April 30, 2026

    FedRAMP Authorized vs. FedRAMP Equivalent: Why Defense Contractors Need the Cleaner Evidence Path

    The Question Is No Longer Just “Is This Secure?”

    For defense contractors handling Controlled Unclassified Information, the cloud security conversation has changed.

    A few years ago, many buyers were mainly asking whether a vendor had strong controls, encryption, audit logging, access restrictions, and a credible security program that could account for NIST SP 800-171 rev 2. Don’t get me wrong -- those things are still relevant (it’s why Sharetru has a NIST SP 800-171 SRM broken down at the objective level). But today, the more important question is whether the vendor’s cloud service (CSP) can be defended during a prime contractor review, CMMC assessment, DIBCAC review, or contract compliance audit.

    That is where the distinction between FedRAMP Authorized and FedRAMP Equivalent matters.

    FedRAMP Equivalent may sound close to FedRAMP Authorized, but the two are not the same. One is a formal FedRAMP designation. The other is a DoD-recognized pathway that may be available under certain circumstances, but it creates a different evidence burden for the contractor using the service.

    For subcontractors, that distinction is becoming more than a technicality. In the market, we increasingly see DoD primes pushing their subcontractors toward cloud products that are plainly FedRAMP Authorized, not merely described as equivalent. The reason is practical: authorized products are easier to verify, easier to flow down, and easier to defend when someone asks, “Show me the evidence.”

    What “FedRAMP Equivalent” Does and Does Not Mean

    FedRAMP Equivalent is not a FedRAMP Marketplace status. FedRAMP defines three Marketplace designations for cloud service offerings: FedRAMP Ready, FedRAMP In Process, and FedRAMP Authorized. FedRAMP also states that terms such as “FedRAMP Compliant” or “FedRAMP Equivalent” are not certified by FedRAMP and do not meet the legal definition of a FedRAMP authorization.

    That does not mean FedRAMP Moderate Equivalency is meaningless. Under DoD policy and CMMC (32 CFR 170) scoping rules, a cloud service provider used to process, store, or transmit CUI may be either FedRAMP Authorized at the Moderate baseline or higher, or it may meet security requirements equivalent to the FedRAMP Moderate baseline in accordance with DoD policy.

    The important distinction is that these are not interchangeable:

    • FedRAMP Authorized means the cloud service offering has completed the FedRAMP authorization process and appears in the FedRAMP Marketplace.
    • FedRAMP Moderate Equivalent means the service is not FedRAMP Authorized, but may be able to demonstrate that it meets the FedRAMP Moderate baseline through the DoD-defined equivalency process.
    • Marketing-only equivalency means the vendor is using “equivalent,” “compliant,” or “government-grade” language without the formal evidence required to support that claim. Many times, these businesses do not understand CMMC and believe they are CMMC compliant because they operate on FedRAMP Authorized IaaS and PaaS, even though they have no formal SaaS-layer assessment.

    Those are three very different categories, and buyers should not evaluate them as if they create the same level of assurance.

    Why Equivalency Creates More Work for the Contractor

    The DoD’s own guidance makes clear that FedRAMP Moderate Equivalency is not a casual self-attestation. It involves defined roles and evidence expectations. The DIB contractor must ensure the cloud service offering meets FedRAMP Moderate equivalent requirements and complies with DFARS 252.204-7012. A Third Party Assessment Organization validates the Body of Evidence. If the contractor uses a FedRAMP Moderate Equivalent cloud service offering, the contractor must provide a Customer Responsibility Matrix to DIBCAC and C3PAO assessors to support the assessment.

    That is a very different burden than pointing to a FedRAMP Marketplace listing.

    Public commentary from FedRAMP 3PAO and CMMC C3PAO professionals has reinforced the same point. A service does not become FedRAMP Moderate Equivalent simply because it is hosted in a FedRAMP Authorized cloud, because it aligns to the FedRAMP Moderate baseline, or because the vendor promises that it meets the requirements. The defined path requires a 3PAO assessment, 100% compliance, no POA&Ms from the assessment, and a Body of Evidence.

