June 3, 2026

    How Sharetru Federal Fits Inside the FedRAMP Authorization Boundary: What You Need for Your Risk Assessment

    What's the FedRAMP Authorization Boundary for Sharetru Federal?

    If you're evaluating Sharetru Federal for CUI file sharing or working through a CMMC Level 2 assessment, there's a good chance someone on your team has asked us a question that goes something like this:

    "Can you send us an architecture diagram or deployment diagram showing how Sharetru Federal is hosted? We need to understand the FedRAMP boundary."

    It's a smart question, and the intent behind it is exactly right. You should understand where your data lives, how it's protected, and how that environment was evaluated. But we're going to tell you something that might seem counterintuitive: we won't share architecture diagrams or network-level documentation — and the reason why actually matters for your risk assessment.

    Why Serious Security Vendors Don't Share Architecture Details

    If a cloud vendor freely emails you their network diagrams and infrastructure documentation in response to a sales inquiry, that should give you pause — not confidence.

    Detailed architecture diagrams map out exactly how a system is built: network topology, segmentation boundaries, infrastructure components, and the relationships between them. That's precisely the information an attacker needs to plan a targeted intrusion. Organizations that handle sensitive government data treat this documentation as controlled information, with access limited to personnel who have a legitimate need — auditors, assessors, and agency partners through formal review processes — not as a sales attachment.

    This is why the FedRAMP program exists. Rather than requiring every government customer to independently evaluate a vendor's architecture, FedRAMP puts that assessment in the hands of an accredited Third Party Assessment Organization (3PAO) working under the FedRAMP PMO. The resulting authorization package — the System Security Plan, Security Assessment Report, and Plan of Action & Milestones — is held by the FedRAMP PMO and made available to federal agencies through a formal Package Access Request process. It doesn't get distributed as a PDF in a vendor's sales cycle, by design.

    You don't need our architecture diagram to complete your risk assessment. The FedRAMP Marketplace listing is the government-maintained, auditor-accepted reference — and it carries more weight than anything we could send you through Sharetru.

    What Actually Answers the Question

    Sharetru Federal operates as an authorized service within MIS Sciences Corporation's GovPoint Cloud Services FedRAMP Moderate JAB P-ATO boundary. The FedRAMP Package ID is F1311222650, and the listing is publicly verifiable at marketplace.fedramp.gov.

    When you search for “MIS Sciences” or “GovPoint” in the FedRAMP Marketplace, you'll find Sharetru listed as an authorized SaaS service within that boundary. That single listing tells your auditor, C3PAO, or prime contractor several things at once:

    • The environment has been assessed by an accredited Third Party Assessment Organization (3PAO)
    • The authorization covers IaaS, PaaS, and SaaS — not just the infrastructure underneath us
    • The authorization is maintained through annual continuous monitoring
    • Sharetru's application-layer controls are part of that assessment, not a self-attestation layered on top

    That last point is worth dwelling on.

    How Our Authorization Is Structured

    For those building an SSP or preparing assessment evidence, here's how the layers stack up:

    Infrastructure as a Service (IaaS) — Physical datacenter, hardware, networking, and hypervisor at a FedRAMP Moderate Authorized facility in Las Vegas, Nevada. A warm-standby disaster recovery site operates at the same authorization level.

    Platform as a Service (PaaS) — Virtualization, operating systems, middleware, and platform management within the GovPoint Cloud Services boundary managed by MIS Sciences Corporation. This layer includes inherited security tooling: IDS/IPS, next-generation antivirus, SIEM integration, vulnerability scanning, and patch management.

    Software as a Service (SaaS) — Sharetru Federal. This is the application layer — managed file transfer, SFTP/FTPS/FTPeS services, user management, access controls, audit logging, encryption enforcement, and all customer-facing functionality. Sharetru's own NIST 800-53 Rev. 5 SaaS-level controls are layered on top of the inherited IaaS and PaaS controls and are audited as part of the authorization.

    All three layers fall within the GovPoint FedRAMP Moderate JAB P-ATO boundary. When you use Sharetru Federal, you inherit controls across all three tiers.

