What Sharetru Is & Where It Fits
What does Sharetru actually do in plain English?
Sharetru is secure file transfer and file sharing for regulated data. It’s where you move and share the files that really matter—CUI, ITAR drawings, program data, sensitive engineering files—without dumping them into generic collaboration tools. We give you a FedRAMP Moderate Authorized environment, strong access controls, and audit trails so you can move those files and still sleep at night.
Which encryption algorithms and modules does Sharetru Federal use?
Sharetru Federal is built around modern, government-grade encryption end to end. For data at rest, we use AES-256. For data in transit, we use TLS 1.3 for all HTTPS connections. Under the hood, Sharetru Federal relies only on FIPS 140-3 cryptographic modules, and we upgraded our stack specifically to align with the latest federal requirements and help future-proof the platform. That means as encryption baselines tighten for FedRAMP, CMMC, and other frameworks, you’re not stuck asking whether your file-sharing platform needs a crypto refresh—we’ve already done the work.
Is Sharetru just another Box/OneDrive/SharePoint replacement?
No. Those tools are great for everyday internal documents and general collaboration. Sharetru is where the high-risk, high-scrutiny files go—CUI, ITAR, export-controlled drawings, contract deliverables, audit evidence, anything a prime or agency will care about. In most environments, we sit alongside your existing collaboration stack and handle the work that actually has compliance teeth.
Is Sharetru only for defense contractors and government work?
Defense, aerospace, and CUI/ITAR programs are a huge part of what we do, but they’re not the only use cases. The same FedRAMP-grade approach to file transfer and sharing is valuable in healthcare, financial services, critical infrastructure, and anywhere else the data is sensitive and regulators are paying attention. If a file would ruin your week if it leaked or was mishandled, that’s where Sharetru fits.
Compliance: CMMC, ITAR, FedRAMP & CUI
How do I find Sharetru in the FedRAMP Marketplace?
To locate Sharetru in the FedRAMP Marketplace, start at marketplace.fedramp.gov and use the search bar in the upper area of the page. If you type “Sharetru” into the search, you’ll see MIS Sciences Corporation – GovPoint Cloud Services appear in the results. Click on that GovPoint / MIS Sciences listing. On the product detail page, scroll down to the section that lists authorized services / service offerings and you’ll see Sharetru called out there as a secure file sharing and managed file transfer service operating inside the GovPoint FedRAMP Moderate JAB P-ATO boundary (IaaS/PaaS/SaaS). That’s the entry you can reference for auditors, primes, and C3PAOs when they ask where Sharetru lives in FedRAMP.
Is Sharetru really FedRAMP Moderate Authorized, or just “equivalent”?
To put it plainly: Sharetru Federal isn't a SaaS application that happens to be hosted on FedRAMP authorized infrastructure while self-attesting its own controls. Our software operates within the FedRAMP authorization boundary at the SaaS layer and is assessed by a 3PAO as part of GovPoint's annual continuous monitoring cycle. When a C3PAO or prime asks how your file-sharing platform's security controls were validated, you can point to an actual FedRAMP authorization that covers IaaS, PaaS, and SaaS — not an infrastructure certificate with a self-attestation on top.
A vendor told us their platform "meets CMMC" because it runs on a FedRAMP Moderate Authorized IaaS/PaaS. Is that the same as what Sharetru does?
No — and this is one of the most common points of confusion in the market right now. Many file-sharing and SaaS vendors host their application on top of an IaaS or PaaS provider that holds a FedRAMP Moderate authorization (e.g., AWS GovCloud, Azure Government). They then tell customers, "We run on FedRAMP Moderate infrastructure, so we meet CMMC requirements." What they're actually saying is that the infrastructure underneath them has been assessed — not their own software.
Here's the distinction that matters:
- Running on a FedRAMP authorized IaaS/PaaS means the compute, storage, and networking layers have been assessed and authorized. The vendor's own application code, access control logic, encryption implementation, logging, session management, and SaaS-layer controls have not been reviewed by any 3PAO or authorization body. The vendor is making a self-attestation about their own software layer. When a C3PAO asks how those SaaS-level controls were validated, the answer is "we implemented them ourselves" — there's rarely an independent assessment to point to.