    Schellman, a FedRAMP 3PAO, summarizes the DoD equivalency path similarly:

    “A cloud service offering must achieve 100% compliance with the latest FedRAMP Moderate baseline, have that compliance assessed by a FedRAMP-recognized 3PAO, and present the Body of Evidence to the contractor.” Schellman also notes that this is challenging because the DoD expects full implementation of the FedRAMP Moderate controls with zero control findings from the 3PAO assessment.

    That does not make equivalency useless. It makes it harder to rely on casually.

    The Market Reality: Primes Want Cleaner Evidence

    The regulatory path and the procurement path are not always the same thing.

    A contractor may be able to use a FedRAMP Moderate Equivalent service under DoD policy if the evidence is complete, current, and accepted in the relevant assessment context. But that does not mean a prime contractor, contracting officer, or supplier security team will treat equivalency the same way they treat authorization.

    In real supplier reviews, the cleanest answer is often the one with the least interpretation required.

    If a prime asks, “Is this cloud service FedRAMP Authorized?” a Marketplace-listed authorized service is easier to verify. The buyer can identify the cloud service offering, the package ID, the authorization status, the impact level, and the scope of the authorized boundary.

    If the answer is “It is FedRAMP Equivalent,” the next questions are harder:

    • Has a FedRAMP-recognized 3PAO assessed the specific cloud service offering?
    • Is there a complete Body of Evidence?
    • Does the Customer Responsibility Matrix clearly show which controls are inherited and which remain with the contractor?
    • Will the prime accept the equivalency package?
    • Will the C3PAO or DIBCAC reviewer agree with the scope?
    • Does the contract require FedRAMP Authorized, or does it allow equivalent?
    • Is the equivalency package current, or was it assessed against an older baseline?
    • Does the evidence cover the exact service, environment, and use case that will handle CUI?

    That is why equivalency may not be the best long-term procurement posture for subcontractors who need to reduce friction with primes. Even when equivalency is legitimate, it can still be harder to explain, harder to verify, and harder to defend.

    “Hosted on FedRAMP” Is Not Enough

    One of the most common sources of confusion is the belief that a SaaS product becomes FedRAMP Authorized because it runs on FedRAMP Authorized infrastructure.

    FedRAMP directly addresses this. Using a FedRAMP Authorized Infrastructure-as-a-Service environment does not automatically make a SaaS or PaaS service FedRAMP compliant.

    Each layer — IaaS, PaaS, and SaaS — must be evaluated on its own and become FedRAMP Authorized (appear in the FedRAMP marketplace). A software product may inherit controls from the authorized infrastructure beneath it, but inherited controls are not the same thing as authorization of the application layer.

    This distinction matters for defense contractors evaluating file sharing, managed file transfer, collaboration, ERP, ticketing, and other cloud-based systems that may touch CUI.

    The question is not simply: “Where is the software hosted?”

    The better question is: “Is the specific cloud service offering we intend to use covered by the authorized boundary or supported by a valid DoD-recognized equivalency package?”

    That is the question primes and assessors are increasingly asking.

    Why This Matters for File Sharing and Managed File Transfer

    File sharing and managed file transfer platforms sit directly in the path of sensitive information.

    They are often used to exchange technical data, drawings, specifications, supplier documents, quality records, contract files, and other information that may qualify as CUI. They also frequently involve external users, guest access, links, protocol-based transfers, automation, and cross-organization workflows.

    That makes the authorization posture of the file transfer platform especially important.

    If a contractor uses a cloud-based file sharing or MFT service to process, store, or transmit CUI, that service becomes part of the contractor’s compliance story. It may be reviewed during a CMMC assessment. It may be questioned by a prime. It may appear in supplier security documentation. It may need to be explained in a System Security Plan or customer responsibility model.

    In that environment, vague vendor language is not enough.

