managed Service Provider resells it) and the MSP simply administers it, the MSP is not a CSP. If the MSP contracts with the cloud provider and modifies the underlying service, the MSP may itself be a CSP and must meet FedRAMP or equivalency requirements.
Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) are where a cloud question quietly becomes a scoping question. The DoD FAQ’s Section E walks the scenarios, and we’ll follow it.
- You own the tenant; the MSP administers it. The MSP is generally not the CSP. It may be an External Service Provider / security-protection function if it has administrative access to CUI systems or handles Security Protection Data — and in that case it’s assessed as part of your scope. The CSP proof path still attaches to the underlying cloud offering.
- The MSP resells but doesn’t modify the service. Still not a CSP, per the FAQ — the licensing relationship to you is what matters, not who clicks the admin buttons.
- The MSP contracts with the CSP and modifies the base service. Now the MSP may be a CSP, and that modified offering needs its own FedRAMP authorization or equivalency.
- The MSP/MSSP handles Security Protection Data but no CUI. It’s an ESP, assessed within your scope, and does not require its own CMMC certification.
- The MSP handles CUI directly. Higher-stakes scoping question — document the relationship, access, and responsibilities precisely, and confirm whether its own CMMC status is relevant.
A point many contractors miss, also from the FAQ: an MSP that stores your CUI in a system it provides (and that isn’t a cloud offering) does not need its own CMMC assessment, but its systems fall inside your scope and must meet the applicable requirements. An ESP may elect its own self-assessment or certification; if it uses that certification to simplify your assessment, the ESP’s level and assessment type should be the same or higher and cover the ESP assets in your scope.
A four-question decision tree
- Does the provider store, process, or transmit CUI? → Yes: CSP/ESP evidence path. No: keep going.
- Does it handle Security Protection Data (logs, config)? → Yes: ESP / security-protection path, documented in your SSP. No: likely out of scope — document the rationale.
- Who holds the cloud license? → You (the customer): the MSP can administer without being the CSP. The MSP (and it modifies the service): the MSP may be the CSP.
- Is the exact offering on the FedRAMP Marketplace? → Yes: verify the listing. No: request the BoE or change the path.
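The four proof paths from the table near the top of this page and the four-question decision tree just above, carried through as a small classifier you can run over a provider inventory. This is an added example written for this page, not code from The Defense Compliance Report or from any cloud provider or assessor. The Service record, its field names, the treatment of Marketplace lifecycle stages, and the sample inventory are assumptions constructed to illustrate the rules the page cites; the one real package ID (FR1824057433 for Microsoft 365 GCC High) is copied from the matrix above, and every other inventory entry is hypothetical.

```python
"""Place each cloud or service provider on one of the four CMMC cloud proof paths.

Added example for this page, not the publication's code. It encodes the rules the
page cites from 32 CFR Part 170, the DoD CIO equivalency memo, and the DoD CMMC FAQ:
  A  CSP touches CUI          -> FedRAMP Authorized/Certified at Moderate+ under its OWN
                                 package, or a complete, closed DoD equivalency BoE
  B  SPD only (logs, config)  -> no FedRAMP requirement; service description + CRM in SSP
  C  non-CSP ESP touches CUI  -> assessed inside your scope
  D  touches neither          -> out of scope, documented rationale
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ProofPath(Enum):
    A_CSP_CUI = "A"
    B_SPD_ONLY = "B"
    C_NON_CSP_ESP = "C"
    D_OUT_OF_SCOPE = "D"


IMPACT_RANK = {"Low": 1, "Moderate": 2, "High": 3}
# Only finished authorizations count; Ready / In Process are lifecycle stages, not a pass.
FINISHED_STATUSES = {"FedRAMP Authorized", "FedRAMP Certified"}


@dataclass
class Service:
    """Assumed inventory record; the field names are this example's, not a DoD schema."""
    name: str
    touches_cui: bool = False
    touches_spd: bool = False
    is_cloud_offering: bool = False             # the vendor itself provides the cloud service
    customer_holds_license: bool = True         # tenant is subscribed/licensed to you, not the MSP
    msp_modifies_service: bool = False          # MSP holds the cloud contract and alters the base service
    marketplace_status: Optional[str] = None    # e.g. "FedRAMP Certified"
    impact_level: Optional[str] = None          # "Low" | "Moderate" | "High"
    package_id: Optional[str] = None            # the offering's OWN package, never the platform's
    hosted_on_authorized_platform: bool = False  # tracked only to show that it changes nothing
    boe_complete: bool = False                  # SSP, SAP, SAR, POA&M, ConMon, pen test present and current
    findings_closed: bool = False               # 3PAO equivalency findings corrected and validated closed


def acts_as_csp(svc: Service) -> bool:
    """DoD FAQ Section E: an MSP is the CSP only if it holds the cloud contract AND modifies the service."""
    return svc.is_cloud_offering or (not svc.customer_holds_license and svc.msp_modifies_service)


def classify(svc: Service) -> ProofPath:
    """Questions 1-3 of the decision tree: touches CUI? touches SPD? who is the CSP?"""
    if not svc.touches_cui and not svc.touches_spd:
        return ProofPath.D_OUT_OF_SCOPE
    if svc.touches_cui:
        return ProofPath.A_CSP_CUI if acts_as_csp(svc) else ProofPath.C_NON_CSP_ESP
    return ProofPath.B_SPD_ONLY


def clears_cui_cloud_floor(svc: Service) -> tuple:
    """Question 4 for Path A: listed at Moderate+ under its own package, else a complete, closed BoE."""
    listed = (svc.marketplace_status in FINISHED_STATUSES
              and IMPACT_RANK.get(svc.impact_level or "", 0) >= IMPACT_RANK["Moderate"]
              and bool(svc.package_id))
    if listed:
        return True, f"{svc.marketplace_status} at {svc.impact_level}, package {svc.package_id}; map the CRM into your SSP"
    if svc.boe_complete and svc.findings_closed:
        return True, "DoD FedRAMP Moderate equivalency: you hold the BoE and carry the liability"
    if svc.boe_complete:
        return False, "BoE present but findings still open: 'mostly compliant' is not equivalent"
    if svc.hosted_on_authorized_platform:
        return False, "runs on an authorized platform but has no package or BoE of its own: a finding"
    return False, "no Marketplace listing at Moderate+ and no equivalency BoE: a finding"


def evaluate(svc: Service) -> dict:
    """Full verdict: the path, whether the CUI floor is cleared (Path A only), and what to document."""
    path = classify(svc)
    verdict = {"service": svc.name, "path": path.value, "clears_floor": None, "note": ""}
    if path is ProofPath.A_CSP_CUI:
        verdict["clears_floor"], verdict["note"] = clears_cui_cloud_floor(svc)
    elif path is ProofPath.B_SPD_ONLY:
        verdict["note"] = "no FedRAMP requirement; service description + CRM documented in the SSP"
    elif path is ProofPath.C_NON_CSP_ESP:
        verdict["note"] = "assessed inside your scope; the underlying cloud offering still needs its own Path A proof"
    else:
        verdict["note"] = "out of scope; keep the data-flow diagram and isolation rationale"
    return verdict


# Constructed sample inventory. The GCC High package ID is the one shown in the matrix on this
# page; every other entry is hypothetical.
SAMPLE_INVENTORY = [
    Service("Microsoft 365 GCC High tenant", touches_cui=True, is_cloud_offering=True,
            marketplace_status="FedRAMP Certified", impact_level="High", package_id="FR1824057433"),
    Service("Hypothetical SaaS 'hosted on GovCloud'", touches_cui=True, is_cloud_offering=True,
            hosted_on_authorized_platform=True),
    Service("Hypothetical encrypted overlay, findings open", touches_cui=True, is_cloud_offering=True,
            boe_complete=True, findings_closed=False),
    Service("MSP administering our own tenant", touches_cui=True, customer_holds_license=True),
    Service("Hypothetical log pipeline (SPD only)", touches_spd=True),
    Service("Isolated marketing CRM"),
]

if __name__ == "__main__":
    for svc in SAMPLE_INVENTORY:
        v = evaluate(svc)
        print(f"[{v['path']}] {v['service']}: clears_floor={v['clears_floor']} :: {v['note']}")
```

Run it as a script to see the verdict for each sample entry. The design point is in `clears_cui_cloud_floor`: `hosted_on_authorized_platform` never contributes to a pass, so a SaaS riding on GovCloud or Azure Government falls through to a finding unless it carries its own package ID or its own equivalency Body of Evidence, and a BoE with open findings fails exactly as the Baker Tilly example on this page describes.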
▶ This is where a software question becomes a provider-category question.
If you can’t cleanly answer “is my MSP a CSP, an ESP, or out of scope?”, Find My CMMC Path will tell you whether your next move is an RPO/RP, an MSP/MSSP, a CUI enclave, a GRC platform, or a C3PAO conversation. Sanitized inputs only — no CUI.
Find My CMMC Path →
What proof should you request before you sign or get assessed?
Answer capsule: For a FedRAMP authorized service, request the exact Marketplace listing, the impact level or certification class, the package ID, the authorized service boundary, and the Customer Responsibility Matrix. For an equivalent service, request the full Body of Evidence — the SSP, Security Assessment Plan, Security Assessment Report, continuous-monitoring artifacts, CRM, and confirmation that the 3PAO-assessment findings are closed. Vendor marketing language is not evidence; the package is.
You don’t need to take anyone’s word for it — you need documents. Copy the questions below into an email to your provider.
If the provider is FedRAMP authorized/certified:
| Ask for this | Why it matters |
|---|---|
| The FedRAMP Marketplace listing for the specific offering | Confirms the public status of the service you actually use |
| Package ID and impact level / certification class | Distinguishes Moderate vs High and the exact package |
| The authorized service boundary | Prevents you from using an unauthorized module or region |
| The Customer Responsibility Matrix (CRM) | Shows which controls are yours to implement |
| Guidance for placing the offering in your SSP | Helps you document the cloud correctly |
| Incident-support commitments | Connects the service to DFARS 252.204-7012 (c)–(g) |
If the provider claims FedRAMP Moderate equivalency:
| Ask the provider | What you’re confirming |
|---|---|
| “Can you provide the SSP for this specific service boundary?” | The offering is actually documented |
| “Which controls are provider-, customer-, or shared-responsibility?” (CRM) | You know what you still own |
| “Was the assessment against the current FedRAMP Moderate baseline?” | Not a stale or partial baseline |
| “Can you share the 3PAO Security Assessment Report?” | A FedRAMP-recognized 3PAO did the work |
| “Are the assessment POA&M items corrected and validated closed?” | You meet the 100% bar |
| “Do you maintain continuous monitoring with monthly summaries?” | Equivalency isn’t a one-time snapshot |
| “How do you support DFARS 252.204-7012 (c)–(g)?” | Incident reporting and forensic access are covered |
One safety rule, stated plainly: do not upload CUI, drawings, contract documents, credentials, SSPs, or Body-of-Evidence artifacts through public web forms or AI prompts. Use sanitized descriptions until you have an NDA, a secure transfer method, and a real provider relationship in place.
▶ Got a “FedRAMP equivalent” claim but no package yet?
Tell us your level, scope, and timeline, and we’ll match you with the provider category that can review the evidence path — RPO/RP, MSP/MSSP, CUI enclave, or GRC — before you spend on the wrong fix. Start at Find My CMMC Path. No CUI, drawings, or sensitive details.
Find My CMMC Path →
What goes in your SSP, asset inventory, network diagram, and CRM?
Answer capsule: Your assessment evidence has to show which cloud services touch CUI, which provide security protections, which assets are in scope, and who is responsible for which controls. 32 CFR Part 170 requires an asset inventory, a System Security Plan, and network diagrams for in-scope assets, and the Customer Responsibility Matrix is what ties shared cloud controls back to you.
This is where a clean cloud decision becomes a clean assessment. The CMMC Level 2 scoping requirements in 32 CFR §170.19 drive what you document. Keep it concrete:
- SSP, for each cloud provider: service name and offering; FedRAMP package ID or equivalency BoE reference; whether it handles CUI or Security Protection Data; region/environment; identity and access integration; encryption and key management; logging and monitoring; incident-reporting support; a link to the CRM; and a reference to the data-flow diagram.
- Asset inventory: CUI assets; Security Protection Assets; specialized assets; contractor-risk-managed assets; and out-of-scope assets with a documented rationale.
- Network / data-flow diagram: where CUI enters, is stored, and moves; cloud service boundaries; MSP and admin access; SIEM/MDR/GRC integrations; backup paths; and encrypted-storage locations.
- CRM: provider-responsible controls; customer-responsible controls; shared controls; the evidence owner for each; and the limits of any inherited control.
If your provider can’t or won’t give you a CRM, that’s not a paperwork inconvenience — it’s a gap. Without it, you can’t show an assessor which controls you inherited versus which you operate, and “we assume the cloud handles that” is exactly the kind of answer that produces a finding.
How a C3PAO actually checks your cloud evidence
Answer capsule: A C3PAO does not turn your CMMC assessment into a FedRAMP assessment. Under the Cyber AB’s CMMC Assessment Process, the team verifies a FedRAMP Marketplace authorization for authorized clouds, and for equivalent clouds it reviews the Body of Evidence to confirm it is complete, intact, and within its required periodicity. It does not re-test FedRAMP conformance or qualitatively grade the evidence — but you still own the risk if the evidence is thin.
This is the part almost no competitor cites precisely, so we read the procedure. The Cyber AB CMMC Assessment Process (CAP) v2.0, at section 2.21, addresses cloud environments that may not hold FedRAMP authorizations and instead meet equivalency (Cyber AB, CAP v2.0). Here’s what the assessor does — and doesn’t do.
For FedRAMP authorized CSPs: the assessment team verifies the authorization through the FedRAMP Marketplace and confirms the specific cloud service offering documented in your SSP is listed at the relevant status and impact level.
For FedRAMP-equivalent CSPs: the team determines whether equivalency was attained under DoD CIO policy and then verifies that the Body of Evidence is complete, intact, and within periodicity — defined in the CAP as:
- Complete — you present all required BoE elements for review.
- Intact — each element is whole, not missing sections, pages, or material information.
- Within periodicity — elements with time requirements were completed inside their specified timeframe.
What the assessor is not doing (CAP §2.21.2): the team is not evaluating the offering’s conformance to the FedRAMP standard, and it is not conducting a qualitative examination of any BoE element, including testing results. The review only confirms the BoE is complete, intact, and within periodicity.
Read that twice, because it cuts both ways. The good news: your C3PAO won’t re-run a FedRAMP assessment on your vendor. The hard news: “complete, intact, and within periodicity” is a real bar. A BoE missing its Security Assessment Report, or whose continuous-monitoring evidence has lapsed, fails the check — and the responsibility traces back to you, the contractor who “required and ensured” it. That’s why the request checklist above isn’t busywork. It’s the difference between walking into your assessment with a clean package and walking in with a vendor’s slogan.
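The three CAP criteria above can be pre-checked on your own side before the C3PAO sees the package. The following is an added example, not code from the page, the Cyber AB, or any provider: it walks a constructed package index and reports which required element is missing (not complete), short of its declared page count (not intact), or older than its window (out of periodicity). The required-element list follows the page's request checklist; the manifest format, the declared page counts, and the annual windows for the SAR and pen-test results are assumptions for illustration, while the monthly ConMon window follows the page's own checklist question.

```python
"""Pre-check a FedRAMP-equivalency Body of Evidence against the CAP §2.21
criteria (complete, intact, within periodicity) before a C3PAO does.

Added example, not the page's or the Cyber AB's code. The required-element
list follows the page; the manifest format and periodicity windows are
assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Required BoE elements (from the page's request checklist and FAQ answer).
REQUIRED_ELEMENTS = {"SSP", "SAP", "SAR", "CONMON", "POAM", "CRM", "PENTEST"}

# Assumed periodicity windows in days. Monthly ConMon summaries follow the
# page's checklist; the annual windows for SAR and PENTEST are assumptions.
PERIODICITY_DAYS = {"CONMON": 31, "SAR": 365, "PENTEST": 365}


@dataclass(frozen=True)
class Element:
    kind: str            # one of REQUIRED_ELEMENTS
    pages: int           # page count actually delivered
    expected_pages: int  # page count declared in the package index (assumed)
    completed: date      # date the artifact was completed


def check_boe(elements, as_of):
    """Return findings keyed by the three CAP criteria.
    Empty lists on every key mean the package passes the pre-check."""
    findings = {"not_complete": [], "not_intact": [], "out_of_periodicity": []}
    present = {e.kind for e in elements}
    # Complete: every required element is presented for review.
    findings["not_complete"] = sorted(REQUIRED_ELEMENTS - present)
    for e in elements:
        # Intact: the element is whole, not missing pages or sections.
        if e.pages <= 0 or e.pages < e.expected_pages:
            findings["not_intact"].append(e.kind)
        # Within periodicity: time-bound elements are inside their window.
        window = PERIODICITY_DAYS.get(e.kind)
        if window is not None and as_of - e.completed > timedelta(days=window):
            findings["out_of_periodicity"].append(e.kind)
    return findings


def passes(findings):
    """True only when no criterion produced a finding."""
    return not any(findings.values())


# Constructed sample package index: SAP missing, CRM truncated, ConMon lapsed.
SAMPLE_PACKAGE = [
    Element("SSP", 412, 412, date(2025, 9, 2)),
    Element("SAR", 88, 88, date(2025, 10, 14)),
    Element("CONMON", 6, 6, date(2025, 11, 30)),
    Element("POAM", 3, 3, date(2026, 1, 5)),
    Element("CRM", 9, 14, date(2025, 9, 2)),
    Element("PENTEST", 40, 40, date(2025, 10, 1)),
]

if __name__ == "__main__":
    result = check_boe(SAMPLE_PACKAGE, as_of=date(2026, 1, 15))
    for criterion, items in result.items():
        print(f"{criterion}: {items or 'ok'}")
    print("passes:", passes(result))
```

Run it against your provider's actual package index (with the page counts and dates the provider supplies) and resolve every finding with the provider before the assessment date.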
Is FedRAMP itself changing? What FedRAMP 20x means for you
Answer capsule: Yes — FedRAMP is in the middle of its biggest overhaul, but the DoD equivalency standard has not changed. OMB Memorandum M-24-15 (July 2024) replaced the original 2011 FedRAMP policy, the Joint Authorization Board was dissolved in favor of a FedRAMP Board, and the FedRAMP 20x initiative (announced March 2025) is moving authorizations toward automation. What’s shifting is how a provider gets authorized and how the Marketplace is labeled; the 100%-of-Moderate, 3PAO-assessed equivalency bar still applies.
We flag this so you don’t get whiplash from a vendor citing old process — and so you understand why two Marketplace listings can look different. OMB M-24-15 reset FedRAMP toward scale and automation and pushed agencies to reuse authorizations; GSA dissolved the Joint Authorization Board and stood up the FedRAMP Board; and in March 2025 GSA announced FedRAMP 20x. The Marketplace was rebuilt in the process — the old marketplace.fedramp.gov now redirects to fedramp.gov/marketplace, and listings display through a refreshed lifecycle.
| What changed under FedRAMP modernization | What did not change for CMMC | What to re-check before your assessment |
|---|---|---|
| Marketplace rebuilt; status may read “FedRAMP Authorized” or “FedRAMP Certified” (with an impact level or a Class A–D) | The December 21, 2023 DoD equivalency standard: 100% of Moderate, 3PAO-assessed, complete BoE | Your provider’s current status, package ID, and covered services on the new Marketplace |
| JAB dissolved; FedRAMP Board now governs; FedRAMP 20x moving toward automated authorization | FedRAMP Moderate (or higher) remains the cloud floor for CUI under DFARS 7012 and 32 CFR Part 170 | Whether your CSP’s authorization is current and covers the exact services you use |
| New authorization paths and faster timelines being piloted | “FedRAMP equivalent” is still a DoD path, not a Marketplace designation | That any “equivalent” claim is backed by a complete, current Body of Evidence |
In short: the standard is stable; the process and labels around it are moving. Date your evidence, and check the Marketplace when it counts.
Which provider category do you actually need next?
Answer capsule: The right provider depends less on company size than on your CUI flow, your assessment type, your current environment, and your contract timeline. A small machine shop with a few CUI drawings usually needs a narrow CUI enclave; a software contractor with CUI in production usually needs architecture, GRC workflow, and managed-security support, sequenced before any C3PAO assessment. Match the category to the gap, not to a brand.
This is The Defense Compliance Report’s CMMC Path Framework applied to cloud: data type → service role → assessment type → environment → timeline → provider category. It routes you to a category, not a named provider, and it is not a score, ranking, or compliance advice. We don’t publish “best provider” awards.
| Your situation | The likely cloud/evidence issue | Provider category to evaluate first | Don’t start with |
|---|---|---|---|
| Small manufacturer, a few CUI drawings | File storage, email, endpoints, containment | CUI enclave + RPO/RP (and a CMMC-focused MSP) | A C3PAO before your scope is stable |
| Engineering firm exchanging drawings | Secure collaboration, CUI sharing, email | CUI enclave + MSP/MSSP + RP | Generic commercial file sharing |
| Software/SaaS company handling CUI | Application boundary, cloud platform, DevSecOps | RPO/RP + cloud architecture + GRC + MSSP | Treating infrastructure authorization as app authorization |
| MSP serving DIB clients | ESP-vs-CSP role ambiguity | RPO/RP + contract review + architecture evidence | “CMMC-ready” marketing claims |
| Prime flowing CUI to subs | Subcontractor cloud evidence, flow-down | Flow-down process + GRC/evidence workflow | Assuming subs already use a compliant cloud |
| Near a C3PAO assessment | Evidence gaps, CRM, BoE, SSP | Assessment-readiness review (RPO/RP) | New tools without scope control |
A few category definitions, so the routing is clear:
- RPO / RP (Registered Provider Organization / Registered Practitioner): readiness, scoping, SSP/POA&M, and remediation help. Usually the right first call. (See who to hire first for CMMC.)
- MSP / MSSP: managed IT and managed security — including standing up and running a compliant environment like GCC High or workloads on Azure Government or AWS GovCloud.
- CUI enclave: a dedicated, isolated environment so you don’t drag your whole company into scope. (See CMMC secure enclave.)
- GRC platform: evidence management, control mapping, and continuous compliance — a supporting layer, not a complete CMMC solution. Software alone does not make you compliant.
- C3PAO: the authorized organization that performs your Level 2 certification assessment. Keep readiness/remediation and formal assessment separate — the firm that fixes your environment should not also be the one that certifies it where independence rules apply.
▶ Get matched with source-checked provider options.
Tell us your level, CUI scope, cloud environment, and timeline, and Find My CMMC Path returns the matched provider categories whose role and status we’ve checked — so you can request scoped quotes with confidence. No CUI. No drawings. No sensitive contract details.
Find My CMMC Path →
What to do if your current cloud can’t prove FedRAMP authorization or equivalency
Answer capsule: If a cloud provider can’t show a Marketplace authorization or a complete equivalency Body of Evidence, don’t plan to explain it away during the assessment — the CAP review will catch an incomplete package. The faster, cheaper path is usually to stop placing CUI in that service, move CUI into a verified enclave or an authorized/equivalent offering, narrow your scope, or get an RPO/RP-led evidence review before you engage a C3PAO.
There’s good news buried in a stressful situation: cloud evidence gaps are far cheaper to fix before an assessment than to discover during one. Your realistic options, roughly in order of how contained your CUI is:
- Move the CUI out of the non-verifiable service. Best when your CUI flow is limited.
- Use a verified CUI enclave. Best for small and mid-sized firms that want to isolate CUI instead of rebuilding everything.
- Replace the SaaS tool with one that’s authorized or can produce a complete equivalency BoE. Best when the tool itself stores or transmits CUI and can’t prove it.
- Keep the tool, remove the CUI/SPD. Best when the tool can stay in your business but not in CMMC scope.
- Delay the C3PAO assessment until the evidence is stable. Best when the gap hits your core scope and would otherwise produce a failure.
Remember the clock. Phase 1 of the CMMC rollout began November 10, 2025, when revised DFARS clause 252.204-7021 took effect, and the first 12 months focus primarily on self-assessments for CUI contracts. During Phase 1, a Level 2 C3PAO assessment may appear in a solicitation only where program officials use discretion and adequate market research supports competition — it is not required for every CUI contract. Beginning November 10, 2026, Level 2 third-party (C3PAO) assessments begin appearing as a condition of award for applicable CUI contractors. See also: DFARS 252.204-7019 and 7020 explained and SPRS score guide. If your cloud evidence isn’t ready, the time to fix it is now — deliberately — not under assessment pressure.
▶ Fix the right thing once.
Map your current cloud stack and timeline in Find My CMMC Path before you request quotes or schedule a C3PAO. We’ll help you decide between scope reduction, enclave design, managed remediation, GRC cleanup, or a readiness review. Sanitized inputs only — no CUI.
Find My CMMC Path →
What we actually verified for this guide
Answer capsule: This guide is built from primary and authoritative sources, not vendor marketing. We read the current CMMC rule language, the DFARS cloud clause, the DoD FedRAMP Moderate Equivalency memo, the DoD CMMC FAQ, the Cyber AB CMMC Assessment Process, and the live FedRAMP Marketplace listings, and we date every regulatory and status fact because phases, rules, and listings change.
| What we checked | Source | Verified |
|---|---|---|
| CMMC Program Rule, CSP/ESP scoping and definitions | 32 CFR Part 170 (eCFR) | June 2026 |
| CMMC Final Rule publication and effective date (Oct 15, 2024 / Dec 16, 2024) | Federal Register | June 2026 |
| DFARS 252.204-7012 external-CSP requirement and (c)–(g) | Acquisition.gov | June 2026 |
| DFARS 252.204-7021 effective Nov 10, 2025; Phase 1 start | Federal Register / Acquisition.gov | June 2026 |
| FedRAMP Moderate equivalency definition (100% / 3PAO / BoE) | DoD CIO memo, Dec 21, 2023 | June 2026 |
| Encrypted CUI and MSP/CSP guidance | DoD CMMC FAQ, Section E | June 2026 |
| How assessors review cloud evidence (complete/intact/within periodicity) | Cyber AB, CMMC Assessment Process (CAP) v2.0, §2.21 | June 2026 |
| Cloud offering statuses and package IDs (GCC High, GCC, Azure Gov, AWS GovCloud, Google Workspace) | FedRAMP Marketplace product pages | June 2026 |
| FedRAMP modernization context (M-24-15; FedRAMP 20x) | FedRAMP.gov | June 2026 |
What we could not independently verify: provider-stated claims (for example, PreVeil’s and Microsoft’s equivalency/assessment announcements) — we present these as company-stated and link to each company’s own source; confirm directly with evidence. The exact current control count in the FedRAMP Moderate Rev. 5 baseline (cite fedramp.gov, not a secondhand number). And the precise threshold for “operational” items referenced but not fully defined in the equivalency memo.
Disclosure
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. See our editorial standards, methodology, and corrections policy.
Frequently asked questions about FedRAMP equivalency for CMMC cloud providers
Is FedRAMP Moderate enough for CMMC Level 2?
Yes, if the specific cloud service offering used to store, process, or transmit CUI is FedRAMP authorized at Moderate or higher (or DoD-equivalent) and you document the shared responsibilities and your own implementation. FedRAMP does not make your company CMMC compliant by itself — it makes the cloud eligible.
Is FedRAMP High required for CMMC?
Not as a blanket rule. The CMMC and DFARS language uses “FedRAMP Moderate (or higher)” for the cloud requirement. Specific contracts, agencies, data sensitivity (such as export-controlled CUI), or Level 3 environments may push you toward FedRAMP High, but “CMMC always requires FedRAMP High” is incorrect.
Does FedRAMP authorization make my company CMMC compliant?
No. FedRAMP applies to a cloud service offering. CMMC assesses your in-scope environment, your implementation of NIST SP 800-171 Rev. 2, your evidence, and your responsibilities.
Can I store encrypted CUI in a non-FedRAMP cloud?
No — not simply because it’s encrypted. The DoD CMMC FAQ states that if you use an external CSP to store encrypted CUI, the CSP must still meet FedRAMP Moderate equivalency. Encryption does not decontrol CUI or remove the cloud from scope.
What is a FedRAMP-equivalent Body of Evidence?
It’s the documentation package supporting a cloud offering’s claim of DoD FedRAMP Moderate equivalency — typically a System Security Plan, Security Assessment Plan, Security Assessment Report, continuous-monitoring artifacts, Plan of Action & Milestones, a Customer Responsibility Matrix, and penetration-test results, assessed by a FedRAMP-recognized 3PAO.
Who validates the Body of Evidence during a CMMC assessment?
Your C3PAO reviews whether the BoE is complete, intact, and within periodicity, per the Cyber AB CMMC Assessment Process. The C3PAO does not perform a full FedRAMP conformance assessment or qualitatively grade the evidence during your CMMC assessment.
Is FedRAMP Ready the same as FedRAMP Authorized?
No. FedRAMP Ready, Agency Authorization In Process, and FedRAMP In Process are Marketplace lifecycle stages that are not the same as a finished authorization. Don’t treat them as equivalent for CMMC unless current DoD guidance permits the specific status for your specific use.
Does an MSP need its own CMMC certification?
Not automatically. Per the DoD CMMC FAQ, MSPs and MSSPs that don’t store, process, or transmit CUI but do handle Security Protection Data are External Service Providers assessed as part of your scope, and don’t require their own CMMC certification.
Is my MSP a CSP?
It depends on the relationship. If you hold the cloud license and the MSP administers it, the MSP is not a CSP. If the MSP contracts with the cloud provider and modifies the underlying service, the MSP may be a CSP and must meet FedRAMP or equivalency.
Does “hosted in AWS GovCloud” mean the SaaS is CMMC-ready?
No. It can help, but the SaaS offering itself needs its own proof path if it stores, processes, or transmits CUI. Infrastructure authorization does not authorize the application built on top of it.
Do I upload my cloud evidence, BoE, or SSP to SPRS?
No. SPRS (the Supplier Performance Risk System) holds your CMMC self-assessment scores, your CMMC status, and your annual affirmations; Level 2 C3PAO results are recorded through the CMMC instantiation of eMASS (the Enterprise Mission Assurance Support Service) and reflected in your status. Don’t upload SSPs, Body-of-Evidence artifacts, diagrams, or CUI into public forms. DFARS 252.204-7019 and 7020 govern posting NIST SP 800-171 assessment scores to SPRS; DFARS 252.204-7021 governs maintaining your CMMC status, affirmations, and flow-down.
What if the cloud provider won’t give me a Customer Responsibility Matrix?
That’s a serious evidence problem — without a CRM you can’t map inherited, shared, and customer-responsible controls, which is exactly what your assessor expects to see. Resolve it before your assessment, or treat the provider as a risk.
Who should review my cloud stack before I request a C3PAO assessment?
For most contractors who aren’t yet assessment-ready, start with an RPO/RP, a CMMC-focused MSP/MSSP, a CUI enclave architect, or a GRC/evidence provider, depending on the gap. A C3PAO should not be your remediation provider for the same engagement where independence rules apply.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Start at Find My CMMC Path — do not submit CUI, drawings, or sensitive contract details.
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. This page is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level, not a checklist.
Keep going
- FedRAMP Moderate for CMMC Cloud Services: What Counts — the full regulatory basis and evidence demands for any CSP in your CMMC scope
- CMMC vs FedRAMP — how the two programs differ, who each applies to, and when you need both
- CMMC Secure Enclave — how to isolate CUI so you don’t drag your whole company into scope
- Microsoft 365 GCC High for CMMC — what it covers, what your tenant still owes, and how to verify it
- Azure Government for CMMC — FedRAMP High authorized platform; what lives above it is yours
- AWS GovCloud for CMMC — when it’s required, when it’s overkill, and what “we’re on GovCloud” actually proves
- DFARS 252.204-7012 explained — the cloud clause that drives the FedRAMP-equivalency duty
- Who to hire first for CMMC — RPO, MSP, C3PAO, or GRC: sequencing the right provider for your gap
Primary sources
- DoD CIO, FedRAMP Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings (Dec 21, 2023) — dodcio.defense.gov (PDF)
- 32 CFR Part 170 — CMMC Program (eCFR) — ecfr.gov
- 32 CFR Part 170, Subpart D (scoping; CSP/ESP) — ecfr.gov/subpart-D
- DFARS 252.204-7012 (Acquisition.gov) — acquisition.gov
- DFARS 252.204-7019 (Acquisition.gov) — acquisition.gov
- CMMC Program Final Rule (Federal Register, Oct 15, 2024) — federalregister.gov
- DoD CMMC FAQ, Section E (External Service Providers) — dodcio.defense.gov (PDF)
- Cyber AB, CMMC Assessment Process (CAP) v2.0, §2.21 — cyberab.org (PDF)
- OMB Memorandum M-24-15, Modernizing FedRAMP (Jul 25, 2024) — fedramp.gov
- FedRAMP Marketplace — fedramp.gov/marketplace
- FedRAMP Marketplace, Microsoft 365 GCC High (FR1824057433) — fedramp.gov
- FedRAMP Marketplace, Microsoft 365 GCC / Multitenant (MSO365MT) — fedramp.gov
- FedRAMP Marketplace, Azure Government (F1603087869) — fedramp.gov
- FedRAMP Marketplace, Google Workspace (F1206081364) — fedramp.gov
- FedRAMP Marketplace, AWS GovCloud (US) (F1603047866) — fedramp.gov
- NIST SP 800-171 Rev. 2 — nvlpubs.nist.gov (PDF)
- NIST SP 800-172 — csrc.nist.gov