The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

FedRAMP Moderate for CMMC Cloud Services: What Contractors Must Verify

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Department of Defense, DCMA DIBCAC, FedRAMP, or The Cyber AB. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This article is educational and is not legal, contractual, cybersecurity, or compliance advice.

FedRAMP Moderate for CMMC cloud services is required when a cloud service offering processes, stores, or transmits Controlled Unclassified Information (CUI) for a DoD contract or subcontract that carries a CMMC Level 2 or Level 3 status requirement. You have two acceptable paths: the exact cloud service offering is FedRAMP Moderate Authorized (or higher) and listed in the FedRAMP Marketplace, or it meets DoD FedRAMP Moderate equivalency requirements through a validated Body of Evidence. There is no third option.

Here’s the fast version before you read another word:

| Your cloud service does this | FedRAMP Moderate path? | What to do now |
|---|---|---|
| Processes, stores, or transmits CUI | Yes — Authorized at Moderate/higher, or equivalency | Verify the exact Marketplace offering, or request the equivalency Body of Evidence + Customer Responsibility Matrix |
| Stores encrypted CUI only | Yes — encryption is not a loophole | Don’t treat encryption as decontrol; verify FedRAMP/equivalency anyway |
| Handles logs/config/security data with no CUI | No FedRAMP requirement from that alone | Treat it as a Security Protection Asset in your CMMC scope |
| MSP administers your tenant | It depends | Determine who licenses the tenant, the MSP’s access, and the responsibility split |
| Vendor says “FedRAMP equivalent” | Maybe | Ask for the Body of Evidence — there is no public equivalency registry |

Verified against 32 CFR Part 170, DFARS 252.204-7012, the DoD CMMC FAQ, DoD technical guidance, Cyber AB CAP v2.0, and the FedRAMP Marketplace.

This is the page we wish existed when a prime, a solicitation, or a C3PAO first asked a contractor, “What cloud are you using for CUI, and can you prove it qualifies?” We read the rule, the DoD FAQ, the DoD CIO equivalency briefing, and the Cyber AB assessment process so you can make the call without guessing.


Does CMMC require FedRAMP Moderate for cloud services?

Yes — when a cloud service offering processes, stores, or transmits CUI for a CMMC Level 2 or Level 3 contractor environment, the cloud must be FedRAMP Moderate Authorized (or higher) or meet DoD FedRAMP Moderate equivalency. If a cloud service never touches CUI, FedRAMP authorization is not required simply because the service exists in your stack. The requirement is tied to the data, not the logo.

This isn’t new, and it isn’t only a CMMC thing. DFARS 252.204-7012 — the safeguarding clause that has been in DoD contracts since 2016 — already requires that if you use an external cloud provider to store, process, or transmit covered defense information, you must require and ensure that provider meets security requirements equivalent to the FedRAMP Moderate baseline plus incident-reporting obligations. CMMC took that existing obligation and built it into a certification program.

The CMMC Program Rule, codified at 32 CFR Part 170, became effective December 16, 2024. The acquisition rule that puts CMMC clauses into contracts — DFARS 252.204-7021 — became effective November 10, 2025.

What this rule does not mean matters just as much:

Here is the gap between what the regulation says and what it means on a Tuesday morning when you’re scoping your environment:

| Primary source | What it says | What it means for you |
|---|---|---|
| DFARS 252.204-7012 | A CSP handling covered defense information must meet FedRAMP Moderate-equivalent requirements plus incident-reporting obligations | Your contract, not just CMMC, drives the cloud requirement — it’s been there for years |
| 32 CFR §170.16/§170.17 | Level 2 cloud use requires FedRAMP Moderate Authorized/higher or equivalent, with responsibilities in the SSP | Your assessor will care about the exact offering and the responsibility split |
| DoD CMMC FAQ (Section E) | A CSP that stores, processes, or transmits CUI must meet the FedRAMP Moderate baseline | Marketing claims aren’t evidence — confirm the real status |
| DoD technical guidance | No CUI in a cloud = FedRAMP not required; security-data-only services are assessed as protection assets | Classify the data before you buy or migrate |

The real question isn’t “cloud vs. not.” It’s CUI vs. SPD, and CSP vs. ESP.

Whether a cloud service needs FedRAMP Moderate depends on two questions, not one: does it touch CUI (versus only security data), and is the vendor acting as a Cloud Service Provider (versus a different kind of external service provider)? Get those two answers right and almost every cloud question resolves itself. Get them wrong and you’ll either over-buy a fortress you don’t need or fail an assessment over a tool you assumed was fine.

Three definitions do the heavy lifting, each defined precisely in 32 CFR §170.4:

A relief most contractors miss: Earlier proposed versions of the rule would have required ESPs such as MSPs to get their own CMMC certification. The CMMC Final Rule dropped that: ESPs are not required to obtain their own separate CMMC assessment just because they support your environment. They may voluntarily elect to, and that may be useful to verify. But it is not a current requirement. See the full guide to CMMC External Service Provider requirements.

The rule also gives you a scoping vocabulary in 32 CFR §170.19: every asset lands in one of five buckets — CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, or Out-of-Scope Assets. Your cloud services aren’t exempt from that map. They sit somewhere on it, and where determines what you have to prove.

So before you check a Marketplace listing or read a vendor’s security page, classify the service. The table below assembles the work from 32 CFR Part 170, DFARS 252.204-7012, the DoD CMMC FAQ (Section E), DoD technical implementation guidance, the DoD CIO FedRAMP equivalency briefing, the FedRAMP Marketplace, and Cyber AB CAP v2.0.

The CMMC Cloud Service Evidence Matrix

Original decision table assembled from primary sources.

| Scenario | FedRAMP Moderate required? | CMMC treatment | What to request before assessment | Common mistake |
|---|---|---|---|---|
| SaaS, IaaS, PaaS, backup, VDI, file-sharing, email, GRC, ticketing, or SIEM processes, stores, or transmits CUI | Yes — Authorized Moderate/higher, or equivalent | CSP path; on-prem systems that connect to it stay in scope; responsibilities go in the SSP | Marketplace listing for the exact offering, or equivalency Body of Evidence; CRM; service description | Assuming the vendor’s brand or parent-platform status covers every service offering |
| Cloud service stores encrypted CUI only | Yes | Still treated as CUI in the cloud | Same as above | Believing encryption removes CUI status |
| Cloud service handles SPD only — logs, config, vulnerability data, passwords — and no CUI | No FedRAMP requirement from SPD alone | Assessed as a Security Protection Asset / ESP function against the relevant requirements | CRM/service description; what SPD it touches; how it participates in your assessment | Treating “no CUI” as “out of scope” when the service protects the CUI environment |
| MSP administers your own subscribed/licensed Microsoft 365, AWS, Azure, or Google tenant | The MSP is usually not the CSP — but the cloud offering still needs the FedRAMP path if it holds CUI | MSP is likely an ESP if it accesses CUI/SPD; assessed via CRM/SSP | Tenant ownership proof; MSP access model; CRM; admin roles; logging | Assuming “the MSP manages it” makes the MSP the CSP |
| MSP contracts with the CSP and modifies the service, owns the tenant, or subdivides it for customers | Likely yes if CUI is involved | MSP may have become a CSP; or its own platform needs CMMC treatment | Architecture, tenant ownership, CRM, FedRAMP/equivalency evidence or CMMC status | Buying a “managed enclave” without proving who the actual CSP is |
| Non-cloud ESP hosts your data on its own systems (shared drives, local hosting) | FedRAMP isn’t the framework unless it’s a cloud offering | ESP path; services assessed in your scope | Service description, CRM, SSP mapping | Calling every hosted service “cloud,” or every non-cloud host “FedRAMP” |
| Offering is FedRAMP Moderate Authorized and listed in the Marketplace | Yes — acceptable path if the exact offering/boundary matches | CSP status accepted; you still own your customer controls | Marketplace record showing provider, service offering, impact level, status; CRM | Checking the provider name but not the exact service offering |
| Offering is “FedRAMP Moderate Equivalent” and not in the Marketplace | Potentially acceptable — but it is not a FedRAMP authorization | You evaluate the Body of Evidence; the C3PAO/DIBCAC reviews it during assessment | Complete Body of Evidence, documents intact and current; CRM; 3PAO artifacts | Treating “equivalent” as a public status or a Marketplace listing |
| Offering is FedRAMP High Authorized | Generally clears the “Moderate or higher” bar — still verify the exact offering | CSP path with customer responsibilities | Marketplace listing, CRM, boundary, data-residency/export fit | Assuming High covers every product or tenant configuration |
| Endpoint only accesses a VDI where CUI stays inside the remote session | Depends on the VDI cloud service, not the endpoint alone | Endpoint can be Out-of-Scope if it can’t process/store/transmit CUI beyond keyboard/video/mouse | VDI configuration proof; copy/paste/print/local-drive restrictions; separate MFA | Calling endpoints out of scope while allowing screenshots, printing, or clipboard |
| GRC/evidence platform stores CMMC evidence that includes CUI (CUI-bearing screenshots, drawings, technical artifacts, or contract documents that contain CUI) | Yes if it stores/processes/transmits CUI | CSP path if CUI; SPA/SPD path if only security evidence and no CUI | Data-content review; vendor FedRAMP status or Body of Evidence; redaction workflow | Uploading CUI into a generic compliance tool during readiness |

Sources: CUI/SPD/CSP/ESP definitions and asset categories from 32 CFR §170.4 and §170.19; cloud rule from §170.16/§170.17 and DFARS 252.204-7012; encrypted-CUI, MSP, and VDI rows from the DoD CMMC FAQ Section E; authorized-vs-equivalent rows from the DoD CIO FedRAMP briefing and Cyber AB CAP v2.0.


The fastest way to know if your cloud service needs FedRAMP Moderate

Ask three questions in order: Is it a cloud offering? Does it process, store, or transmit CUI? Is the exact offering FedRAMP Moderate Authorized/higher or supported by equivalency evidence? If the first two are “yes” and the third is “no,” you have a cloud-service gap to close before assessment — not during it. This three-step screen mirrors how a C3PAO will think about the same service.

  1. Is this actually a cloud offering? A Cloud Service Provider delivers cloud computing — shared, configurable resources with on-demand access and rapid provisioning, per the §170.4 definition. A vendor running software on your own server, or a consultant with a laptop, is not a cloud offering.
  2. Does it process, store, or transmit CUI? Remember the broad reading: access, entry, editing, generation, manipulation, printing, CUI at rest, CUI in transit. If the service can do any of those to CUI, treat it as in the CUI conversation until you prove otherwise.
  3. Is the exact service offering FedRAMP Moderate Authorized/higher or equivalent? Per Cyber AB CAP v2.0, assessors verify the provider, the specific service offering, the impact level, and the status in the FedRAMP Marketplace for authorized offerings — and, for equivalency, verify that the Body of Evidence is complete, intact, and within its required periodicity.

Run those three and you land in one of four lanes:

| Result | Meaning | Next step |
|---|---|---|
| Green | The exact offering is FedRAMP Moderate Authorized/higher and a CRM is available | Document it in your SSP and gather assessment evidence |
| Yellow | Vendor claims equivalency but isn’t Marketplace-authorized | Request the Body of Evidence, CRM, 3PAO artifacts, and contract terms |
| Orange | Service handles SPD only, no CUI | Treat it as a Security Protection Asset, not a FedRAMP problem |
| Red | Cloud service holds CUI with no FedRAMP authorization or equivalency evidence | Remove the CUI, migrate, or replace the provider before assessment |

A red light is not a crisis if you catch it now. It’s a crisis if your C3PAO catches it for you. The whole point of running this screen early is to turn a future assessment finding into a manageable project this quarter.

Not sure which of your cloud tools are actually in scope?

That’s a common reason DIB contractors stall — and it’s fixable. Tell us your CMMC level, your cloud stack, how CUI flows, and your timeline, and we’ll help you see whether your next move is readiness help, a cloud/enclave migration, evidence software, or an assessment-only step. Non-sensitive intake only — never send CUI, contract numbers, or system diagrams.


FedRAMP Authorized vs. FedRAMP Moderate Equivalent: the difference that trips people up

FedRAMP Authorized means the exact cloud offering carries a FedRAMP Marketplace status at Moderate or higher. FedRAMP Moderate Equivalent is not a FedRAMP authorization, does not appear in any public registry, and puts the burden on you, the contractor, to validate a complete Body of Evidence your assessor can review. Both can satisfy CMMC. They are not the same thing, and confusing them is how contractors get surprised at the worst possible moment.

FedRAMP Authorized is the clean path. The FedRAMP Marketplace is the official, searchable database of authorized cloud services (now labeled “FedRAMP Certified” — more on that name change next) and recognized assessors. As of mid-2026 it listed more than 500 authorized cloud service offerings, and the catalog grows constantly — so confirm the current status, and care far more about whether your exact offering is on it than about the total count. If your provider’s specific offering is there at Moderate or higher and the boundary matches your use, you have a citation an assessor can confirm in minutes.

FedRAMP Moderate Equivalent is the alternate lane DoD built for cloud offerings that don’t hold a FedRAMP authorization. Per the DoD CIO’s FedRAMP Authorization and Equivalency briefing, equivalency gives contractors an additional pathway to use a cloud offering for CUI — but it explicitly does not confer FedRAMP Moderate Authorization. To claim it, the cloud provider must have a FedRAMP-recognized Third Party Assessment Organization (3PAO) assess the offering at 100% of the current FedRAMP Moderate baseline and produce a Body of Evidence: a System Security Plan, a Security Assessment Plan, a Security Assessment Report, and a Plan of Action and Milestones (POA&M), with continuous-monitoring scans and an annual penetration test.

The most useful thing on this page: FedRAMP Moderate equivalency is real and acceptable, but it is harder to rely on than a Marketplace authorization. There’s no public registry. The provider doesn’t receive a FedRAMP authorization from the equivalency route. And you — not the provider — have to stand behind that evidence during your assessment. There’s even a counterintuitive twist documented in the DoD CIO briefing: because no government Authorizing Official exists to formally accept residual risk for an “equivalent” offering, the offering must hit 100% of the baseline at the conclusion of its 3PAO assessment, with no open control-gap POA&Ms. A truly FedRAMP-authorized system, by contrast, can carry POA&Ms with remediation timelines because an Authorizing Official accepted that risk. At the moment of assessment, “equivalent” can be the stricter bar, not the lighter one.

The contractors who get burned aren’t the ones who chose equivalency. They’re the ones who took “equivalent” on faith and found out during the assessment. Verify before you buy, migrate, or schedule the C3PAO — not after.

| Path | Public status? | Who reviews it? | What you need | Biggest risk |
|---|---|---|---|---|
| FedRAMP Moderate Authorized | Yes — Marketplace | Assessor verifies provider/offering/impact/status | Marketplace record + CRM + SSP mapping | Wrong product or boundary |
| FedRAMP High Authorized | Yes — Marketplace | Same as above | Same, plus contract/data fit | Assuming the whole suite is covered |
| FedRAMP Moderate Equivalent | No public registry | You evaluate; C3PAO/DIBCAC reviews the Body of Evidence | Body of Evidence, 3PAO artifacts, CRM, continuous-monitoring evidence | Vendor won’t share enough proof |
| Non-CSP ESP with CUI | Not a FedRAMP path | Assessed in your scope | Service description, CRM, SSP, evidence | Misclassifying a cloud service as non-cloud |
| SPD-only ESP / SPA | No FedRAMP requirement from SPD | Assessed against relevant requirements | CRM, asset inventory, network diagram, SSP treatment | Treating security tooling as out of scope |

“FedRAMP Certified” and “Class C”: the 2026 label change you’ll see on vendor sites

In 2026, FedRAMP began moving from “FedRAMP Authorization” language to “FedRAMP Certification” language, and from Low/Moderate/High impact labels toward lettered classes — where Class C maps to today’s Moderate baseline. The control baseline behind it is essentially the same, and your contract still references “FedRAMP Moderate.” So when a vendor’s site says “FedRAMP Certified — Class C,” read it as the same standard as “FedRAMP Moderate Authorized.”

Per FedRAMP’s own notice NTC-0004 (published February 25, 2026), the mapping is: Class A is a new pilot baseline, Class B covers today’s Low (and Li-SaaS), Class C covers today’s Moderate, and Class D covers today’s High. FedRAMP has said it will publish the broader Consolidated Rules for 2026 (CR26) by the end of June 2026, with the new framework taking effect during 2026 and remaining valid through December 31, 2028.

Three things this does not change — hold these firmly:

  1. The regulation’s text is unchanged. DFARS 252.204-7012 and 32 CFR Part 170 still say “FedRAMP Moderate.” The relabel changes vendor marketing and the Marketplace, not your contractual requirement.
  2. DoD “equivalency” is separate from FedRAMP’s classes. Equivalency is a DoD construct under the 7012 clause; it does not map to or earn a FedRAMP certification class.
  3. The underlying baseline didn’t shrink because the label changed.

When you read a 2026 vendor claim, translate it before you trust it:

| Vendor says… | What it means in FedRAMP terms | What it means for your CMMC/DFARS requirement | What to verify |
|---|---|---|---|
| “FedRAMP Certified — Class C” | Today’s FedRAMP Moderate Authorized | Meets the requirement | The exact offering and impact level on the Marketplace |
| “FedRAMP Moderate Authorized” | Moderate Authorized (legacy label) | Meets the requirement | Same as above |
| “FedRAMP Certified — Class D” / “FedRAMP High” | Today’s FedRAMP High Authorized | Exceeds the requirement | Exact offering; whether every service you use is covered |
| “FedRAMP Moderate Equivalent” | A DoD evidence path, not a FedRAMP authorization | May meet it — only with a real Body of Evidence | The full Body of Evidence, scoped to your services, current |
| “FedRAMP Ready” or “FedRAMP In Process” | Pursuing authorization; not yet authorized | Does not meet it on its own | Whether the vendor separately supports DoD equivalency with a reviewable Body of Evidence |
| “Runs on FedRAMP infrastructure” / “FedRAMP aligned” | Not a status at all | Insufficient as stated | What their specific offering actually holds |

Can a non-FedRAMP cloud store encrypted CUI for CMMC?

No. The DoD CMMC FAQ is explicit: a non-FedRAMP-Moderate cloud service offering cannot store encrypted CUI for DoD contract performance unless the provider meets requirements equivalent to the FedRAMP Moderate baseline. Encryption protects the data; it does not change the data’s status. CUI stays CUI until it is formally decontrolled — encrypted or not.

In Section E of the DoD CMMC FAQ, question E-Q2 asks whether a non-FedRAMP Moderate cloud service offering can store encrypted CUI. The answer begins with a flat “No,” then restates the 7012 requirement: if you use an external CSP to store encrypted CUI, you must require and ensure that CSP meets FedRAMP Moderate-equivalent requirements.

Where this bites — the hidden copy paths for encrypted CUI:

| Hidden encrypted-CUI copy path | Why it’s easy to miss |
|---|---|
| Cloud backup target | A nightly job copies CUI into commercial backup even when production looks controlled |
| Helpdesk/ticketing attachments | Users paste drawings, error screens, or files containing CUI into tickets |
| GRC/evidence repositories | Readiness work uploads CUI-bearing screenshots and artifacts into a generic tool |
| SIEM/log pipelines | Payloads, filenames, or alert enrichment carry CUI into the logging platform |
| VDI storage / profile data | CUI persists in the remote profile or redirected folders |
| File-sharing / object storage | “Temporary” shares and buckets quietly become CUI repositories |

If a service holds encrypted CUI and can’t show FedRAMP Moderate authorization or equivalency, the cleanest fix is usually one of three moves: remove CUI from that service, shift the workflow to an authorized or equivalent service, or redraw your scope so the CUI lives in a properly authorized boundary. Doing that now is a project. Doing it after a failed assessment is a fire drill with a contract on the line.


Is my MSP or MSSP a Cloud Service Provider for CMMC?

Sometimes. If your company subscribes to or licenses the cloud tenant and your Managed Service Provider (MSP) merely administers it, DoD says the MSP is not the CSP. If the MSP contracts with the cloud provider and modifies the base service, owns the tenant, or subdivides it for customers, the MSP may itself be a CSP and must meet FedRAMP/equivalency requirements when CUI is involved. The licensing relationship — who actually holds the subscription — usually settles it.

This comes straight from the DoD CMMC FAQ question E-Q5: if the cloud tenant is subscribed or licensed to you (even if the MSP resells it), the MSP is not a CSP. Day-to-day administration doesn’t transfer the CSP designation. The flip side: an MSP that contracts with the cloud provider directly and modifies the base offering can cross into CSP territory and inherit the FedRAMP obligation.

Use the tenant-owner test:

| Relationship | Is the MSP the CSP? | FedRAMP required of the MSP? | CMMC treatment |
|---|---|---|---|
| Tenant licensed to you; MSP administers it | No | The underlying offering must meet the requirement if CUI is there | MSP is an ESP if it accesses CUI/SPD |
| MSP resells the service to you, you hold the tenant | No | Same as above | MSP as ESP |
| MSP owns the tenant and sells you a workspace | Maybe / likely | Yes, if CUI is there | CSP or ESP analysis needed |
| MSP subdivides one tenant across customers | Likely | Yes, if CUI is there | CSP analysis needed |
| MSP modifies the base cloud service it contracts for | Likely | Yes, if CUI is there | May be a CSP |
| MSSP ingests logs/SPD only, no CUI | No | No FedRAMP from SPD alone | Security Protection Asset / ESP |

A note on MSSPs specifically: a security provider that only sees logs and telemetry that do not contain CUI is handling SPD, not CUI, so it doesn’t need FedRAMP on that basis. But watch that “do not contain CUI” — logs can pick up CUI through payloads, filenames, alert enrichment, ticket attachments, or user-entered content. And even a clean SPD-only MSSP is still an External Service Provider / Security Protection Asset in your scope, with a service description and a CRM. “We only see security data” is a reason it isn’t a CSP — not a reason it’s out of scope.

Your MSP may not be the CSP — but it may still be squarely in scope.

If you’re untangling who owns what, send us your non-sensitive provider categories, your CMMC level, and your timeline, and we’ll map which provider type should help first: readiness, a CMMC-focused MSP/MSSP, a CUI enclave, GRC software, or assessment.


What evidence should you request from a CSP before a CMMC assessment?

Request evidence before you sign, renew, migrate, or schedule the assessment — not during it. For an authorized offering, verify the exact Marketplace service offering and get the Customer Responsibility Matrix. For equivalency, request the full Body of Evidence, the CRM, the service description, and proof the documents are complete, intact, and current. The single biggest avoidable failure is discovering at assessment time that your vendor can’t — or won’t — produce what your C3PAO needs.

| Evidence item | Authorized offering | Equivalent offering | Why it matters |
|---|---|---|---|
| Exact FedRAMP Marketplace listing | Yes | No (equivalency isn’t listed) | Proves provider, offering, impact level, status |
| Customer Responsibility Matrix (CRM) | Yes | Yes | Shows which controls are yours, theirs, or shared |
| Service description | Yes | Yes | Defines the actual service boundary |
| SSP references / integration | Yes | Yes | CMMC requires the responsibility split documented or referenced in your SSP |
| Body of Evidence (SSP, SAP, SAR, POA&M) | Generally no | Yes | The equivalency proof package |
| 3PAO assessment artifacts | Not usually for you | Yes | Equivalency requires third-party assessment evidence |
| Continuous-monitoring summary | FedRAMP ConMon applies | Should be in the Body of Evidence | Shows the evidence is current, not a one-time snapshot |
| Incident-response terms | Yes | Yes | DFARS 7012 includes incident reporting and forensic obligations |
| NDA process for evidence review | Often | Almost always | Real Bodies of Evidence are sensitive; there should be a way for you and your assessor to review them |

The request we’d send a vendor — word for word. Copy it, send it, and keep the reply in your assessment file:

“Please confirm whether the exact cloud service offering that will process, store, or transmit our CUI is FedRAMP Moderate Authorized or higher, or whether you are asserting DoD FedRAMP Moderate equivalency. If authorized, please provide the FedRAMP Marketplace service-offering reference and the Customer Responsibility Matrix. If equivalent, please provide the Body of Evidence, the service description, the Customer Responsibility Matrix, evidence of assessment periodicity, and the NDA process for our CMMC assessment team’s review.”

What we’d never accept as final proof: “we run on AWS GovCloud,” “we use Azure,” “we’re CMMC ready,” “we’re FedRAMP aligned,” “we’re equivalent,” or “our security exceeds FedRAMP.” Your assessment evidence needs the exact offering, the exact boundary, and the exact responsibility split. Running on FedRAMP-authorized infrastructure is not the same as your specific offering being authorized; a SaaS sitting on authorized IaaS inherits some controls, but the SaaS layer still has to be covered.

Got a vendor claiming “FedRAMP equivalent”?

Before you write that into your SSP, run it through a cloud-service evidence review. We’ll help you sort the Marketplace-authorized, equivalency-claim, SPD-only, and CMMC-assessed paths apart — without collecting any CUI through the intake.


What stays in your CMMC scope even when the CSP is FedRAMP Authorized?

FedRAMP status covers the cloud provider’s piece — it does not make your environment disappear. Under 32 CFR §170.16/§170.17, your on-premises infrastructure that connects to the cloud offering stays in your CMMC Assessment Scope, and your customer responsibilities must be documented in or referenced by your System Security Plan. A green light on the cloud doesn’t relieve you of the controls you own.

Your identities and access controls, your endpoint configurations, your logging and encryption settings, your sharing policies, your incident-response procedures, your backup choices, and your users’ behavior can all remain your responsibility. The Customer Responsibility Matrix is the bridge that turns inherited, shared, and customer-owned controls into something an assessor can test. If a control is marked customer-owned and you didn’t implement it, FedRAMP status will not save you.

For any CUI cloud service, map these into your SSP:

Treat the cloud as a partner in your boundary, not a place your obligations go to vanish.


Is FedRAMP High, GCC High, AWS GovCloud, Azure Government, or Assured Workloads required instead of FedRAMP Moderate?

CMMC’s cloud rule is “FedRAMP Moderate or higher” for offerings that handle CUI — so Moderate is the baseline, not automatically the whole answer. Specific contracts, export-control obligations, data-residency needs, or product boundaries can point you toward FedRAMP High, Microsoft 365 GCC High, AWS GovCloud, Azure Government, or Google Assured Workloads. Don’t treat any one environment as universally mandatory from CMMC alone; the answer turns on your CUI type and your contract clauses.

The decisive fork is export control. If your systems process, store, or transmit export-controlled CUI or ITAR/EAR-controlled technical data, FedRAMP Moderate alone may not satisfy the access, residency, and export-control requirements. Those commonly include US-person-only access and US data residency. Verify before treating any environment as sufficient.

| Environment | Stated FedRAMP status | Typical fit | What to verify |
|---|---|---|---|
| Microsoft 365 Commercial | Not FedRAMP-authorized for CUI | FCI / Level 1 only | Don’t use it for CUI |
| Microsoft 365 GCC | FedRAMP Moderate authorized | Non-export-controlled CUI may be supported with strict configuration; the field genuinely debates it | Whether your contract and CUI type allow it; may include non-US persons → not for ITAR/EAR |
| Microsoft 365 GCC High | FedRAMP High authorized (Azure Gov IL4/IL5) | Common landing spot for DoD CUI, DFARS, ITAR/EAR, US-only access | Cost (often well above Commercial); migration is a full tenant move, not an upgrade |
| AWS GovCloud / Azure Government | FedRAMP Moderate & High authorized services | IaaS/PaaS foundation | Which specific services are in scope; your SaaS/config on top still needs coverage |
| Google Workspace (Assured Workloads) | FedRAMP Moderate (or equivalent) services available; not the default | CUI possible with strict boundary + client-side encryption | None of it is on by default; document every control |

For the full environment-by-environment buy decision, we go deep elsewhere so this page can stay focused on the rule:


What does a C3PAO or DIBCAC assessor actually review for cloud services?

For an authorized offering, the assessment team verifies the exact provider, service offering, impact level, and status in the FedRAMP Marketplace. For equivalency, the team verifies that the provider’s Body of Evidence is complete, intact, and within its required periodicity. The team is not re-running a full FedRAMP assessment of your cloud during your CMMC assessment. Knowing the scope of their review tells you exactly what to have ready.

| The assessment team does | The assessment team does not |
|---|---|
| Verify the provider, offering, impact level, and status in the Marketplace (authorized) | Re-perform a full FedRAMP assessment of the CSP |
| Verify the equivalency Body of Evidence is complete, intact, and within periodicity | Re-test the CSP’s individual security controls qualitatively |
| Review your CRM and how responsibilities are documented in your SSP | Accept marketing language in place of evidence |
| Confirm the assessed scope matches the services you actually use | Treat your customer-owned controls as the CSP’s job |

DIBCAC (the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center) plays the parallel role on the government side. Per the DoD CIO’s FedRAMP Authorization and Equivalency briefing, DIBCAC reviews a provider’s Body of Evidence asserting FedRAMP Moderate equivalency and validates compliance with DFARS 252.204-7012 and the related assessment requirements.

The assessment risk here is evidence readiness, not cloud security. CAP v2.0 puts the burden on showing that an equivalency Body of Evidence is complete, intact, and current — so a provider that can’t produce that evidence on request is the real exposure. Don’t let the first time anyone asks for it be the week of your assessment.


Do CMMC Level 1, Level 2, and Level 3 treat cloud differently?

The cloud-service requirement bites hardest at Level 2 and Level 3, where CUI is in play. Level 1 covers Federal Contract Information only and doesn’t create the FedRAMP Moderate cloud requirement on its own. Level 2 and Level 3 follow the FedRAMP Moderate Authorized/higher-or-equivalent path whenever a cloud processes, stores, or transmits CUI. Same cloud rule, different assessment intensity.

The phases and what each means for your cloud evidence:

Phase | Begins | CMMC status in applicable contracts | Cloud-evidence implication
Phase 1 | Nov 10, 2025 | DoD intends Level 1 (Self) and Level 2 (Self); may require Level 2 (C3PAO) at its discretion | If you hold CUI, your cloud must already meet the FedRAMP Moderate/equivalent rule; self-assessment doesn't lower the bar
Phase 2 | Nov 10, 2026 | DoD intends to require Level 2 (C3PAO) as a condition of award, with discretion to delay to an option period | Your cloud evidence gets reviewed by a C3PAO; have the Marketplace listing or Body of Evidence ready
Phase 3 | Nov 10, 2027 | Level 2 (C3PAO) across a broader set of contracts; Level 3 (DIBCAC) introduced | Level 3 adds the 24 NIST SP 800-172 requirements and CSP-inheritance evidence
Phase 4 | Nov 10, 2028 | Full implementation across applicable contracts | The rule applies broadly; no runway left

Phase 2, the first wave of mandatory C3PAO certification, begins November 10, 2026, roughly five months out as we publish. C3PAO capacity is finite and assessments take time to schedule. If your cloud evidence isn't in order, that's the window you're working against.

Which provider category should you talk to next?

If your problem is cloud classification, evidence, or architecture, start with readiness or cloud-implementation help — not a C3PAO. Bring in a C3PAO when you’re assessment-ready or specifically need the formal assessment. Matching the right provider category to your actual problem saves the most money and time.

Independence note: under the Cyber AB assessment process, a firm that performs your readiness and remediation work generally cannot also be the C3PAO that assesses that same work. Keep "get me ready" and "assess me" as separate engagements. It protects your assessment and your investment.

Your situation | Best first provider category | Don't hire first | Why
You don't know which cloud services touch CUI | RPO/readiness consultant or CMMC-focused MSP/MSSP | A C3PAO | Scope and evidence come before assessment
CUI is scattered across email/files/SaaS | CUI enclave / secure collaboration / cloud-implementation partner | A generic GRC tool | Tooling can't fix uncontrolled CUI flows
Vendor claims equivalency but has no Body of Evidence | Readiness lead + cloud-evidence review | Assessment scheduling | Evidence must be reviewed before assessment
MSP owns/operates your tenant or a managed enclave | CMMC-focused MSP/MSSP + readiness review | A generic MSP renewal | The provider's role may change your compliance path
You already have SSP, CRM, evidence, and cloud proof | An authorized C3PAO | A readiness firm that also wants to assess you | Preserve independence and assessment readiness
You need evidence workflow only | GRC/evidence platform, after scope is known | A full cloud migration | Evidence tooling should follow scope decisions, not lead them

Ready to sort the provider category before you spend a dollar?

Tell us your CMMC level, your cloud stack, your scope, and your timeline, and we’ll match you with source-checked CMMC provider options by category — readiness, MSP/MSSP, enclave, GRC, or assessment — with each one’s role and status checked as of the date we send them. Non-sensitive intake only — never send CUI, contract numbers, drawings, or system diagrams.


What to do this week if CUI is already in the cloud

Don’t start by buying a new platform. Start by mapping where CUI actually sits, which cloud offerings touch it, which vendors touch only security data, and what evidence each one can produce — then remove CUI from unsupported tools or document the FedRAMP/equivalency path before assessment. A week of disciplined inventory beats a rushed, expensive migration nearly every time.

A realistic seven-day plan:

  1. Day 1 — Inventory cloud services. Email, file storage, collaboration, CRM, ERP, ticketing, GRC, SIEM, EDR, backup, VDI, databases, object storage, MSP portals, customer portals.
  2. Day 2 — Mark the data type. CUI, covered defense information, FCI only, SPD only, or no sensitive data.
  3. Day 3 — Classify the provider role. CSP, non-CSP ESP, MSP/MSSP, Security Protection Asset, or out-of-scope candidate.
  4. Day 4 — Check the Marketplace or request the Body of Evidence. Verify the exact service offering, not just the parent company.
  5. Day 5 — Request the CRM and service description. Map inherited, shared, and customer-owned controls.
  6. Day 6 — Update the SSP and network diagram. Document asset treatment and external connections.
  7. Day 7 — Decide the path. Keep, remove CUI, replace, enclave, or schedule a readiness review.

Day 7 outcome | What it means
Keep | Evidence is strong and scope is documented
Remove CUI | The service can stay, just not for CUI
Replace | The vendor can't support CMMC evidence
Enclave | CUI needs a dedicated, controlled cloud boundary
Readiness review | Scope and evidence aren't assessment-ready yet
Schedule assessment | Evidence is complete and responsibilities are documented
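The seven-day plan is a triage procedure, and it is easy to apply it inconsistently across a few dozen inventory rows. The script below is an added example written for this guide, not a tool from the publication or from DoD: it encodes the rule stated on this page (CUI triggers the FedRAMP Moderate Authorized/higher-or-equivalency path for the exact offering; encryption never decontrols; SPD-only services are Security Protection Assets; a non-CSP MSP does not carry the path itself; a parent-company listing is brand, not boundary) and maps each row to one of the Day 7 outcomes. The service names, field names, and the sample inventory are constructed for illustration. The "Enclave" outcome is an architecture decision the script deliberately does not make.

```python
"""Day-7 triage of a cloud-service inventory against the FedRAMP Moderate rule.

Added example for illustration. The inventory rows and field names below are
constructed; the classification logic follows the rule described in the guide
and is not an authoritative DoD, FedRAMP, or Cyber AB tool.
"""
from dataclasses import dataclass
from enum import Enum


class Data(Enum):
    CUI = "CUI or covered defense information"
    FCI = "Federal Contract Information only"
    SPD = "Security Protection Data only (logs, config, vuln data)"
    NONE = "no sensitive data"


class Role(Enum):
    CSP = "cloud service provider for this offering"
    ESP = "non-CSP ESP (MSP/MSSP administering a tenant you license)"
    TENANT_OWNING_MSP = "MSP that licenses, owns, or subdivides the tenant"


class Listing(Enum):
    EXACT = "exact offering FedRAMP Authorized at Moderate or higher"
    PARENT_ONLY = "only the parent company or platform is listed"
    NONE = "not in the Marketplace"


@dataclass
class CloudService:
    name: str
    data: Data
    role: Role
    listing: Listing = Listing.NONE
    equivalency_boe: bool = False     # complete, intact, in-periodicity BoE reviewable under NDA
    encrypted: bool = False           # encryption at rest; recorded but never changes the outcome
    crm_received: bool = False        # Customer Responsibility Matrix in hand
    in_ssp: bool = False              # asset treatment and external connection documented
    needed_for_cui_work: bool = True  # False means the CUI workflow can live without this service


def has_fedramp_evidence(svc: CloudService) -> bool:
    """Exactly the two acceptable paths: exact Authorized listing, or a validated BoE."""
    return svc.listing is Listing.EXACT or svc.equivalency_boe


def triage(svc: CloudService) -> tuple:
    """Return (Day-7 outcome, reason). 'Enclave' is left to the architect, not decided here."""
    documented = svc.crm_received and svc.in_ssp
    if svc.data in (Data.NONE, Data.FCI):
        return "Keep", "no CUI, so the FedRAMP Moderate rule is not triggered on this basis"
    if svc.data is Data.SPD:
        if documented:
            return "Keep", "Security Protection Asset with CRM and SSP treatment"
        return "Readiness review", "SPD-only service still needs a service description, CRM, and SSP entry"
    # CUI from here on. A non-CSP ESP does not carry the FedRAMP path itself;
    # the tenant it administers does, and that tenant is its own inventory row.
    if svc.role is Role.ESP:
        if documented:
            return "Keep", "MSP administers a tenant you license; evidence path sits with the tenant's CSP"
        return "Readiness review", "ESP touching CUI needs a service description and CRM"
    # CSP, or an MSP that owns/subdivides the tenant and so is treated as a CSP.
    if not has_fedramp_evidence(svc):
        reason = {
            Listing.PARENT_ONLY: "brand is listed, boundary is not",
            Listing.NONE: "no Marketplace listing and no Body of Evidence",
        }[svc.listing]
        if svc.encrypted:
            reason += "; encryption is not a loophole"
        if not svc.needed_for_cui_work:
            return "Remove CUI", reason
        return "Replace", reason
    if documented:
        return "Schedule assessment", "evidence complete and responsibilities documented"
    return "Readiness review", "evidence exists but the CRM/SSP mapping is incomplete"


def triage_inventory(services) -> dict:
    """Map service name to Day-7 outcome for a whole inventory."""
    return {svc.name: triage(svc)[0] for svc in services}


# Constructed sample inventory (illustrative names, not real offerings or vendors).
SAMPLE_INVENTORY = [
    CloudService("Email and files (licensed tenant)", Data.CUI, Role.CSP,
                 listing=Listing.EXACT, crm_received=True, in_ssp=True),
    CloudService("Ticketing SaaS", Data.CUI, Role.CSP,
                 listing=Listing.PARENT_ONLY, encrypted=True, needed_for_cui_work=False),
    CloudService("Cloud backup target", Data.CUI, Role.CSP, listing=Listing.NONE),
    CloudService("MSSP SIEM", Data.SPD, Role.ESP, crm_received=True, in_ssp=True),
    CloudService("MSP remote-admin portal", Data.CUI, Role.ESP),
    CloudService("Marketing CRM", Data.NONE, Role.CSP),
    CloudService("Managed enclave (MSP-owned tenant)", Data.CUI, Role.TENANT_OWNING_MSP,
                 equivalency_boe=True, crm_received=True),
]

if __name__ == "__main__":
    for svc in SAMPLE_INVENTORY:
        outcome, reason = triage(svc)
        print(f"{svc.name:40} {outcome:20} {reason}")
```

Two design points worth noting. The `encrypted` field exists only so the reason string can call out the "encryption is not a loophole" trap; it is never consulted when choosing the outcome, which is the behaviour the DoD FAQ answer on encrypted CUI requires. And a backup target with no listing lands on "Replace" rather than "Keep" precisely because the page treats backup as a hidden CSP: if CUI is copied there, the target is in scope no matter how controlled the production workflow looks.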

If Day 7 lands on “readiness review” or “enclave,” that’s your cue to start the readiness checklist or compare provider categories — whichever matches where you are.


What we actually verified for this guide

We treat regulatory facts, current-state facts, and our own judgment as three different things. The facts below are sourced to primary documents we read directly. Our recommendations are editorial conclusions based on those facts — not legal, contractual, or compliance advice.

Last verified: . We verified:

Where current-state facts may change: the live FedRAMP Marketplace offering count, the final CR26 timeline, and whether standard Microsoft 365 GCC suffices for a specific contract's CUI all move over time. Confirm them against the primary sources above and your contracting officer before relying on them.


Frequently asked questions: FedRAMP Moderate for CMMC cloud services

Does CMMC require FedRAMP Moderate for every cloud service?

No. The requirement applies when a cloud service processes, stores, or transmits CUI for contract performance. A service that handles only Security Protection Data — logs, configuration, vulnerability data — and no CUI isn’t pushed onto the FedRAMP path on that basis, though it’s still assessed as a Security Protection Asset in your scope. (Source: DoD technical guidance; 32 CFR §170.4.)

Is FedRAMP Moderate equivalency the same as FedRAMP authorization?

No. DoD states plainly that FedRAMP Moderate equivalency does not confer FedRAMP Moderate Authorization. It’s an evidence pathway for cloud offerings without a FedRAMP authorization, validated by a third-party Body of Evidence. (Source: DoD CIO briefing.)

Is there a public list of FedRAMP Moderate equivalent cloud services?

No. There is no public registry of equivalency offerings. You evaluate the provider’s Body of Evidence, and your C3PAO or DIBCAC reviews it during assessment. (Source: DoD technical guidance.)

Can encrypted CUI be stored in a non-FedRAMP cloud?

No. The DoD CMMC FAQ (E-A2) answers this directly — a non-FedRAMP-Moderate cloud offering cannot store encrypted CUI unless the provider meets FedRAMP Moderate-equivalent requirements. Encryption doesn’t decontrol CUI. (Source: DoD CMMC FAQ.)

Does a FedRAMP Authorized cloud make my company CMMC compliant?

No. FedRAMP covers the cloud provider’s piece. Your organization still has to meet the applicable CMMC requirements, configure the tenant, own your controls, keep evidence, and affirm compliance where required.

Does my MSP need FedRAMP?

Maybe. If the MSP only administers your subscribed/licensed tenant, it’s not the CSP. If it contracts with the cloud provider and modifies the service, owns the tenant, or subdivides it, it may become a CSP and need the FedRAMP path when CUI is involved. (Source: DoD CMMC FAQ, E-A5.)

Does an MSSP that only sees logs need FedRAMP?

Not on that basis — logs that contain no CUI are Security Protection Data, not CUI. But confirm the logs and telemetry truly don’t carry CUI, and remember the MSSP is still an External Service Provider / Security Protection Asset in your scope, with a service description and a CRM.

Does a GRC or evidence tool need FedRAMP?

Yes, if the cloud-based tool stores, processes, or transmits CUI (CUI-bearing screenshots, drawings, or contract documents that contain CUI). If it stores only non-CUI evidence or SPD, treat it through the Security Protection Asset lens and document the treatment.

Does cloud backup count as “storing CUI”?

Yes, if the backup contains CUI. Backup is a common hidden CSP problem — CUI gets copied into a cloud backup target even when the production workflow looks controlled.

Is FedRAMP High required for CMMC?

CMMC’s rule says “FedRAMP Moderate or higher.” High may be required or advisable because of a specific contract, agency requirement, or export-control restriction — but it’s not a universal CMMC rule. Verify your specific contract and data type.

How do DFARS 252.204-7019 and 252.204-7020 relate to this?

They were the older mechanism for posting NIST SP 800-171 DoD Assessment scores in SPRS — and they’ve changed. As of February 1, 2026, under the Revolutionary FAR Overhaul, DFARS 252.204-7019 was removed and 252.204-7020 was renumbered (to 252.240-7997) without the old self-assessment requirements; assessment obligations now run through CMMC under DFARS 252.204-7021. DFARS 252.204-7012 and the CMMC clause are unchanged, so the cloud rule on this page still applies. For CMMC itself, you still post your Level 2 self-assessment results and affirmation in SPRS. (Verify the current clause set on Acquisition.gov before relying on any clause number, since these changes came by class deviation.)

What does “exact service offering” mean?

The specific cloud offering documented in your SSP and used for your CUI workflow — not the provider’s parent company or a different product in their catalog. Assessors check the offering, not the brand.

What if my CSP says the Body of Evidence is confidential?

That’s normal — but there should be an NDA-controlled process for you and your assessor to review it. If there’s no process at all, don’t rely on the equivalency claim for assessment readiness.

What’s the single biggest mistake contractors make here?

Verifying the brand instead of the boundary. “Runs on GovCloud” or “built on FedRAMP infrastructure” is not the same as proving the exact offering handling your CUI is FedRAMP Moderate Authorized/higher or equivalent.


Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. If you’d rather self-serve first, start with our CMMC readiness checklist — and if you’re earlier than you thought, our Level 1 vs. Level 2 vs. Level 3 guide will get you oriented fast.



This guide is educational analysis, not legal, contractual, export-control, or compliance advice. The Defense Compliance Report is not affiliated with, endorsed by, or sponsored by the Department of Defense, DCMA DIBCAC, FedRAMP, The Cyber AB, or any U.S. government agency.