    A vendor saying “we meet FedRAMP-level controls” is not the same as a vendor showing that the specific service is FedRAMP Authorized or that it has completed the DoD-defined FedRAMP Moderate Equivalency path.

    Questions to Ask Any Vendor Claiming FedRAMP Alignment

    Before accepting a vendor’s FedRAMP claim, ask for the evidence behind it. Start with these questions:

    What is the exact FedRAMP Marketplace listing, package ID, and authorization status that applies to the service we will use?

    Do not rely only on the vendor’s company name or logo. Some services operate within a broader authorized cloud service offering. The important question is whether the specific service and deployment model are covered by the authorized boundary and listed within the service boundary.

    Is the service FedRAMP Authorized, FedRAMP Ready, FedRAMP In Process, or FedRAMP Moderate Equivalent?

    These are not interchangeable. FedRAMP Ready and FedRAMP In Process are not the same as FedRAMP Authorized. FedRAMP Equivalent is not a FedRAMP Marketplace designation.

    Does the authorized boundary cover the SaaS application layer, or only the underlying infrastructure?

    A SaaS product does not become FedRAMP Authorized merely because it runs on authorized infrastructure. The application layer must be evaluated in scope.

    If the vendor claims equivalency, has a FedRAMP-recognized 3PAO assessed the specific cloud service offering?

    DoD-recognized equivalency requires more than internal control mapping or a security questionnaire.

    Can the vendor provide the Body of Evidence and Customer Responsibility Matrix needed for assessment review?

    If the vendor cannot provide assessor-ready documentation, the contractor may inherit the burden of explaining a claim it cannot prove.

    Will your prime or contract accept equivalency, or does it require FedRAMP Authorized?

    This is the practical question many subcontractors miss. A valid equivalency pathway under DoD policy does not automatically mean every prime, solicitation, or supplier security team will accept it.


    How Sharetru Federal Fits

    Sharetru Federal is not asking customers to rely on a private FedRAMP Equivalency argument.

    The more accurate way to describe Sharetru’s authorization posture is this:

    Sharetru Federal operates as an authorized SaaS service within MIS Sciences Corporation’s GovPoint Cloud Services FedRAMP Moderate Authorized boundary. GovPoint Cloud Services is listed on the FedRAMP Marketplace as FedRAMP Authorized at the Moderate impact level under package ID F1311222650, and Sharetru Federal is in scope for their annual FedRAMP 3PAO audit.

    MIS Sciences describes GovPoint Cloud Services as a FedRAMP Moderate environment with a JAB P-ATO for IaaS, PaaS, and SaaS. MIS also identifies GovPoint’s FedRAMP package ID as F1311222650.

    That distinction is important.

    Sharetru should not be described as the standalone JAB ATO holder. The cleaner and more accurate description is that Sharetru Federal is an authorized SaaS service operating within a FedRAMP Moderate Authorized boundary, with a proper 3PAO assessment, Body of Evidence, Customer Responsibility Matrix, and ongoing documentation.

    But equivalency is not a Marketplace authorization. It is not a shortcut. It is not created by hosting software on FedRAMP Authorized infrastructure. And it may not satisfy a prime contractor or contract that specifically requires FedRAMP Authorized cloud services.

    For subcontractors in the Defense Industrial Base, the practical question is not just whether a vendor has strong security controls. The question is whether the vendor’s evidence can survive the review process.

    When your prime, assessor, or contracting officer asks how CUI is protected in your file sharing environment, the cleaner answer is the one with the least ambiguity.

    That is the case for FedRAMP Authorized products.

    And that is the case for Sharetru Federal: an authorized SaaS service operating within MIS Sciences Corporation’s GovPoint Cloud Services FedRAMP Moderate Authorized boundary for IaaS, PaaS, and SaaS.

    Tag(s): FedRAMP, CUI

    Derek Webb

    Derek has grown with Sharetru for more than two decades. Starting in the early days, he has been directly involved in designing, running, and hardening the Infrastructure systems behind the platform. He leads with a practical, operations-first mindset, focused on keeping critical systems reliable under real-world...