
The Hidden Risk of CUI in SaaS Platforms



EXECUTIVE BRIEF

Most defense contractors don't make a deliberate decision to put controlled unclassified information (CUI) into commercial software as a service (SaaS) platforms. It happens accidentally, through everyday tools and everyday habits, and no one flags the problem until it's already a compliance event.

This post covers:

  • Where CUI ends up in five common commercial SaaS platforms (Microsoft 365, Google Workspace, Dropbox, Slack, and Zoom) and why the standard commercial tier of each fails Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012
  • Why standard IT monitoring often misses this spillage
  • What separates a functional cloud environment from a compliant one
  • What to do if you discover CUI in a non-compliant tool, including how to document your response in a form that survives a Defense Counterintelligence and Security Agency (DCSA) review or Cybersecurity Maturity Model Certification (CMMC) assessment

Dig deeper below to learn more.


CUI can end up in commercial SaaS through forwarded emails, shared folders, screenshots in Slack threads, and proposal drafts uploaded to whatever tool the team already uses.

By the time someone realizes there's a problem, the data has already moved, and the clock on your reporting obligation may already be running.

This is a DFARS 252.204-7012 problem, a CMMC Level 2 assessment problem, and a contract eligibility problem all at once. This post covers where CUI ends up in five common commercial tools, what DFARS actually requires of the cloud underneath them, and what to do the moment a spillage is suspected. If you are not sure your organization handles CUI in the first place, our CUI quiz is a quick way to find out.

If CUI has already ended up somewhere it shouldn't in your systems, the ISI CUI Incident Response Checklist is the right starting point for your response.

What DFARS 7012 Requires of Your Cloud Stack

For defense contractors, the compliance requirements under DFARS 252.204-7012 are clear. If controlled unclassified information is stored, processed, or transmitted in any external cloud platform, you are responsible for ensuring that service meets Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline security requirements, not just in principle, but by documented evidence.

A December 2023 memo from the Department of Defense (DoD, also known as the Department of War) Chief Information Officer (CIO) closed the "equivalency" loophole that many contractors had relied on. Equivalency now requires 100% compliance with the FedRAMP Moderate baseline, validated by a FedRAMP-recognized third-party assessment organization (3PAO) and documented in a formal body of evidence.

  • System and Organization Controls 2 (SOC 2) reports and vendor attestation letters no longer satisfy the requirement
  • Federal Information Processing Standards (FIPS) 140-2-validated encryption is a baseline expectation, not a differentiator, for any cloud infrastructure handling CUI
  • Cloud service providers that touch CUI are explicitly in scope for CMMC assessments

The consequence of getting this wrong doesn't fall on your cloud service provider (CSP). If a non-compliant cloud platform is involved in a cyber incident, you bear the reporting obligation and the contract consequence.

Where CUI Ends Up in Commercial SaaS

The following is a tool-by-tool inventory of the most common spillage patterns and the compliance reality of the standard commercial tier for each. If you're walking through your own environment, use this as a checklist. 

Microsoft 365 (Commercial)

Typical spillage pattern:

  • CUI in Outlook attachments forwarded to external subcontractors
  • OneDrive shared links sent without access restrictions
  • Teams chat exports containing controlled technical data
  • SharePoint sites that were never tagged, restricted, or scoped for CUI

Compliance status: Microsoft 365 Commercial does not meet DFARS 7012 or CMMC Level 2 security requirements for storing, processing, or transmitting CUI. Government Community Cloud (GCC) High is the most commonly selected compliant path for defense contractors working through this transition. GCC High operates from U.S. government-dedicated data centers and satisfies FIPS and FedRAMP Moderate requirements that the commercial tenant does not. 

Google Workspace / Google Cloud

Typical spillage pattern:

  • Drive folders shared with subcontractors via open link
  • Gmail forwards of controlled technical data to personal addresses
  • Google Docs exports of CUI-marked proposal content

Compliance status: Standard Google Workspace and standard Google Cloud are not FedRAMP Moderate authorized for CUI. Google Workspace Assured Workloads is the path being marketed for defense workloads, but you must independently verify the body of evidence before relying on it. Vendor marketing materials are not a substitute for documented authorization. 

Dropbox

Typical spillage pattern:

  • Subcontractors invited into shared folders with no access audit trail
  • Link-shared files with no expiration or access controls
  • Sync clients copying CUI to personal devices without restriction

Compliance status: Dropbox Business and standard Dropbox tiers are not FedRAMP Moderate authorized. Dropbox doesn't currently offer a configuration that satisfies DFARS 7012 for CUI data storage or handling.

Slack

Typical spillage pattern:

  • Screenshots of controlled drawings pasted directly into channels
  • Code snippets containing controlled technical information shared in direct messages
  • File uploads that bypass any data loss prevention (DLP) rules configured at the organizational level

Compliance status: Standard Slack isn't authorized for CUI. Slack offers GovSlack for federal government customers, but it requires explicit procurement and verification. It isn't a default upgrade from a commercial account.

Zoom

Typical spillage pattern:

  • Recordings of program reviews that capture controlled discussion
  • Screen-shared CUI documents during meetings
  • AI-generated meeting summaries and transcripts that capture controlled content verbatim and store it in the commercial Zoom cloud

Compliance status: Standard Zoom (including Zoom AI Companion features) isn't authorized for CUI. Zoom for Government is FedRAMP Moderate authorized, but the commercial product isn't. The transcript and AI summary risk is particularly underappreciated. Many contractors don't realize those outputs are being stored in a non-compliant cloud platform. 

How CUI Spillage Happens and Why IT Often Misses It

Most CUI spillage in SaaS is the product of three predictable conditions:

  • The user doesn't know what counts as controlled unclassified information in the first place
  • The familiar tool is faster than the compliant alternative
  • There is no enforced data classification step before sharing

Commercial SaaS is designed for frictionless workflows. That design is fundamentally incompatible with the access controls, audit logging, and incident reporting security requirements DFARS 7012 imposes.

Standard IT cybersecurity monitoring catches malware and credential theft. It doesn't catch a program manager forwarding a CUI-marked PDF to a personal Gmail account to print from home, or an engineer pasting controlled source code into an AI tool to debug it. Sensitive data moves through these gaps constantly, and most organizations have no visibility into it.

This is the difference between a functional IT environment and a compliant CUI environment. It's the most common reason contractors fail a DCSA review or a CMMC Level 2 self-assessment despite having cloud computing infrastructure and security tooling in place. Having a security vendor isn't the same as having a CUI-compliant enclave.

The gap is also a supply chain risk. When CUI flows into non-compliant tools used by subcontractors, the prime contractor's compliance posture doesn't end at its own firewall. It extends to every information system in the data-sharing chain, which is part of why understanding who is responsible for protecting CUI across your supply chain matters as much as your own environment.

Choosing the Right Cloud Environment for CUI

Not all cloud migration paths lead to a compliant destination. The key distinction is between commercial cloud infrastructure and government-specific cloud environments built to meet federal security requirements.

For most small businesses and mid-size defense contractors working through this transition, the practical options break down as follows:

  • FedRAMP Moderate authorized SaaS (for example, GCC High, Zoom for Government, GovSlack): suitable for CUI data storage and processing; requires verification of current authorization and body of evidence
  • Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) on AWS GovCloud or Azure Government: appropriate for organizations building custom information systems or migrating on-demand workloads; security controls must still be configured and documented by the contractor
  • Private cloud or on-premises infrastructure: viable when properly scoped and documented to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171; requires end-to-end control over the environment and documented lifecycle management of all systems

What doesn't qualify: any standard commercial SaaS tier, regardless of the vendor's cybersecurity posture, unless it holds current FedRAMP Moderate authorization with a documented body of evidence. The vendor's use cases page and security whitepaper are not authorization.

International Traffic in Arms Regulations (ITAR) controlled data carries additional handling requirements layered on top of CUI compliance. If your contracts involve export-controlled technical data, verify requirements separately before selecting a cloud platform.

What to Do When You Discover CUI in a Non-Compliant Tool

Treat it as a CUI spillage incident, not an IT cleanup task.

The reporting clock under DFARS 7012 is 72 hours from discovery of a cyber incident. Unauthorized disclosure of CUI in a non-compliant environment qualifies. Here's what the response sequence should look like:

  • Contain first, investigate second: revoke shared links immediately, suspend access for any involved users, and preserve evidence (such as audit logs, file metadata, and sharing histories) before deleting anything; deletion before documentation can make your posture worse, not better
  • Identify scope: which CUI category was involved, which contracts it touches, which subcontractors or external parties may have received the data, and how long the exposure window lasted
  • Document the response in a form that survives a review: verbal containment isn't a record, and a Slack thread saying "I deleted it" isn't a record either. A DCSA reviewer or CMMC assessor will ask for written evidence of what you did and when
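The gap described earlier (standard monitoring sees malware and stolen credentials, not a CUI-marked file shared to an open link or a personal address) and the response sequence above can both be made concrete in a small detection script. The following is an added example written for this post; it is not code from ISI or from any of the vendors named. It scans a constructed sharing-audit export (the CSV columns are a simplified stand-in, not a real Microsoft 365, Google Workspace or Dropbox schema), flags CUI-marked items shared to open links or to domains outside an assumed internal/authorized list, and opens a written incident record for each finding with the exposure window, the 72-hour report deadline from discovery, and the containment steps that must be logged before anything is deleted.

```python
"""Scan a SaaS sharing-audit export for CUI-marked items shared outside the
organization, and open a DFARS 7012 reporting record for each finding.
Added example: the CSV layout, domain lists and sample rows are constructed."""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample audit export. The columns are a simplified stand-in for the
# sharing events a commercial SaaS audit log would record, not a vendor schema.
SAMPLE_AUDIT_CSV = """\
timestamp,actor,action,item,label,target
2024-05-06T14:02:11Z,pm@example-contractor.com,ShareLink,Proposal_Vol2.pdf,CUI//SP-CTI,anyone_with_link
2024-05-06T14:05:40Z,eng@example-contractor.com,ShareUser,drawing_rev3.dwg,CUI,jsmith@gmail.com
2024-05-06T14:07:02Z,eng@example-contractor.com,ShareUser,lunch_menu.docx,,jsmith@gmail.com
2024-05-06T14:09:55Z,pm@example-contractor.com,ShareUser,sow_draft.docx,CUI//SP-CTI,cfo@example-contractor.com
2024-05-06T15:30:00Z,pm@example-contractor.com,ShareUser,CUI - test report.xlsx,,partner@sub-contractor.example
"""

INTERNAL_DOMAINS = {"example-contractor.com"}          # assumed: the contractor's own tenant
AUTHORIZED_EXTERNAL_DOMAINS: set[str] = set()          # assumed: no subcontractor approved for CUI here
OPEN_LINK = "anyone_with_link"                         # constructed value for an unrestricted link
CUI_MARKING = re.compile(r"\bCUI\b", re.IGNORECASE)    # a CUI marking in the label or in the file name
REPORTING_WINDOW = timedelta(hours=72)                 # DFARS 252.204-7012 reporting clock


@dataclass(frozen=True)
class Finding:
    event_time: datetime
    actor: str
    item: str
    target: str
    reason: str


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_cui_marked(item: str, label: str) -> bool:
    """Treat an item as CUI if its sensitivity label or its file name carries a CUI marking."""
    return bool(CUI_MARKING.search(label)) or bool(CUI_MARKING.search(item))


def share_is_external(target: str) -> str | None:
    """Return why a share target falls outside the compliant boundary, or None if it is internal or authorized."""
    if target == OPEN_LINK:
        return "open link, no access restriction"
    domain = target.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS or domain in AUTHORIZED_EXTERNAL_DOMAINS:
        return None
    return f"external recipient domain {domain}"


def scan_audit(audit_csv: str) -> list[Finding]:
    """Flag CUI-marked items shared to open links or to unauthorized external domains."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if not is_cui_marked(row["item"], row["label"]):
            continue
        reason = share_is_external(row["target"])
        if reason is None:
            continue
        findings.append(Finding(parse_ts(row["timestamp"]), row["actor"], row["item"], row["target"], reason))
    return findings


def incident_record(finding: Finding, discovered_at: datetime) -> dict:
    """Open a written record: exposure window, the 72-hour report deadline counted from
    discovery (not from the share event), and the containment steps to log before deleting."""
    return {
        "item": finding.item,
        "actor": finding.actor,
        "shared_with": finding.target,
        "reason": finding.reason,
        "event_time": finding.event_time.isoformat(),
        "discovered_at": discovered_at.isoformat(),
        "exposure_seconds": int((discovered_at - finding.event_time).total_seconds()),
        "report_by": (discovered_at + REPORTING_WINDOW).isoformat(),
        "containment": [
            "revoke shared link / remove external access",
            "suspend involved user access pending review",
            "preserve audit log, file metadata and sharing history",
        ],
        "evidence_preserved_before_deletion": False,  # set True only once the exports are saved
    }


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for f in scan_audit(SAMPLE_AUDIT_CSV):
        print(incident_record(f, now))
```

On the constructed rows, the script flags the open-link proposal, the drawing sent to a Gmail address, and the spreadsheet whose file name carries the marking even though no label was applied; the internal share and the unmarked file are left alone. The deadline is computed from the discovery timestamp passed in, so a file shared days ago still gets a 72-hour clock that starts when the scan finds it, and the record keeps the evidence-preservation step ahead of any deletion.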

Get Ahead of the Next Spillage Before It Becomes a Contract Problem

SaaS spillage is the most common, least visible CUI compliance failure in the defense industrial base. The consequences for getting it wrong can affect your contract eligibility.

Download the CUI Incident Response Checklist and walk through it against your current tool stack. By reviewing the checklist before a spillage, you'll determine whether you could actually execute the required response within the 72-hour window if a spillage were discovered today.


FAQs

What Are the Best Compliant File Sharing Platforms for Storing CUI?

The most widely adopted options are:

  • Microsoft GCC High (for Microsoft 365 workloads)
  • AWS GovCloud
  • Azure Government
  • Zoom for Government

The common requirement across all of them is FedRAMP Moderate authorization, a documented body of evidence, and validation by a recognized 3PAO. Be sure to verify current authorization status directly, since FedRAMP authorization can lapse or carry conditions that affect your specific use cases.

Is Microsoft 365 Commercial Compliant for CUI?

No. Microsoft 365 Commercial (including standard Office 365, Teams, OneDrive, and SharePoint) does not meet DFARS 252.204-7012 requirements for CUI. GCC High is Microsoft's compliant path for defense contractors, operating from dedicated U.S. government data centers with FIPS-validated encryption and the security controls required for CUI data protection.

What About Microsoft Copilot for the Microsoft 365 Stack?

Microsoft 365 Copilot on a commercial tenant isn't authorized for CUI. Copilot processes, and in some configurations stores, content from your Microsoft 365 environment in the commercial cloud. If your tenant handles CUI, enabling Copilot on a non-GCC High environment creates a spillage risk. Copilot for Microsoft 365 Government (GCC High) is a separate offering with a distinct compliance posture; verify its current status before deploying, as the rollout for GCC High Copilot features is ongoing.

Can You Store CUI on a Personal Computer?

Generally, no, not without explicit authorization and a documented set of security controls applied to that device. DFARS 7012 requires that all information systems processing, storing, or transmitting CUI meet NIST SP 800-171 requirements. A personal computer is unlikely to satisfy those requirements without significant configuration, monitoring, and documentation.

Where Can CUI Be Stored?

CUI must be stored in environments that meet the FedRAMP Moderate baseline (for cloud platforms and SaaS) or NIST SP 800-171 requirements (for on-premises or private cloud environments). Approved cloud environments require a documented body of evidence, not just vendor claims. Standard commercial SaaS does not qualify by default regardless of a vendor's general cybersecurity posture.

Is It a CUI Spillage If Someone Pastes Controlled Data into ChatGPT?

Yes. Pasting CUI into any commercial AI tool, such as ChatGPT, Copilot on a commercial tenant, or Google Gemini, constitutes processing controlled unclassified information in a non-authorized environment and should be treated as a spillage event. Establish explicit acceptable use policies for AI tools before the question becomes a compliance incident.

What Are the Two Types of CUI?

CUI is categorized as either CUI Basic or CUI Specified. CUI Basic follows the standard handling and data protection requirements in the CUI Federal Register. CUI Specified requires additional or different handling controls defined by the relevant law, regulation, or government-wide policy for that category. The category marking on a document tells you which requirements apply. For more on what counts as CUI in the first place, see ISI's overview of what is CUI.

Does a SOC 2 Report from a SaaS Vendor Satisfy DFARS 7012?

No. As of the December 2023 DoD CIO memo, SOC 2 reports and vendor self-attestations no longer satisfy the equivalency requirement under DFARS 7012. Compliance requires 100% alignment with the FedRAMP Moderate baseline, validated by a FedRAMP-recognized 3PAO, and documented in a body of evidence the contractor can produce. A SOC 2 report does not map to FedRAMP Moderate security controls and cannot substitute for them.

How Quickly Do We Have to Report a CUI Spillage?

DFARS 252.204-7012 requires reporting of a cyber incident within 72 hours of discovery. Unauthorized disclosure of CUI in a non-compliant environment qualifies as a reportable incident. The clock starts at discovery, which is why having a prepared, documented response process matters before you need it.

