UnderDFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), if acontractoruses acloud-based serviceto store, process, or transmitControlled Unclassified Information (CUI), the cloud providermustmeet the security requirements ofFedRAMP Moderate or equivalent.
Key Requirements from DFARS 252.204-7012 (c)(1):
CUI stored in the cloud must be protected according to FedRAMP Moderate (or higher) requirements.
The cloud provider must meetFedRAMP Moderate baseline security controls, which align withNIST SP 800-53moderate impact level requirements.
The cloud provider must also ensure compliance withincident reportingandcyber incident response requirementsin DFARS 252.204-7012.
Why is the Correct Answer "FedRAMP Moderate" (B)?
A. FedRAMP Low → Incorrect
FedRAMP Lowis intended for systems withlow confidentiality, integrity, and availability risks, making itinadequate for CUI protection.
B. FedRAMP Moderate → Correct
FedRAMP Moderate is the minimum required level for CUIunder DFARS 252.204-7012.
It provides a security baseline for protectingsensitive but unclassified government data.
C. FedRAMP High → Incorrect
FedRAMP Highapplies to systems handlinghighly sensitive information (e.g., classified or national security data), which is not necessarily required for CUI.
D. FedRAMP Secure → Incorrect
There isno official FedRAMP Secure categoryin FedRAMP guidelines.
CMMC 2.0 References Supporting this Answer:
DFARS 252.204-7012(c)(1)
Specifies thatcontractors using external cloud services for CUI must meet FedRAMP Moderate or equivalent.
CMMC 2.0 Level 2 Requirements
CUI must be protected using NIST SP 800-171 security requirements, whichalign with FedRAMP Moderate controls.
FedRAMP Security Baselines
FedRAMP Moderateis designed for systems that handlesensitive government data, including CUI.