- Running within a FedRAMP authorization boundary at IaaS, PaaS, and SaaS — which is how Sharetru Federal operates — means the application itself has been brought into scope of the authorization. Sharetru Federal operates as an authorized service within MIS Sciences Corporation's GovPoint Cloud Services FedRAMP Moderate JAB P-ATO (Package ID F1311222650), which covers IaaS, PaaS, and SaaS. That means Sharetru's application-layer controls — authentication, access control, encryption implementation, audit logging, session management, data handling — are part of the authorization boundary and subject to 3PAO assessment. We're not just inheriting infrastructure controls and self-attesting the rest.
For a CISO or compliance director evaluating vendors: ask whether the vendor's software is within the authorization boundary and assessed by a 3PAO, or whether only the infrastructure underneath it has been authorized. The answer changes your risk posture, your SSP narrative, and what a C3PAO will accept during a CMMC Level 2 assessment.
Is Sharetru's software actually assessed by a 3PAO, or are you relying on the underlying infrastructure's authorization?
Sharetru Federal is directly in scope for 3PAO assessment as part of GovPoint Cloud Services' FedRAMP Moderate authorization.
What that means in practice: when GovPoint Cloud Services undergoes its annual 3PAO assessment for continuous monitoring and reauthorization, Sharetru Federal is included in that assessment as an authorized service operating within the boundary. The 3PAO evaluates Sharetru's SaaS-layer NIST 800-53 Rev. 5 controls — not just the IaaS and PaaS controls underneath us. Our application-level security controls, including access control enforcement, encryption implementation, audit logging, incident response integration, and configuration management, are examined as part of that annual assessment cycle.
This is fundamentally different from a vendor that hosts on a FedRAMP authorized IaaS/PaaS but whose own application has never been reviewed by a 3PAO. In that model, the vendor self-attests to their SaaS-layer controls and there is no independent third-party validation of the software your CUI actually touches.
For C3PAOs conducting a CMMC Level 2 assessment: Sharetru Federal's inclusion in a FedRAMP Moderate JAB P-ATO boundary means the OSC's use of Sharetru for CUI file transfer and sharing is backed by an independently assessed authorization — not a self-certification layered on top of someone else's infrastructure approval. The FedRAMP Marketplace listing for GovPoint Cloud Services (Package ID F1311222650) under MIS Sciences Corporation confirms Sharetru as an authorized service within the boundary.
Can I use Sharetru to help with CMMC Level 2 and CUI file sharing?
Yes. We built Sharetru Federal specifically for organizations that have to move CUI and still be able to pass a real CMMC assessment. We help you:
- Put CUI into a FedRAMP Moderate Authorized environment
- Control who can access it and how it moves
- Log what happens to it, end-to-end
So your SSP, SPRS score, and C3PAO conversations don’t have to paper over gaps in your file transfer and file sharing story. We’re not your entire CMMC program—but we are a core part of how CUI moves.
How does Sharetru support primes, subs, and multi-organization programs?
Most of our customers don’t live in a single-tenant fantasy. You’ve got primes, subs, labs, and suppliers all touching the same data. Sharetru lets you:
- Segment sites, groups, and projects by program, customer, or contract
- Onboard external partners with only the access they need—no more, no less
- Apply consistent policies and logging across internal and external users
That gives you a cleaner story when you’re explaining supply chain risk and CUI handling to a prime, an agency, or an auditor.
Where is our data stored and who at Sharetru can access it?
Sharetru Federal is intentionally designed as a “FedRAMP+” environment. All customer file data in Sharetru Federal is stored only in U.S.-based datacenters, and the platform is operated only by U.S. persons under least-privilege access controls. That combination—FedRAMP Moderate Authorization plus U.S.-only infrastructure and U.S.-person support—lets you align not just to FedRAMP expectations, but also to ITAR and export-control expectations around where data resides and who can touch it. On top of that, we enforce AES-256 encryption at rest, TLS 1.3 in transit, and FIPS 140-3 crypto modules. The short version: your sensitive files stay in the U.S., operated by U.S. personnel, in an environment built to meet FedRAMP and ITAR requirements—not a generic “global” cloud.
How Sharetru Fits Different Government Contract Types
Can we use Sharetru to meet contract requirements that call for FedRAMP Moderate Authorized cloud services?
