CUI & Compliance FAQ

What Sharetru Is & Where It Fits

What does Sharetru actually do in plain English?

Sharetru is secure file transfer and file sharing for regulated data. It’s where you move and share the files that really matter—CUI, ITAR drawings, program data, sensitive engineering files—without dumping them into generic collaboration tools. We give you a FedRAMP Moderate Authorized environment, strong access controls, and audit trails so you can move those files and still sleep at night.

Which encryption algorithms and modules does Sharetru Federal use?

Sharetru Federal is built around modern, government-grade encryption end to end. For data at rest, we use AES-256. For data in transit, we use TLS 1.3 for all HTTPS connections. Under the hood, Sharetru Federal relies only on FIPS 140-3 cryptographic modules, and we upgraded our stack specifically to align with the latest federal requirements and help future-proof the platform. That means as encryption baselines tighten for FedRAMP, CMMC, and other frameworks, you’re not stuck asking whether your file-sharing platform needs a crypto refresh—we’ve already done the work.

Is Sharetru just another Box/OneDrive/SharePoint replacement?

No. Those tools are great for everyday internal documents and general collaboration. Sharetru is where the high-risk, high-scrutiny files go—CUI, ITAR, export-controlled drawings, contract deliverables, audit evidence, anything a prime or agency will care about. In most environments, we sit alongside your existing collaboration stack and handle the work that actually has compliance teeth.

Is Sharetru only for defense contractors and government work?

Defense, aerospace, and CUI/ITAR programs are a huge part of what we do, but they’re not the only use cases. The same FedRAMP-grade approach to file transfer and sharing is valuable in healthcare, financial services, critical infrastructure, and anywhere else the data is sensitive and regulators are paying attention. If a file would ruin your week if it leaked or was mishandled, that’s where Sharetru fits.

Compliance: CMMC, ITAR, FedRAMP & CUI

How do I find Sharetru in the FedRAMP Marketplace?

To locate Sharetru in the FedRAMP Marketplace, start at marketplace.fedramp.gov and use the search bar in the upper area of the page. If you type “Sharetru” into the search, you’ll see MIS Sciences Corporation – GovPoint Cloud Services appear in the results. Click on that GovPoint / MIS Sciences listing. On the product detail page, scroll down to the section that lists authorized services / service offerings and you’ll see Sharetru called out there as a secure file sharing and managed file transfer service operating inside the GovPoint FedRAMP Moderate JAB P-ATO boundary (IaaS/PaaS/SaaS). That’s the entry you can reference for auditors, primes, and C3PAOs when they ask where Sharetru lives in FedRAMP.

Is Sharetru really FedRAMP Moderate Authorized, or just “equivalent”?

Sharetru Federal runs as an authorized service at the IaaS, PaaS, and SaaS layers inside MIS Sciences Corporation’s GovPoint Cloud Solutions FedRAMP Moderate boundary (Package ID F1311222650). That means we’re not claiming “equivalency” or “we implemented the controls, trust us.” We operate inside a FedRAMP Moderate Authorized stack that’s been through the full 3PAO audit and government approval process.

How can Sharetru claim to be FedRAMP Moderate Authorized and usable for CMMC if it’s an “authorized service” inside MIS Sciences’ GovPoint environment?

FedRAMP cares about where the system actually lives, not whose logo is on the screen. Sharetru Federal runs fully inside MIS Sciences’ GovPoint Cloud Services environment, which holds a FedRAMP Moderate JAB P-ATO for IaaS, PaaS, and SaaS under Package ID F1311222650 in the FedRAMP Marketplace. Through MIS’s "Authorization as a Service" program, Sharetru Federal is brought into that boundary as a secure file sharing and managed file transfer service, inheriting GovPoint’s NIST 800-53 Rev. 5 controls and layering our own SaaS-level controls on top. This is why Sharetru Federal is carved out as an authorized service. For CMMC, the DoD has been clear: if your cloud service provider is FedRAMP Moderate Authorized and listed in the Marketplace, you don’t have to prove “FedRAMP equivalency” yourself—that burden only exists when the provider isn’t authorized. So when you use Sharetru Federal, you’re using a FedRAMP Moderate Authorized cloud service offering (via GovPoint’s package) that’s purpose-built for CUI and CMMC Advanced ("Level 2") use cases—the exact posture primes, C3PAOs, and contracting officers are looking for.

Can I use Sharetru to help with CMMC Level 2 and CUI file sharing?

