If you handle CUI and you use a cloud service to store, process, or transmit it, there is a federal requirement attached to that cloud. Most contractors I talk to either do not know it exists or assume their IT vendor took care of it. Neither assumption is safe.
Here is the rule, in plain English.
What the clause actually says
DFARS 252.204-7012(b)(2)(ii)(D) requires that if a contractor uses an external cloud service provider (CSP) to store, process, or transmit Covered Defense Information, which includes CUI, the CSP must meet security requirements equivalent to the FedRAMP Moderate Baseline.
It does not stop there. The CSP must also comply with paragraphs (c) through (g) of the same clause, which cover:
- Cyber incident reporting within 72 hours
- Malicious software submission
- Media preservation for at least 90 days
- Access to additional information for forensic review
- Cyber incident damage assessment cooperation
In other words, the cloud you use is not just a vendor decision. It is part of your compliance boundary.
What "equivalent" means after the DoD memo
Until the end of 2023, "FedRAMP Moderate equivalent" was vague enough that a lot of vendors waved a SOC 2 report at it and called it done. The DoD CIO memo dated December 21, 2023 closed that door.
Equivalent now means:
- The CSP has implemented 100% of the FedRAMP Moderate baseline controls.
- That implementation is assessed by a FedRAMP-recognized 3PAO.
- The CSP produces a Body of Evidence that mirrors what a FedRAMP authorization package would contain (SSP, SAR, POA&M, continuous monitoring artifacts).
- The contractor (you) reviews and accepts that body of evidence and keeps it on file.
If your cloud vendor cannot hand you those artifacts on request, you are not meeting the rule. Letters of attestation are not enough.
Common traps
"We use Microsoft, so we are covered." Commercial M365 is not FedRAMP Moderate equivalent. GCC and GCC High are different products with different boundaries. If your CUI is in commercial M365 mailboxes or SharePoint, that is a finding.
"Our MSP handles compliance." The clause flows down to the contractor. The MSP is a vendor, not the responsible party. You sign the contract, you carry the obligation.
"The vendor is FedRAMP authorized." Authorized at what level? Low, Moderate, or High? On which boundary? FedRAMP Tailored does not satisfy this clause. Read the marketplace listing, not the marketing page.
"We only email CUI occasionally." "Store, process, or transmit" includes email, both in transit and at rest. One CUI thread in a non-equivalent inbox is in scope.
How we built Tentacle Ops around this rule
When I was designing Tentacle Ops, this clause was one of the constraints that shaped the architecture. A few decisions came out of it:
- Per-customer isolated stacks. Each customer runs their own dedicated instance. There is no shared multi-tenant control plane that would pull CUI across customer boundaries.
- Zero CUI on Tentacle Ops infrastructure. The agent reaches into the customer's existing systems where the CUI already lives. We do not pull CUI back to a vendor cloud and re-store it.
- The customer's existing FedRAMP-equivalent boundary stays the boundary. If a contractor has stood up GCC High or an on-prem CUI enclave, our agent operates within that boundary rather than creating a new one.
The point is not that Tentacle Ops makes you compliant. Compliance is the contractor's job. The point is that an ops automation tool should not quietly expand your CUI footprint and your 7012 obligations along with it.
What to do this week
- List every cloud service in your environment that touches CUI: mail, file storage, ticketing, MES, CAM, ERP, ops automation, AI tools.
- For each one, ask the vendor for their FedRAMP Moderate Equivalency Body of Evidence, including the 3PAO assessment.
- If they cannot produce it, decide whether to migrate, segment, or remove CUI from that path.
- Keep the artifacts in your SSP appendix. Auditors will ask.
The cloud regulation in CMMC is not exotic. It is one clause, in one DFARS rule, with one 2023 memo defining the bar. Read it once. Then read your vendor list against it.
That is usually where the surprises are.
Tentacle Ops is an autonomous operations agent built for CMMC-bound manufacturers. Learn more at tentacleops.ai.