External Service Providers: Official DoD FAQ

Must My Cloud Service Provider Meet FedRAMP Requirements for CMMC?

Source: DoD CIO CMMC FAQs v5 (E-Q1)

Yes, Cloud Service Providers (CSPs) that process, store, or transmit CUI must meet Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline requirements or equivalent. A non-FedRAMP cloud service may store encrypted CUI data under specific conditions, but the encryption implementation must be properly evaluated.

Cloud Requirements Under CMMC

If you store CUI in the cloud, which most modern defense contractors do, your cloud provider must meet specific security standards.

The FedRAMP Requirement

Under DFARS 252.204-7012, cloud services processing, storing, or transmitting CUI must be FedRAMP Moderate authorized or meet equivalent security requirements. This applies to:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

Common Cloud Providers and FedRAMP Status

  • Microsoft 365 GCC High: FedRAMP High authorized; meets CMMC requirements
  • AWS GovCloud: FedRAMP High authorized
  • Google Workspace: FedRAMP Moderate authorized (standard); evaluate carefully for CUI

The Encrypted CUI Exception

A non-FedRAMP cloud service may store encrypted CUI if the encryption meets FIPS 140-2/140-3 validated standards and the encryption keys are managed separately from the cloud provider. However, this is a narrow exception and must be carefully evaluated during your CMMC assessment.

Important: Remember that encrypted CUI is still CUI; the cloud environment remains in your assessment scope even if data is encrypted.