Yes. We built Sharetru Federal specifically for organizations that have to move CUI and still be able to pass a real CMMC assessment. We help you:

• Put CUI into a FedRAMP Moderate Authorized environment

• Control who can access it and how it moves

• Log what happens to it, end-to-end

So your SSP, SPRS score, and C3PAO conversations don’t have to paper over gaps in your file transfer and file sharing story. We’re not your entire CMMC program—but we are a core part of how CUI moves.

How does Sharetru support primes, subs, and multi-organization programs?

Most of our customers don’t live in a single-tenant fantasy. You’ve got primes, subs, labs, and suppliers all touching the same data. Sharetru lets you:

• Segment sites, groups, and projects by program, customer, or contract

• Onboard external partners with only the access they need—no more, no less

• Apply consistent policies and logging across internal and external users

That gives you a cleaner story when you’re explaining supply chain risk and CUI handling to a prime, an agency, or an auditor.

Where is our data stored and who at Sharetru can access it?

Sharetru Federal is intentionally designed as a “FedRAMP+” environment. All customer file data in Sharetru Federal is stored only in U.S.-based datacenters, and the platform is operated only by U.S. persons under least-privilege access controls. That combination—FedRAMP Moderate Authorization plus U.S.-only infrastructure and U.S.-person support—lets you align not just to FedRAMP expectations, but also to ITAR and export-control expectations around where data resides and who can touch it. On top of that, we enforce AES-256 encryption at rest, TLS 1.3 in transit, and FIPS 140-3 crypto modules. The short version: your sensitive files stay in the U.S., operated by U.S. personnel, in an environment built to meet FedRAMP and ITAR requirements—not a generic “global” cloud.

How Sharetru Fits Different Government Contract Types

Can we use Sharetru to meet contract requirements that call for FedRAMP Moderate Authorized cloud services?

Yes. Sharetru Federal runs entirely inside MIS Sciences’ GovPoint Cloud Services FedRAMP Moderate JAB P-ATO boundary (Package ID F1311222650). Practically, that means when a contract or prime says “use a FedRAMP Moderate Authorized CSP for CUI,” your Sharetru usage can be tied directly to a FedRAMP-listed package in the FedRAMP Marketplace rather than a vague “equivalent” claim.

Will Sharetru give us its FedRAMP security package? What proof do we have that you’re authorized?

Sharetru appearing in the FedRAMP Marketplace is your official proof. The full FedRAMP security authorization package (the “Body of Evidence” – SSP, SAR, POA&M, etc.) for GovPoint is controlled by the FedRAMP PMO and is only released to government agencies through the official FedRAMP Package Access Request process—not emailed around as a sales attachment. Agencies with a .gov or .mil address can request that package directly from FedRAMP using the GovPoint package ID (F1311222650) for their own ATO and reuse.

Will Sharetru Give us a NIST SP 800-171 SRM?

Yes, to customers we provide a NIST SP 800-171 System Responsibility Matrix (SRM) that maps which controls you inherit from Sharetru Federal (via GovPoint’s FedRAMP authorization) and which remain your responsibility. You can attach that SRM—and a reference to the FedRAMP Marketplace listing for GovPoint—to your SSP and CMMC evidence. That gives your C3PAO or prime a clean, defensible story without us trying to sidestep FedRAMP’s rules on who can see the full package.

How does Sharetru help with DoD contracts that include CMMC Level 2 (DFARS 252.204-7021)?

For CMMC Level 2, the big questions are: Where does your CUI live? and How does it move? Sharetru Federal gives you a FedRAMP Moderate Authorized environment for both file transfer and file sharing, with AES-256 at rest, TLS 1.3 in transit, FIPS 140-3 crypto modules, and full audit logging. That lets you point to a single, defensible system for moving CUI tied to DFARS 252.204-7021 contracts instead of trying to justify a patchwork of ad-hoc tools in your SSP and SPRS score.

We’re a Tier 2 or Tier 3 subcontractor—how does Sharetru help with flow-down requirements from our prime?

Primes increasingly expect subs to use FedRAMP Moderate Authorized platforms for CUI and ITAR data. When you use Sharetru Federal, you can tell your prime: “Our CUI file sharing and file transfer runs in a FedRAMP Moderate Authorized environment (via MIS Sciences’ GovPoint FedRAMP package) with full audit trails and access controls.” That gives them a clear, supply-chain-friendly story for their own CMMC and DFARS obligations and reduces the chances your tooling becomes the reason they see you as a risk.