Yes. Sharetru Federal runs entirely inside MIS Sciences’ GovPoint Cloud Services FedRAMP Moderate JAB P-ATO boundary (Package ID F1311222650). Practically, that means when a contract or prime says “use a FedRAMP Moderate Authorized CSP for CUI,” your Sharetru usage can be tied directly to a FedRAMP-listed package in the FedRAMP Marketplace rather than a vague “equivalent” claim.
Will Sharetru give us its FedRAMP security package? What proof do we have that you’re authorized?
Sharetru's listing in the FedRAMP Marketplace is your official, government-maintained proof of authorization — that's what it exists for.
The full FedRAMP security authorization package (the "Body of Evidence" — SSP, SAR, POA&M, and supporting artifacts) for GovPoint Cloud Services is controlled by the FedRAMP PMO. Per FedRAMP's package access policy, the Body of Evidence is only released to federal agencies through the official FedRAMP Package Access Request process. Only individuals with a .gov or .mil email address can submit that request. It is not something cloud service providers distribute to customers, partners, or prospects — and any vendor handing theirs out should raise questions about how they handle controlled information.
To verify Sharetru's authorization status, go to marketplace.fedramp.gov, search for MIS Sciences Corporation — GovPoint Cloud Services, and look for Sharetru listed as an authorized service within that FedRAMP Moderate JAB P-ATO boundary (Package ID F1311222650). That listing is your auditable, government-sourced reference for SSPs, CMMC assessment evidence, and prime contractor due diligence.
If your organization is undergoing a DIBCAC / DCMA assessment and there are further questions about Sharetru Federal's authorization status, control posture, or how we fit within the GovPoint boundary, we're happy to have that conversation directly with your assessment team. Reach out to us and we'll coordinate.
Will Sharetru give us a NIST SP 800-171 System Responsibility Matrix (SRM)?
Yes. We provide customers with a NIST SP 800-171 Rev. 2 System Responsibility Matrix (SRM) that goes deeper than what most cloud service providers offer.
Most vendor SRMs map responsibilities at the control level — telling you that, for example, control 3.5.3 (multi-factor authentication) is "shared" or "inherited." That's a start, but it leaves the OSC and its assessors guessing about which specific parts of that control the vendor actually fulfills. Sharetru's SRM is broken down at the assessment objective level within each NIST SP 800-171 control. For every control, we map each individual objective as either:
- Sharetru-provided — Sharetru Federal fulfills this objective through the FedRAMP Moderate authorized environment
- Shared — responsibility is split between Sharetru and the OSC, with a clear description of who owns what
- OSC responsibility — this objective falls entirely on the organization seeking certification
That means when your compliance team is building or updating your SSP, or when a C3PAO is reviewing your CMMC Level 2 evidence, there's no ambiguity about what Sharetru covers at a granular level. You can trace each assessment objective back to either Sharetru's authorization or your own implementation — which is exactly the level of specificity a C3PAO needs to validate your control narratives without extended back-and-forth. You can attach the SRM alongside a reference to the FedRAMP Marketplace listing for GovPoint Cloud Services (Package ID F1311222650) in your SSP and CMMC assessment evidence package.
How does Sharetru help with DoD contracts that include CMMC Level 2 (DFARS 252.204-7021)?
For CMMC Level 2, the big questions are: Where does your CUI live? and How does it move? Sharetru Federal gives you a FedRAMP Moderate Authorized environment for both file transfer and file sharing, with AES-256 at rest, TLS 1.3 in transit, FIPS 140-3 crypto modules, and full audit logging. That lets you point to a single, defensible system for moving CUI tied to DFARS 252.204-7021 contracts instead of trying to justify a patchwork of ad-hoc tools in your SSP and SPRS score.
We’re a Tier 2 or Tier 3 subcontractor—how does Sharetru help with flow-down requirements from our prime?
Primes increasingly expect subs to use FedRAMP Moderate Authorized platforms for CUI and ITAR data. When you use Sharetru Federal, you can tell your prime: “Our CUI file sharing and file transfer runs in a FedRAMP Moderate Authorized environment (via MIS Sciences’ GovPoint FedRAMP package) with full audit trails and access controls.” That gives them a clear, supply-chain-friendly story for their own CMMC and DFARS obligations and reduces the chances your tooling becomes the reason they see you as a risk.
How does Sharetru support contracts that include DFARS 252.204-7012 (safeguarding CUI and incident reporting)?
