Home / Guides / FedRAMP for CMMC

FedRAMP for CMMC: Authorized vs Equivalent, Explained

Focus: fedramp cmmc Veteran-run · practitioner guide Updated Jul 2026 ~10 min read
The short answer

FedRAMP is the federal government's standardized process for authorizing and monitoring cloud services. It matters to CMMC because DFARS 252.204-7012 requires that any cloud provider handling your CUI meet security equivalent to the FedRAMP Moderate baseline. So the FedRAMP status of every cloud tool in your environment feeds directly into your own DFARS and CMMC compliance — and "Authorized" and "Equivalent" are two different ways to satisfy it.

If you run CUI through a cloud service — email, file sharing, a password vault, anything hosted — the FedRAMP posture of that service is not the vendor's problem to sort out later. It's a line an assessor will trace into your System Security Plan and ask you to defend. Get it wrong and a tool you thought was fine becomes a finding.

Here's where small contractors tie themselves in knots: a sales rep says "we're FedRAMP," a website shows a badge, and everyone assumes the box is checked. Sometimes it is. Sometimes the honest label is "FedRAMP Moderate Equivalent," which is a real, usable status — but it is not the same as "FedRAMP Authorized," and treating them as interchangeable is how you end up explaining a gap you didn't know you had.

I've walked this exact decision with shops standing up their first CUI environment. The good news is that the rule underneath it is simple, the tool to verify a vendor is public and free, and the two legitimate paths are easy to tell apart once someone lays them side by side. That's what this is.

What FedRAMP actually is

FedRAMP — the Federal Risk and Authorization Management Program — is the government's standardized way to assess, authorize, and continuously monitor cloud products and services. The idea is "do it once, use it many times": a cloud service provider (CSP) goes through one rigorous security review, earns an authorization, and agencies across the government can rely on that same authorization instead of each running their own audit.

A CSP that handles federal data generally has to go through FedRAMP. The program sorts services into three baselines based on the sensitivity of the data they hold, using the FIPS 199 impact levels: Low, Moderate, and High. Higher impact means more controls and a harder bar. For defense work involving CUI, the number that keeps coming up is Moderate — hold that thought, because it's the hinge of the whole DFARS connection.

Plain version FedRAMP is a security clearance for cloud software. A provider earns it once, at a specific impact level, and that authorization is what tells a federal customer the service is safe to put government data into. The three levels — Low, Moderate, High — scale with how sensitive the data is.

The CMMC connection: DFARS 252.204-7012

CMMC verifies that you meet the 110 controls across 14 families in NIST SP 800-171. But CMMC doesn't live alone. It sits on top of the DFARS safeguarding clause, 252.204-7012, which is the rule that first put "protect covered defense information" into your contracts — and, critically, the rule that governs what happens when you push that data into someone else's cloud.

The clause is direct about it. When you use an external Cloud Service Provider to store, process, or transmit covered defense information (which includes CUI), that CSP must meet security requirements equivalent to the FedRAMP Moderate baseline. That single requirement is why a cloud tool's FedRAMP status is your business, not just the vendor's. If the tool holds CUI and can't meet FedRAMP Moderate — by authorization or by a recognized equivalency — then using it puts you out of step with DFARS 7012, and that surfaces in your CMMC assessment.

The line that trips people DFARS 7012 says "equivalent to FedRAMP Moderate," not "must be FedRAMP Authorized." That wording is deliberate, and it's what makes the equivalency path legitimate. But "equivalent" has a real, evidence-backed meaning — it is not a phrase a vendor gets to award itself in a brochure.

So map it cleanly in your head. CMMC Level 2 is the 800-171 controls you implement inside your boundary. DFARS 7012 is the clause that extends "protect CUI" out to your cloud vendors and sets FedRAMP Moderate as the bar they have to clear. Your job during scoping is to inventory every cloud service that touches CUI and confirm each one clears that bar the right way.

How to check a vendor on the Marketplace

You don't have to take anyone's word for a FedRAMP claim. The government publishes the authoritative list: the FedRAMP Marketplace at marketplace.fedramp.gov. If a product is genuinely FedRAMP Authorized, it appears there with its status and impact level. This is the tool you use to separate a real authorization from a marketing badge.