How does Sharetru support contracts that include DFARS 252.204-7012 (safeguarding CUI and incident reporting)?

DFARS 252.204-7012 expects you to protect CUI in non-federal systems and to have a realistic incident response story. Sharetru Federal helps on the file side of that requirement by keeping CUI in a FedRAMP Moderate Authorized boundary, enforcing strong access controls, and recording detailed logs of file access, uploads, downloads, and sharing events. Those logs and integrations with your SIEM give you concrete evidence if you ever need to investigate or report a suspected incident involving files.

We have both FCI and CUI across multiple contracts—how do we scope Sharetru correctly?

Most customers carve Sharetru up by program, contract, or customer. You can use separate sites, groups, and folder structures to keep FCI-only work separate from CUI-heavy contracts, and apply stricter controls (MFA, link rules, retention, logging) where CUI is involved. That makes it much easier for a C3PAO or prime to see which contracts rely on Sharetru, how access is granted, and where the CUI boundary starts and stops.

Can we use Sharetru for ITAR technical data and export-controlled drawings?

Yes—this is a big part of why many aerospace and defense customers use Sharetru. Sharetru Federal is effectively a “FedRAMP+” environment: it’s FedRAMP Moderate Authorized and we only store files in U.S. datacenters and only employ U.S. persons to operate the platform, which aligns with ITAR expectations on top of the FedRAMP requirements. That gives you a tightly scoped space where ITAR-controlled technical data and export-controlled drawings can be shared with authorized domestic parties only, using strong authentication, logging, and role-based access. You still need to define and enforce your own ITAR policies and screening, but Sharetru gives you a single, controlled file-exchange layer to apply those rules—instead of letting export-controlled files float through email, unmanaged SFTP boxes, or generic cloud drives.

Example Language a C3PAO Might Use to Reference Sharetru

SSP / System Description Snippet

“The Organization Seeking Certification (OSC) utilizes Sharetru Federal, a FedRAMP Moderate Authorized secure file sharing and managed file transfer service, hosted within MIS Sciences’ GovPoint Cloud Services (FedRAMP package ID F1311222650), to store and transmit CUI associated with DoD contracts [list contract numbers]. All external file exchange of CUI between the OSC, prime contractors, subcontractors, and government program offices is required to occur through Sharetru Federal. The service enforces AES-256 encryption at rest, TLS 1.3 in transit, FIPS 140-3 validated cryptographic modules, multi-factor authentication, and detailed audit logging of file access and transfer events.”

Assessment Observation for a Control (e.g., SC.L2-3.13.x / SC-series)

"For CUI transmitted to and from external partners, the OSC uses Sharetru Federal as the primary secure file transfer solution. Sharetru Federal operates within a FedRAMP Moderate Authorized boundary (GovPoint Cloud Services, JAB P-ATO, Package ID F1311222650). The assessor verified that data in transit is protected using TLS 1.3 and data at rest is protected using AES-256 leveraging FIPS 140-3 validated modules. Access to CUI repositories is restricted via role-based permissions, and the platform generates detailed logs of user logon, file upload, download, and link-sharing events, which are retained in accordance with the OSC’s logging policy."

Assessment Narrative on Use of External Cloud Service Providers

"The OSC relies on Sharetru Federal as its sole external cloud service provider for storage and transfer of CUI related to DoD contracts. Sharetru Federal is an authorized service operating within MIS Sciences’ FedRAMP Moderate JAB P-ATO boundary and is listed in the FedRAMP Marketplace under GovPoint Cloud Services. As a result, the OSC is not required to independently demonstrate FedRAMP equivalency for this provider. The use of Sharetru Federal, combined with the OSC’s policies and procedures for provisioning, monitoring, and de-provisioning user accounts, supports compliance with CMMC Level 2 practices related to use of external cloud services."

Evidence Summary / Risk Commentary Example

"Based on interviews, documentation review, and technical verification, the assessor determined that the OSC’s use of Sharetru Federal for CUI file exchange materially reduces the risk of CUI being transmitted through uncontrolled channels (e.g., email, consumer file-sharing services, unmanaged SFTP servers). The platform’s FedRAMP Moderate authorization, FIPS-validated cryptography, and comprehensive audit logging provide a defensible control environment aligned with NIST SP 800-171 requirements for protecting CUI in transit and at rest."