     

    [Figure: FedRAMP authorization boundary]

    The Difference Between “Runs On FedRAMP Infrastructure” and “Is FedRAMP Authorized”

    This is one of the most common points of confusion in the market right now, and it has real consequences for your CMMC posture.

    Many file-sharing and SaaS vendors host their application on AWS GovCloud, Azure Government, or another FedRAMP Moderate authorized IaaS/PaaS. They then tell customers they meet FedRAMP or CMMC requirements because the infrastructure underneath them is authorized. What they're actually saying is that the compute, storage, and networking layers have been assessed — not their own software.

    The vendor's application code, access control logic, encryption implementation, session management, and audit logging? Those have never been reviewed by a 3PAO. The vendor is self-attesting to their SaaS-layer controls. When a C3PAO asks how those controls were independently validated, the honest answer is: they weren't.

    Sharetru Federal is different. Our software is within the authorization boundary and is assessed by a 3PAO as part of GovPoint Cloud Services' annual authorization cycle. That means Sharetru's application-level controls — authentication, role-based access, encryption enforcement, audit logging, incident response integration — are examined as part of that independent assessment. You're not relying on our word that we implemented them correctly.

    For a CISO or compliance director: when you're evaluating file-sharing vendors, ask specifically whether the vendor's software is within an authorization boundary and assessed by a 3PAO, or whether only the infrastructure underneath it has been authorized. The answer changes your risk posture, your SSP narrative, and what a C3PAO will accept during a CMMC Level 2 assessment.

    Key Technical Facts for Risk Assessments

    [Figure: key technical facts]

    What We Do Provide

    The FedRAMP Marketplace listing handles the authorization question. What we provide on top of that is a NIST SP 800-171 System Responsibility Matrix (SRM) that goes deeper than what most vendors offer.

    Most SRMs map responsibilities at the control level — telling you that a given control is “shared” or “inherited.” That's a start, but it leaves ambiguity about which specific parts of each control the vendor actually fulfills. Sharetru's SRM maps responsibility at the assessment objective level within each NIST SP 800-171 control. For every assessment objective, we identify whether it's Sharetru-provided, shared, or the OSC's responsibility — with a clear description of who owns what.

    When your compliance team is building an SSP, or when a C3PAO is reviewing your CMMC Level 2 evidence, that level of specificity removes the back-and-forth. You can trace each assessment objective directly back to either Sharetru's authorization or your own implementation.

    How to Reference Sharetru Federal in Your SSP

    If you're writing or updating an SSP, here's an example of language that you can use in your audit:

    "The organization utilizes Sharetru Federal, a FedRAMP Moderate Authorized secure file sharing and managed file transfer service, hosted within MIS Sciences' GovPoint Cloud Services (FedRAMP Package ID F1311222650), for the storage and transmission of CUI associated with DoD contracts. The ATO belongs to MIS Sciences Corporation and Sharetru has been audited and approved as an authorized SaaS service. The service enforces AES-256 encryption at rest; TLS 1.3 for HTTPS and FTPS connections; SFTP with FIPS-compliant KEX and ciphers; FIPS 140-3 validated cryptographic modules; multi-factor authentication; and detailed audit logging of file access and transfer events."

    The Bottom Line

    When someone asks for a network diagram, what they're really asking is: Can we trust that this environment was actually assessed, and can we prove it? The answer is yes — and the proof is the FedRAMP Marketplace listing, not a PDF we hand you.

    What you need for your risk assessment is the FedRAMP Package ID (F1311222650), the GovPoint Cloud Services listing at marketplace.fedramp.gov, and the SRM we provide to customers. Together, those give your auditor a clean, auditable, government-sourced evidence trail for where Sharetru Federal lives, what controls it inherits, and what remains your responsibility.

    If you're in the middle of a CMMC assessment or building out your SSP and want to talk through how to document Sharetru Federal, reach out — we can walk you through it directly, and if needed, coordinate with your assessment team. Additionally, you can visit our CUI and File Sharing FAQ to help with any questions your assessor may have.

    Tag(s): CMMC , FedRAMP , CUI

    Derek Webb

    Derek has grown with Sharetru for more than two decades. Starting in the early days, he has been directly involved in designing, running, and hardening the infrastructure systems behind the platform. He leads with a practical, operations-first mindset, focused on keeping critical systems reliable under real-world...