  1. Go to the FedRAMP Marketplace.Open marketplace.fedramp.gov. It's public, free, and no login is needed to search products.
  2. Search the exact product name.Vendors often authorize a specific offering — frequently a "government" edition — not their whole catalog. Search the precise product a rep is selling you, not just the company name, so you're reading the status of the thing you'll actually deploy.
  3. Read the status and impact level.Look for "FedRAMP Authorized," and note whether it's Low, Moderate, or High. You'll also see "In Process" (pursuing authorization, not there yet) and "FedRAMP Ready" (assessed as ready to begin, still not authorized). Only "Authorized" is a finished authorization.
  4. If it's not listed, ask the right question.Not on the Marketplace doesn't automatically disqualify a tool. Ask the vendor for a FedRAMP Moderate equivalency body of evidence for DFARS 7012 — and get the documentation, not a verbal yes.
The honest caveat A product can meet DFARS 7012 without appearing on the Marketplace, if it has a valid FedRAMP Moderate equivalency. That's a legitimate path — it's exactly the situation for one of the most common CUI email tools small contractors use. So "I didn't find it on the Marketplace" is the start of the question, not the end of it. What you're verifying is that the tool clears FedRAMP Moderate one way or the other, and that you can prove it.

Authorized vs Equivalent, side by side

Two different statuses can both satisfy DFARS 7012's Moderate bar. They are not the same thing, and the difference matters when you write your SSP and when an assessor reads it.

Path A

FedRAMP Authorized

  • A formal FedRAMP authorization (an ATO) granted through the program.
  • Listed publicly on the FedRAMP Marketplace with an impact level and date.
  • Verifiable by anyone in about two minutes — you search and read the status.
  • The cleanest possible answer to "does this cloud tool clear the bar?"
Path B

FedRAMP Moderate Equivalent

  • A DoD-recognized determination that a CSP meets the FedRAMP Moderate control set.
  • Used to satisfy DFARS 7012 when a product is not formally on the Marketplace.
  • Backed by a body of evidence and third-party/assessor validation of the controls.
  • Real and usable — but not "FedRAMP Authorized," and never to be labeled that way.
FedRAMP AuthorizedFedRAMP Moderate Equivalent
What it isFormal government authorization (ATO)DoD-recognized determination it meets Moderate controls
On the Marketplace?Yes — that's where you verify itNot necessarily; often not listed
Satisfies DFARS 7012?YesYes, when the equivalency is valid and documented
How you prove itMarketplace listing + impact levelBody of evidence + assessor validation you keep on file
Can you call it "Authorized"?YesNo — that would be inaccurate

The practical takeaway: if a tool is Authorized, verifying it is a two-minute Marketplace search and your SSP cites the listing. If a tool is Equivalent, you carry the burden of proof — you keep the equivalency documentation with your compliance package and be ready to hand it to your assessor. Both are defensible. Only one is self-service to verify.

Two real examples: Keeper and PreVeil

Abstractions get slippery, so here are two tools small contractors actually use, each labeled exactly as its status warrants. One took Path A. The other took Path B. Both are legitimate; the labels are not interchangeable.

Keeper Security (Keeper Security Government Cloud)

Path A · Authorized

The credential-vault example of a genuinely FedRAMP Authorized product. Keeper Security Government Cloud has held a FedRAMP authorization since 2022 — Moderate then, now at the High baseline — and it's FIPS 140-3 validated. Because it's authorized, you don't have to trust a claim: search it on the FedRAMP Marketplace and read the status yourself. For a shop that wants its password and secrets management to be an easy, verifiable "yes" in the SSP, this is what that looks like.

FedRAMP AuthorizedHigh baselineFIPS 140-3On the Marketplace
Learn more about Keeper →

PreVeil (Encrypted Email & Files)

Path B · Equivalent

The go-to example of the FedRAMP Moderate Equivalent path many small contractors take for CUI email and file sharing. PreVeil is DoD-recognized as meeting 100% of the FedRAMP Moderate controls and is FIPS 140-3 certified — but it is not formally FedRAMP Authorized and does not appear on the Marketplace. That's the point: it's a real, documented equivalency you use to satisfy DFARS 7012 without a Marketplace listing. Deploy it and keep its equivalency evidence with your package. Just never write "FedRAMP Authorized" next to it — the accurate label is Moderate Equivalent, and that distinction is exactly the kind of thing an assessor notices.