DFARS 252.204-7012 expects you to protect CUI in non-federal systems and to have a realistic incident response story. Sharetru Federal helps on the file side of that requirement by keeping CUI in a FedRAMP Moderate Authorized boundary, enforcing strong access controls, and recording detailed logs of file access, uploads, downloads, and sharing events. Those logs and integrations with your SIEM give you concrete evidence if you ever need to investigate or report a suspected incident involving files.
We have both FCI and CUI across multiple contracts—how do we scope Sharetru correctly?
Most customers carve Sharetru up by program, contract, or customer. You can use separate sites, groups, and folder structures to keep FCI-only work separate from CUI-heavy contracts, and apply stricter controls (MFA, link rules, retention, logging) where CUI is involved. That makes it much easier for a C3PAO or prime to see which contracts rely on Sharetru, how access is granted, and where the CUI boundary starts and stops.
Can we use Sharetru for ITAR technical data and export-controlled drawings?
Yes—this is a big part of why many aerospace and defense customers use Sharetru. Sharetru Federal is effectively a “FedRAMP+” environment: it’s FedRAMP Moderate Authorized and we only store files in U.S. datacenters and only employ U.S. persons to operate the platform, which aligns with ITAR expectations on top of the FedRAMP requirements. That gives you a tightly scoped space where ITAR-controlled technical data and export-controlled drawings can be shared with authorized domestic parties only, using strong authentication, logging, and role-based access. You still need to define and enforce your own ITAR policies and screening, but Sharetru gives you a single, controlled file-exchange layer to apply those rules—instead of letting export-controlled files float through email, unmanaged SFTP boxes, or generic cloud drives.
Example Language a C3PAO Might Use to Reference Sharetru
SSP / System Description Snippet
“The Organization Seeking Certification (OSC) utilizes Sharetru Federal, a FedRAMP Moderate Authorized secure file sharing and managed file transfer service, hosted within MIS Sciences’ GovPoint Cloud Services (FedRAMP package ID F1311222650), to store and transmit CUI associated with DoD contracts [list contract numbers]. The ATO belongs to MIS Sciences Corporation and Sharetru has been audited and approved as an authorized SaaS service. All external file exchange of CUI between the OSC, prime contractors, subcontractors, and government program offices is required to occur through Sharetru Federal. The service enforces AES-256 encryption at rest, TLS 1.3 in transit, FIPS 140-3 validated cryptographic modules, multi-factor authentication, and detailed audit logging of file access and transfer events.”
Assessment Observation for a Control (e.g., SC.L2-3.13.x / SC-series)
"For CUI transmitted to and from external partners, the OSC uses Sharetru Federal as the primary secure file transfer solution. Sharetru Federal operates within a FedRAMP Moderate Authorized boundary (GovPoint Cloud Services, JAB P-ATO, Package ID F1311222650). The assessor verified that data in transit is protected using TLS 1.3 and data at rest is protected using AES-256 leveraging FIPS 140-3 validated modules. Access to CUI repositories is restricted via role-based permissions, and the platform generates detailed logs of user logon, file upload, download, and link-sharing events, which are retained in accordance with the OSC’s logging policy."
Assessment Narrative on Use of External Cloud Service Providers
"The OSC relies on Sharetru Federal as an external cloud service provider for storage and transfer of CUI related to DoD contracts. Sharetru Federal is an authorized service operating within MIS Sciences’ FedRAMP Moderate JAB P-ATO boundary and is listed in the FedRAMP Marketplace under GovPoint Cloud Services Authorized Services section. As a result, the OSC is not required to independently demonstrate FedRAMP equivalency for this provider. The use of Sharetru Federal, combined with the OSC’s policies and procedures for provisioning, monitoring, and de-provisioning user accounts, supports compliance with CMMC Level 2 practices related to use of external cloud services."
Evidence Summary / Risk Commentary Example
"Based on interviews, documentation review, and technical verification, the assessor determined that the OSC’s use of Sharetru Federal for CUI file exchange materially reduces the risk of CUI being transmitted through uncontrolled channels (e.g., email, consumer file-sharing services, unmanaged SFTP servers). The platform’s FedRAMP Moderate authorization, FIPS-validated cryptography, and comprehensive audit logging provide a defensible control environment aligned with NIST SP 800-171 requirements for protecting CUI in transit and at rest."