
Are Your SaaS Apps CMMC Compliant?

Written by S. Singer & A. Scotney | Jun 16, 2026 3:31:29 PM


How Defense Contractors Can Ensure Their Critical SaaS Tools Withstand Assessment

The SaaS (software as a service) applications your team uses every day to manage projects, track customers, communicate, run financials, and coordinate production were likely chosen for how well they work, not for whether they meet CMMC requirements. This has created a CMMC gap problem that catches many Department of Defense (DoD) contractors off guard.

The SaaS Assumption Problem

Under the CMMC 2.0 Final Rule (32 CFR Part 170), any external company providing cloud-based platform, infrastructure, application, or storage services is classified as a Cloud Service Provider (CSP), and a CSP that stores, processes, or transmits controlled unclassified information (CUI) must meet FedRAMP Moderate or equivalent requirements. This includes the SaaS apps you know, use, and love. The issue is that most commercial SaaS applications do not meet these requirements. That is not because their security controls are bad; it is because they are designed to satisfy commercial buyers, typically addressing things like SOC 2, ISO 27001, or general data privacy standards, not the 323-control FedRAMP Moderate baseline (Rev 5). They often store data on shared infrastructure, manage or retain access to encryption keys rather than giving customers independent control, and operate support models that may involve offshore staff with access to platform data. None of that is unusual for commercial software. All of it can create problems under CMMC.

What CMMC Actually Requires from Your SaaS Tools

DFARS 252.204-7012(b)(2)(ii)(D) has applied to defense contractors since 2017. It requires that any external CSP storing, processing, or transmitting CUI meet security requirements equivalent to the FedRAMP Moderate baseline, the 323-control security standard the government uses to evaluate cloud services handling sensitive federal information.

A CSP can satisfy this in one of two ways: by holding a formal FedRAMP Moderate authorization, or by demonstrating equivalency through a full independent assessment by a FedRAMP accredited 3PAO (third party assessment organization) with zero outstanding findings, as defined by the DoD's December 2023 memo.

Authorization is simpler to verify. Equivalency is more complex and places the burden of proof squarely on you, the contractor.

The CMMC Final Rule (32 CFR Part 170) confirms that either way, every CSP that touches CUI is subject to evaluation by a C3PAO assessing Level 2 and Level 3 contractors (Level 3 requires a C3PAO to do a Level 2 assessment and the DOW DIBCAC to do a Level 3). In practical terms, your SaaS app may be a compliance issue.

Level 1 contractors handling only Federal Contract Information (FCI) face a lighter requirement: the fifteen self-assessed requirements under FAR 52.204-21 (being renumbered to FAR 52.240-93), which apply to the contractors themselves. But the moment CUI enters your environment (and for most defense contractors and manufacturers, it does), Level 2 (or higher) requirements apply and every external CSP touching that data is in scope.

How to Tell If Your SaaS Is in Scope

The question is not what is on your vendor's security page or their list of certifications. It is a simpler question: Does this tool touch CUI? If the answer is yes, it is in scope for CMMC assessment requirements, and any CSP storing, processing, or transmitting that CUI must meet the FedRAMP Moderate equivalency standard.

For most defense contractors, the answer is yes for more tools than they realize: Customer Relationship Management (CRM) systems holding contract and customer data; project management platforms where work on DoD programs gets tracked; communication tools where sensitive details are discussed; and Enterprise Resource Planning (ERP) systems processing financial and operational information tied to government contracts.

For manufacturers in the Defense Industrial Base (DIB), the exposure runs deeper still: Manufacturing Execution Systems (MES) storing and processing production data; Product Lifecycle Management (PLM) systems holding engineering drawings and technical specifications; and supply chain platforms coordinating with subcontractors who may themselves be exposed to CUI. These are the systems that organizations have built their operations around, and they represent a compliance risk.

Is Your SaaS Tool FedRAMP-Authorized?

If you need to comply with CMMC Level 2 or 3, then finding out if your SaaS applications are FedRAMP Moderate or High authorized is a good place to start. Authorization status can be verified at marketplace.fedramp.gov.

The equivalency provision exists, but in practice, it is a high bar. Equivalency cannot be self-declared by a vendor; the burden of demonstrating equivalency sits with the contractor, not the vendor, and it must be defensible to an assessor.

“If you store CUI in the cloud, for an assessor, assessing FedRAMP authorized CSPs is easier than assessing those that are asserting FedRAMP Moderate equivalency. Assessing equivalency requires reviewing the 3PAO supplied body of evidence (BOE) and is complex and time-consuming,” said Scott Singer, President of CyberNINES, A ControlCase Company. “However, FedRAMP authorization or equivalency is only required for SaaS tools that handle CUI. Removing CUI from a SaaS application can take that application out of your assessment scope, thus reducing the time and cost of preparing for and conducting your assessment and lowering your risk of non-compliance.”

What to Do When a Tool Is Non-Compliant

When a SaaS tool is identified as non-compliant, you have a few options.

  • Stop using it for CUI. This approach is practical for tools that only occasionally touch CUI, but difficult for anything embedded in day-to-day operations.
  • Migrate to a FedRAMP Moderate authorized version. Where one exists, this is a clean solution, though many SaaS tools have no authorized equivalent, and for those that do, migration can be expensive.
  • Demonstrate FedRAMP Moderate equivalency. A vendor can satisfy the requirement without formal authorization but must achieve 100% compliance with the FedRAMP Moderate baseline. Most commercial SaaS vendors have not met this bar, and as stated above, the burden of verifying it sits with you, the contractor.
  • Build a CUI enclave. Though effective, this approach requires ongoing management and limits which systems can interact with CUI workflows.
  • Use tokenization to reduce CMMC scope. A tokenization gateway sits between your users and the SaaS application. It intercepts CUI before it reaches the SaaS environment, stores it securely in a controlled enclave, and passes a token to the SaaS platform instead. The SaaS application operates normally but never touches CUI. This can remove the SaaS application from your CMMC assessment scope.

Indeed, tokenization can provide a viable and cost-effective solution to the CMMC risk posed by the use of CSPs. As StratoKey CEO Anthony Scotney puts it: “The conversation we have most often is with organizations that do not want to rip out their existing tools. They have invested in these platforms, their teams know how to use them, and replacing them mid-compliance-journey is its own project. Tokenization changes the question from ‘How do we replace this tool?’ to ‘How do we make sure this tool never holds CUI?’ That is a much simpler problem to solve.”
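As an added illustration (not StratoKey's product code and not part of the original article), a minimal Python model of the gateway pattern described above: fields designated as CUI are swapped for random tokens before a record leaves the enclave and mapped back on the way in, and a scope check confirms the SaaS-side copy carries no vault cleartext. The field names, token format and sample record are constructed for this example.

```python
import secrets

# Constructed model of a tokenization gateway. The gateway and its vault live
# inside the contractor's controlled enclave; only tokens reach the SaaS app.
TOKEN_PREFIX = "CUI-TOK-"          # assumed token format, not a real product's


class TokenizationGateway:
    def __init__(self, cui_fields):
        self.cui_fields = set(cui_fields)  # fields your CUI policy marks as CUI
        self._vault = {}                   # token -> cleartext, never leaves enclave

    def tokenize_value(self, value):
        # Random token, not derived from the value: nothing about the CUI is
        # recoverable from the token itself, so the SaaS copy is de-scoped.
        token = TOKEN_PREFIX + secrets.token_hex(16)
        self._vault[token] = value
        return token

    def outbound(self, record):
        # Path toward the SaaS app: CUI fields replaced, other fields untouched.
        return {k: (self.tokenize_value(v) if k in self.cui_fields else v)
                for k, v in record.items()}

    def inbound(self, record):
        # Path back to users inside the enclave: known tokens restored; any
        # unknown token or ordinary value passes through unchanged.
        return {k: (self._vault.get(v, v) if isinstance(v, str) else v)
                for k, v in record.items()}

    def saas_copy_is_clean(self, record):
        # Scope check: the record as the SaaS platform sees it must not contain
        # any cleartext the vault is protecting.
        protected = set(self._vault.values())
        return not any(v in protected for v in record.values()
                       if isinstance(v, str))


if __name__ == "__main__":
    gw = TokenizationGateway(cui_fields={"drawing_ref", "program_notes"})
    ticket = {"ticket": "T-1001",                         # constructed sample
              "drawing_ref": "DWG-CONSTRUCTED-77",
              "program_notes": "constructed CUI text"}
    saas_view = gw.outbound(ticket)
    print("SaaS sees:", saas_view)
    print("clean for SaaS:", gw.saas_copy_is_clean(saas_view))
    print("restored:", gw.inbound(saas_view) == ticket)
```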

Find Your SaaS Gaps Now, Not During Your Assessment

The time to audit your SaaS stack is before an assessor does it for you. A gap found in your own readiness review is a documented finding with a remediation plan, whereas a gap found by a C3PAO during a formal CMMC Level 2 assessment is a scored deficiency that affects your Supplier Performance Risk System (SPRS) score and potentially your contracts. Proactively ensuring that your use of SaaS meets CMMC requirements will save you time, money, and headaches.

Contact CyberNINES, A ControlCase Company to schedule your CMMC Level 2 Assessment or get going on compliance with a gap assessment.

Learn more about tokenization for CMMC Compliance Controls with StratoKey.

This article was written by StratoKey as part of a content series developed in partnership with CyberNINES, A ControlCase Company.