Most defense contractors don't make a deliberate decision to put controlled unclassified information (CUI) into commercial software as a service (SaaS) platforms. It happens accidentally, through everyday tools and everyday habits, and no one flags the problem until it's already a compliance event.
CUI can end up in commercial SaaS through forwarded emails, shared folders, screenshots in Slack threads, and proposal drafts uploaded to whatever tool the team already uses.
By the time someone realizes there's a problem, the data has already moved, and the clock on your reporting obligation may already be running.
This is a DFARS 252.204-7012 problem, a CMMC Level 2 assessment problem, and a contract eligibility problem all at once. This post covers where CUI ends up in five common commercial tools, what DFARS actually requires of the cloud underneath them, and what to do the moment a spillage is suspected. If you are not sure your organization handles CUI in the first place, our CUI quiz is a quick way to find out.
If CUI has already ended up somewhere it shouldn't in your systems, the ISI CUI Incident Response Checklist is the right starting point for your response.
For defense contractors, the compliance requirements under DFARS 252.204-7012 are clear. If controlled unclassified information is stored, processed, or transmitted in any external cloud platform, you are responsible for ensuring that service meets Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline security requirements, not just in principle, but by documented evidence.
A December 2023 memo from the Chief Information Officer (CIO) of the Department of Defense (DoD, also known as the Department of War) closed the "equivalency" loophole that many contractors had relied on. Equivalency now requires 100% compliance with the FedRAMP Moderate baseline, validated by a FedRAMP-recognized third-party assessment organization (3PAO) and documented in a formal body of evidence.
The consequence of getting this wrong doesn't fall on your cloud service provider (CSP). If a non-compliant cloud platform is involved in a cyber incident, you bear the reporting obligation and the contract consequence.
The following is a tool-by-tool inventory of the most common spillage patterns and the compliance reality of the standard commercial tier for each. If you're walking through your own environment, use this as a checklist.
Typical spillage pattern:
Compliance status: Microsoft 365 Commercial does not meet DFARS 7012 or CMMC Level 2 security requirements for storing, processing, or transmitting CUI. Government Community Cloud (GCC) High is the most commonly selected compliant path for defense contractors working through this transition. GCC High operates from U.S. government-dedicated data centers and satisfies FIPS and FedRAMP Moderate requirements that the commercial tenant does not.
Typical spillage pattern:
Compliance status: Standard Google Workspace and standard Google Cloud are not FedRAMP Moderate authorized for CUI. Google Workspace Assured Workloads is the path being marketed for defense workloads, but you must independently verify the body of evidence before relying on it. Vendor marketing materials are not a substitute for documented authorization.
Typical spillage pattern:
Compliance status: Dropbox Business and standard Dropbox tiers are not FedRAMP Moderate authorized. Dropbox doesn't currently offer a configuration that satisfies DFARS 7012 for CUI data storage or handling.
Typical spillage pattern:
Compliance status: Standard Slack isn't authorized for CUI. Slack offers GovSlack for federal government customers, but it requires explicit procurement and verification. It isn't a default upgrade from a commercial account.
Typical spillage pattern:
Compliance status: Standard Zoom (including Zoom AI Companion features) isn't authorized for CUI. Zoom for Government is FedRAMP Moderate authorized, but the commercial product isn't. The transcript and AI summary risk is particularly underappreciated. Many contractors don't realize those outputs are being stored in a non-compliant cloud platform.
Most CUI spillage in SaaS is the product of three predictable conditions:
Commercial SaaS is designed for frictionless workflows. That design is fundamentally incompatible with the access controls, audit logging, and incident reporting security requirements DFARS 7012 imposes.
Standard IT cybersecurity monitoring catches malware and credential theft. It doesn't catch a program manager forwarding a CUI-marked PDF to a personal Gmail account to print from home, or an engineer pasting controlled source code into an AI tool to debug it. Sensitive data moves through these gaps constantly, and most organizations have no visibility into it.
This is the difference between a functional IT environment and a compliant CUI environment. It's the most common reason contractors fail a DCSA review or a CMMC Level 2 self-assessment despite having cloud computing infrastructure and security tooling in place. Having a security vendor isn't the same as having a CUI-compliant enclave.
The gap is also a supply chain risk. When CUI flows into non-compliant tools used by subcontractors, the prime contractor's compliance posture doesn't end at its own firewall. It extends to every information system in the data-sharing chain, which is part of why understanding who is responsible for protecting CUI across your supply chain matters as much as your own environment.
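The monitoring gap described above is where a simple outbound-data check closes part of the blind spot. As an added example (not part of the original post and not ISI's tooling), this Python script triages constructed mail-gateway export lines for CUI banner markings leaving the authorized boundary and for uploads to commercial AI tools, and stamps each finding with the 72-hour reporting deadline; the export format, the authorized-domain list and the AI-tool host list are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export of outbound events (assumed format, not any vendor's schema):
# timestamp|actor|destination|channel|filename|subject
SAMPLE_EVENTS = """\
2024-05-06T14:02:11Z|pm@contractor.example|pm.home@gmail.com|email|SOW-CUI-SP-CTI.pdf|Fwd: print at home
2024-05-06T14:10:45Z|eng@contractor.example|chat.openai.com|browser_upload|flight_ctrl.c|paste to debug
2024-05-06T15:00:00Z|eng@contractor.example|partner@prime.example|email|status.xlsx|weekly status
2024-05-06T15:22:09Z|pm@contractor.example|team@contractor.example|email|CUI_budget.xlsx|FY budget
"""

# Assumed inventory: destinations the organization has authorized to receive CUI.
AUTHORIZED_DOMAINS = {"contractor.example", "prime.example"}
# Commercial AI tool hosts (constructed list); any upload there is a policy event.
AI_TOOL_HOSTS = {"chat.openai.com", "gemini.google.com", "copilot.microsoft.com"}
# CUI banner/portion markings such as "CUI", "CUI//SP-CTI" or "CONTROLLED" in names and subjects.
CUI_MARKING = re.compile(r"(?<![A-Z])(CUI|CONTROLLED)(?:/+[A-Z0-9-]+)*(?![A-Z])", re.I)

REPORTING_WINDOW = timedelta(hours=72)  # DFARS 252.204-7012 cyber incident reporting clock

def parse_ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def parse_event(line):
    ts, actor, dest, channel, filename, subject = line.split("|")
    return {"ts": parse_ts(ts), "actor": actor, "dest": dest, "channel": channel, "filename": filename, "subject": subject}

def triage(event):
    """'spillage': marked CUI left the authorized boundary; 'review': unmarked content reached an
    AI tool (possibly controlled source code); 'clear': authorized destination or unmarked routine mail."""
    domain = event["dest"].split("@")[-1].lower()
    marked = bool(CUI_MARKING.search(event["filename"]) or CUI_MARKING.search(event["subject"]))
    if domain in AI_TOOL_HOSTS:
        return "spillage" if marked else "review"
    if domain in AUTHORIZED_DOMAINS:
        return "clear"
    return "spillage" if marked else "clear"

def scan(export, discovered_at_iso):
    """Triage every export line; the 72h report deadline runs from discovery, not from the event time."""
    report_by = parse_ts(discovered_at_iso) + REPORTING_WINDOW
    findings = []
    for line in export.strip().splitlines():
        ev = parse_event(line)
        verdict = triage(ev)
        if verdict != "clear":
            findings.append({**ev, "verdict": verdict, "report_by": report_by.isoformat()})
    return findings
```

Running `scan(SAMPLE_EVENTS, "2024-05-07T09:00:00Z")` on the constructed sample flags the forwarded CUI-marked PDF to a consumer mailbox as spillage and the source-file upload to an AI tool for review, each with a report-by time of 2024-05-10T09:00:00+00:00.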
Not all cloud migration paths lead to a compliant destination. The key distinction is between commercial cloud infrastructure and government-specific cloud environments built to meet federal security requirements.
For most small businesses and mid-size defense contractors working through this transition, the practical options break down as follows:
What doesn't qualify: any standard commercial SaaS tier, regardless of the vendor's cybersecurity posture, unless it holds current FedRAMP Moderate authorization with a documented body of evidence. The vendor's use cases page and security whitepaper are not authorization.
International Traffic in Arms Regulations (ITAR) controlled data carries additional handling requirements layered on top of CUI compliance. If your contracts involve export-controlled technical data, verify requirements separately before selecting a cloud platform.
Treat it as a CUI spillage incident, not an IT cleanup task.
The reporting clock under DFARS 7012 is 72 hours from discovery of a cyber incident. Unauthorized disclosure of CUI in a non-compliant environment qualifies. Here's what the response sequence should look like:
SaaS spillage is the most common, least visible CUI compliance failure in the defense industrial base. The consequences for getting it wrong can affect your contract eligibility.
Download the CUI Incident Response Checklist and walk through it against your current tool stack. By reviewing the checklist before a spillage, you'll determine whether you could actually execute the required response within the 72-hour window if a spillage were discovered today.
The most widely adopted options are:
The common requirement across all of them is FedRAMP Moderate authorization, a documented body of evidence, and validation by a recognized 3PAO. Be sure to verify current authorization status directly, since FedRAMP authorization can lapse or carry conditions that affect your specific use cases.
No. Microsoft 365 Commercial (including standard Office 365, Teams, OneDrive, and SharePoint) does not meet DFARS 252.204-7012 requirements for CUI. GCC High is Microsoft's compliant path for defense contractors, operating from dedicated U.S. government data centers with FIPS-validated encryption and the security controls required for CUI data protection.
Microsoft 365 Copilot on a commercial tenant isn't authorized for CUI. Copilot processes, and in some configurations stores, content from your Microsoft 365 environment in the commercial cloud. If your tenant handles CUI, enabling Copilot on a non-GCC High environment creates a spillage risk. Copilot for Microsoft 365 Government (GCC High) is a separate offering with a distinct compliance posture; verify its current status before deploying, as the rollout for GCC High Copilot features is ongoing.
Generally, no, not without explicit authorization and a documented set of security controls applied to that device. DFARS 7012 requires that all information systems processing, storing, or transmitting CUI meet NIST SP 800-171 requirements. A personal computer is unlikely to satisfy those requirements without significant configuration, monitoring, and documentation.
CUI must be stored in environments that meet the FedRAMP Moderate baseline (for cloud platforms and SaaS) or NIST SP 800-171 requirements (for on-premises or private cloud environments). Approved cloud environments require a documented body of evidence, not just vendor claims. Standard commercial SaaS does not qualify by default regardless of a vendor's general cybersecurity posture.
Yes. Pasting CUI into any commercial AI tool, such as ChatGPT, Copilot on a commercial tenant, or Google Gemini, constitutes processing controlled unclassified information in a non-authorized environment and should be treated as a spillage event. Establish explicit acceptable use policies for AI tools before the question becomes a compliance incident.
CUI is categorized as either CUI Basic or CUI Specified. CUI Basic follows the standard handling and data protection requirements in the CUI Federal Register. CUI Specified requires additional or different handling controls defined by the relevant law, regulation, or government-wide policy for that category. The category marking on a document tells you which requirements apply. For more on what counts as CUI in the first place, see ISI's overview of what is CUI.
No. As of the December 2023 DoD CIO memo, SOC 2 reports and vendor self-attestations no longer satisfy the equivalency requirement under DFARS 7012. Compliance requires 100% alignment with the FedRAMP Moderate baseline, validated by a FedRAMP-recognized 3PAO, and documented in a body of evidence the contractor can produce. A SOC 2 report does not map to FedRAMP Moderate security controls and cannot substitute for them.
DFARS 252.204-7012 requires reporting of a cyber incident within 72 hours of discovery. Unauthorized disclosure of CUI in a non-compliant environment qualifies as a reportable incident. The clock starts at discovery, which is why having a prepared, documented response process matters before you need it.