ATO (Authorization to Operate)
Formal U.S. government approval that a cloud service is authorized for use at a specific FedRAMP impact level.
BOE (Body of Evidence)
The package of security documents and test results used to prove a cloud service meets FedRAMP Moderate (or equivalent) controls.
CMMC (Cybersecurity Maturity Model Certification) 2.0 Level 2
A U.S. Department of Defense (DoD) cybersecurity certification program.
Level 2 applies to organizations that handle CUI and maps to NIST SP 800-171 requirements.
Cloud Service Boundary
The technical and operational “box” defining what systems, people, and processes are part of a cloud service. If CUI is inside this boundary, CSP rules apply.
CSP (Cloud Service Provider)
A provider whose cloud service stores, processes, or transmits CUI. Under CMMC/DFARS, CSPs that handle CUI must meet FedRAMP Moderate or equivalent.
CUI (Controlled Unclassified Information)
Sensitive U.S. government information that isn’t classified but still requires protection. Common in defense and federal contracting.
DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012
A DoD contract regulation clause requiring contractors (and their cloud providers) to protect CUI. It ties CSP requirements to FedRAMP Moderate equivalency.
DoD (Department of Defense)
The U.S. federal department responsible for national defense, and the owner of the CMMC program.
FedRAMP (Federal Risk and Authorization Management Program)
The U.S. government’s standard program for assessing and authorizing cloud services for federal use.
FedRAMP Moderate
A FedRAMP security baseline for systems categorized as Moderate impact (loss of confidentiality, integrity, or availability would cause a serious adverse effect).
FedRAMP Moderate Equivalency (FedRAMP EQ Moderate)
A DoD-recognized path showing a CSP meets 100% of FedRAMP Moderate controls, independently validated by a FedRAMP-recognized 3PAO, even if not yet listed on the FedRAMP Marketplace.
FedRAMP 20x
FedRAMP’s modernized authorization approach intended to reduce cost and time using automation and continuous monitoring, delivered in phases.
FIPS (Federal Information Processing Standards) 199 — Moderate Impact
A U.S. federal system impact rating standard.
“Moderate” means a breach would have a serious adverse effect and aligns to FedRAMP Moderate baselines.
Identity Data SaaS Platform
A Software as a Service (SaaS) cloud platform that manages identity-related data and workflows (e.g., vetting, eligibility, access risk) with auditable records.
MSP (Managed Service Provider)
A provider that manages or supports IT/cloud environments for a customer. Under CMMC, an MSP may support a customer's environment or transmit its data without being a CSP, but if CUI is stored inside the MSP's service boundary, the MSP is treated as a CSP.
NIST (National Institute of Standards and Technology)
A U.S. federal agency that publishes cybersecurity frameworks used across government and industry.
NIST SP (Special Publication) 800-53 Rev. 5
A NIST control catalog for federal information systems. FedRAMP Moderate is based on a tailored set of these controls.
NIST SP (Special Publication) 800-171
A NIST security standard for protecting CUI in non-federal systems. CMMC Level 2 maps directly to this standard.
POA&M (Plan of Action & Milestones)
A formal list of security gaps and remediation plans. DoD FedRAMP EQ guidance expects CSPs to meet Moderate controls without open POA&Ms at assessment time (except continuous monitoring items).
SaaS (Software as a Service)
Cloud-hosted software delivered over the internet, where the provider operates the application and infrastructure.
Shared Responsibility Model / Matrix (SRM)
A map dividing which security/compliance controls are owned by the CSP versus the customer.
3PAO (Third-Party Assessment Organization)
A FedRAMP-approved independent auditor that tests and validates whether a CSP meets FedRAMP Moderate controls.