Your CMMC consultant told you that your email provider needs to be “FedRAMP authorized.” You Googled it and found three authorization levels, dozens of authorized products, and no clear answer about which one you actually need for CMMC Level 2.
Here is how FedRAMP authorization levels work, which level matters for CMMC, and which email providers meet the requirement.
What FedRAMP is
FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that standardizes security assessment for cloud products used by federal agencies. A FedRAMP authorization means the cloud service has been independently assessed against a set of security controls derived from NIST SP 800-53.
FedRAMP is not CMMC. They are different frameworks with different purposes. But CMMC references FedRAMP because DFARS 252.204-7012 requires that cloud service providers used to store CUI meet security requirements equivalent to FedRAMP Moderate.
The three authorization levels
FedRAMP Low
Designed for cloud systems handling data where loss would have limited adverse effect. Think public-facing websites and non-sensitive collaboration tools.
Not sufficient for CUI. No email provider at FedRAMP Low meets CMMC requirements for handling Controlled Unclassified Information.
FedRAMP Moderate
Designed for cloud systems where loss of confidentiality, integrity, or availability would have a serious adverse effect. This covers most CUI handling scenarios.
This is the minimum for CMMC. DFARS 252.204-7012 explicitly requires “security requirements equivalent to those established by the Government for the FedRAMP Moderate baseline” for cloud service providers processing, storing, or transmitting CUI.
FedRAMP High
Designed for cloud systems handling the most sensitive unclassified data, where loss would have severe or catastrophic adverse effect. Includes additional controls beyond Moderate.
Exceeds CMMC requirements. FedRAMP High meets and exceeds the Moderate baseline. If your provider is FedRAMP High authorized, it satisfies the FedRAMP requirement for CMMC.
What “equivalent to FedRAMP Moderate” means
The DFARS clause says “equivalent to,” not “authorized at.” This distinction matters.
The DoD CMMC FAQ clarifies: if a contractor uses an external cloud service provider to process, store, or transmit CUI, that CSP must meet FedRAMP Moderate (or equivalent) security requirements. The CSP does not necessarily need a formal FedRAMP Authorization to Operate (ATO), but it must demonstrate equivalent security controls.
In practice, your C3PAO will ask for one of the following:
- FedRAMP ATO at Moderate or High. Listed on the FedRAMP Marketplace. This is the clearest path.
- FedRAMP In Process status. The CSP is actively pursuing authorization and has been accepted by the FedRAMP PMO.
- Documented equivalence. The CSP has been independently assessed against the FedRAMP Moderate baseline controls. Your C3PAO will scrutinize this more heavily than a formal ATO.
Self-attestation without independent assessment is not sufficient. “We follow FedRAMP guidelines” without evidence is a finding.
Which email providers have FedRAMP authorization
Microsoft 365 GCC High
FedRAMP High ATO. Listed on the FedRAMP Marketplace. Meets and exceeds FedRAMP Moderate requirements. Built on Azure Government infrastructure.
The catch: Requires a separate tenant rebuild costing $50K to $200K. You cannot upgrade a commercial Office 365 tenant to GCC High.
Microsoft 365 GCC
FedRAMP Moderate ATO (technically FedRAMP High for the underlying Azure Government). GCC is the government community cloud, one step below GCC High.
The catch: GCC is designed for government agencies and their direct contractors. It meets FedRAMP Moderate but does not include the same level of isolation as GCC High. Some C3PAOs may question whether GCC alone satisfies DFARS requirements for CUI handling. The safest path is GCC High, which is the more expensive option.
Google Workspace
FedRAMP High ATO for the underlying Google Cloud Platform. Google Workspace itself holds FedRAMP authorization.
The catch: FedRAMP authorization applies to the platform, but configuring Workspace to actually meet CMMC requirements for CUI handling requires Enterprise Plus with Assured Controls Plus and Assured Workloads at the IL4 level. The base FedRAMP authorization does not mean your specific Workspace configuration is compliant. Your C3PAO will evaluate your configuration, not just Google’s authorization.
Proton
No FedRAMP authorization. Proton is not listed on the FedRAMP Marketplace. Proton is headquartered in Switzerland and hosted on Swiss infrastructure. It does not meet US data sovereignty requirements regardless of authorization status.
PreVeil
FedRAMP Moderate equivalency (not a formal ATO). PreVeil has achieved a DoD determination of FedRAMP Moderate equivalency, meaning the DoD has assessed PreVeil’s security controls as equivalent to the FedRAMP Moderate baseline. This is not the same as a formal FedRAMP Authorization to Operate (ATO) listed on the FedRAMP Marketplace.
The catch: PreVeil is an overlay on top of your existing email (Gmail or Outlook). The equivalency applies to PreVeil’s encrypted enclave, not to your underlying email system. Your base email provider still needs to meet its own compliance requirements. Calendar and contacts are not included in PreVeil, so those remain on your non-compliant base system.
Purpose-built compliant platforms
Newer platforms built specifically for CMMC compliance may hold FedRAMP authorization or be pursuing it through the FedRAMP 20x program. Check the FedRAMP Marketplace for current status. The key is whether the platform itself (not just its underlying infrastructure) has been assessed.
Common mistakes
Confusing infrastructure authorization with application authorization
AWS has FedRAMP High. That does not mean every application running on AWS is FedRAMP authorized. Your email provider’s application layer must be assessed independently, not just the infrastructure it runs on.
Assuming FedRAMP equals CMMC compliance
FedRAMP authorization satisfies one requirement of DFARS 252.204-7012. CMMC Level 2 has 110 practices across 14 domains. FedRAMP covers the cloud service provider’s security, not your organization’s implementation of access controls, audit logging, incident response, and the other 100+ practices your C3PAO will assess.
Relying on FedRAMP authorization alone without verifying configuration
Google Workspace has FedRAMP authorization. But a misconfigured Google Workspace deployment does not meet CMMC requirements. Your C3PAO assesses your configuration, not your provider’s authorization. If MFA is not enforced, DLP is not configured, or audit logging is not enabled, the FedRAMP authorization is irrelevant.
Not checking the FedRAMP Marketplace
The FedRAMP Marketplace (marketplace.fedramp.gov) lists every authorized cloud service with its authorization level, sponsoring agency, and authorization date. Before choosing a provider, verify their listing. Marketing materials that say “FedRAMP compliant” without a Marketplace listing should be treated skeptically.
How to verify your email provider
- Check the FedRAMP Marketplace for your provider. Note the authorization level (Low, Moderate, High) and the specific service that is authorized.
- Confirm the authorized service matches what you use. Microsoft has multiple authorized services. Make sure the one you use (not just a different Microsoft product) is authorized at the correct level.
- Review your configuration against NIST 800-171 controls. FedRAMP authorization of the provider does not mean your deployment meets CMMC. You must configure and operate the system correctly.
- Ask your provider for their FedRAMP documentation. The System Security Plan (SSP) and customer responsibility matrix tell you which controls the provider handles and which are your responsibility.
- Document everything for your C3PAO. Your assessor will ask about your cloud service provider’s authorization status and your configuration. Have the evidence ready.
The bottom line
FedRAMP Moderate is the floor, not the ceiling. Your email provider must meet it. But meeting FedRAMP Moderate does not make your email system CMMC compliant. It makes your provider eligible. The rest depends on how you configure, operate, and document your deployment.
If your current email provider is not FedRAMP Moderate authorized, no amount of configuration will close the gap. You need a different provider.