FedRAMP Moderate Equivalent100% Moderate controlsFIPS 140-3Not on the Marketplace
Learn more about PreVeil →

There's a third path worth naming: Microsoft GCC High, which is FedRAMP High and is the other common route contractors take for a full CUI-capable productivity and email environment. It's a heavier lift and a bigger commitment than a single encrypted-email tool, but for shops that want their whole Microsoft 365 stack inside a compliant boundary, it's the standard answer.

Before you write a word in your SSP Match each cloud tool to its true FedRAMP status and cite how you verified it. Authorized products get the Marketplace listing. Equivalent products get the equivalency evidence on file. If your SSP calls an Equivalent product "Authorized," you've written something an assessor can disprove in one search — and a document that misstates a control is worse than one that states a modest truth plainly.

None of this replaces the assessment. Verifying vendor status, keeping the equivalency evidence, and mapping it into your SSP is audit-ready preparation — it makes the cloud portion of your assessment fast and defensible. It is not a substitute for the C3PAO audit itself, and no tool's badge certifies your company. Your assessor makes that call.

Skip the guesswork

You've verified the vendors. Now document it.

Confirming a cloud tool's FedRAMP status is one line item. Turning that — plus the other 109 controls — into an SSP an assessor accepts is the real work. The CMMC Level 2 DIY Compliance Kit gives you the System Security Plan, the 20 required policies, a POA&M template, and the per-control SPRS scorer, built for a small shop doing this itself.

$2,995
one-time · lifetime updates · a fraction of a consultant's retainer
Audit-ready preparation for a fraction of consultant fees — not a substitute for your C3PAO assessment. Not legal advice.
Sources — verify it yourself
  • FedRAMP program overview and baselines — fedramp.gov
  • The authoritative list of authorized cloud products and their status — marketplace.fedramp.gov
  • DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (cloud equivalency to FedRAMP Moderate) — acquisition.gov

Frequently asked questions

Does my cloud tool have to be FedRAMP Authorized for CMMC?

Not necessarily. DFARS 252.204-7012 requires that a cloud service provider storing, processing, or transmitting your CUI meet security requirements equivalent to the FedRAMP Moderate baseline. A formal FedRAMP Authorization on the Marketplace satisfies that cleanly, but a DoD-recognized FedRAMP Moderate equivalency can also meet the requirement. What you cannot do is use a cloud tool with neither and assume it counts.

Is FedRAMP Equivalent good enough for CUI?

It can be, when the equivalency is real. FedRAMP Moderate Equivalent means the provider meets the FedRAMP Moderate control set and has a body of evidence to prove it, validated to DoD's expectations. That is different from a vendor simply claiming to be "FedRAMP aligned" in marketing copy. Get the equivalency documentation, keep it with your SSP, and be ready to show your assessor exactly why the tool satisfies DFARS 7012.

How do I verify a vendor is actually FedRAMP Authorized?

Go to the FedRAMP Marketplace at marketplace.fedramp.gov, search the exact product name, and read its status. Authorized products list an authorization date and impact level (Low, Moderate, or High). If a product is genuinely FedRAMP Authorized, it appears there. Do not take a sales rep's word or a logo on a website as proof.

What's the difference between FedRAMP Authorized and FedRAMP Moderate Equivalent?

FedRAMP Authorized is a formal government authorization to operate (ATO) listed publicly on the FedRAMP Marketplace. FedRAMP Moderate Equivalent is a DoD-recognized determination that a cloud service provider meets the FedRAMP Moderate baseline controls, used to satisfy DFARS 7012 when a product is not formally on the Marketplace. They are not the same thing, and a provider that is only Equivalent should never be described as FedRAMP Authorized.

Where does FedRAMP sit inside CMMC and DFARS?

CMMC Level 2 verifies you meet the 110 controls in NIST SP 800-171. DFARS 252.204-7012 is the safeguarding clause that also governs cloud: when an external CSP handles your covered defense information, that CSP must meet FedRAMP Moderate (or equivalent) security. So your cloud vendor's FedRAMP posture is not a side issue — it's a requirement your assessor will trace straight into your System Security Plan.

When does CMMC Level 2 third-party certification kick in?

November 10, 2026 starts Phase 2, when Level 2 C3PAO third-party certification becomes a required condition of award on applicable DoD contracts. The cloud-equivalency requirement in DFARS 7012 is already in force today, so sorting out your CUI cloud tools shouldn't wait for the Phase 2 date — it's part of the groundwork you do now.