FedRAMP / FedRAMP Moderate
Also known as: Federal Risk and Authorization Management Program
FedRAMP is the U.S. government program for authorizing cloud services to handle federal data. CMMC Level 2 requires FedRAMP Moderate (or equivalent) for any cloud service handling CUI.
The Federal Risk and Authorization Management Program (FedRAMP) is the U.S. government program that standardizes the security assessment and authorization of cloud services. It defines three impact levels — Low, Moderate, and High — corresponding to the sensitivity of data the cloud service can handle.
Under DFARS 252.204-7012 and CMMC Level 2, any external cloud service that processes, stores, or transmits Controlled Unclassified Information (CUI) on behalf of a defense contractor must hold a FedRAMP Moderate authorization (or be assessed as meeting equivalent security requirements). FedRAMP High is required for the most sensitive CUI categories.
A C3PAO will review the contractor's shared responsibility matrix with every cloud provider touching CUI and verify the FedRAMP authorization status of each. Cloud services with no FedRAMP authorization (or only FedRAMP Low) cannot be used to handle CUI.