FedRAMP Moderate Equivalent vs Moderate: What CMMC Level 2 Actually Requires

8 min read · Published May 14, 2026 · Updated May 16, 2026

FedRAMP Moderate Equivalent means a cloud service provider meets the FedRAMP Moderate baseline (325 controls from NIST SP 800-53 r5) and has a complete body of evidence — SSP, 3PAO assessment, customer responsibility matrix — proving it, but is not formally listed on the FedRAMP Marketplace. DoD's December 21, 2023 memo says a CSP handling CUI under DFARS 252.204-7012 must hit this bar. In practice, only AWS GovCloud (US), Azure Government / GCC High, and Google Assured Workloads currently meet it without controversy.

Where the rule came from

DFARS 252.204-7012 has required FedRAMP Moderate (or equivalent) cloud for CUI since 2017, but "equivalent" was undefined for years. CSPs and contractors interpreted it loosely. The December 21, 2023 memo from the DoD CIO ended the ambiguity by requiring a complete body of evidence:

  • A FedRAMP Moderate baseline System Security Plan.
  • A 3PAO-issued Security Assessment Report (SAR) against that baseline.
  • A Plan of Action and Milestones (POA&M).
  • A Customer Responsibility Matrix (CRM).
  • A Continuous Monitoring plan and ongoing scans.

Equivalent vs Authorized

FedRAMP Authorized

The CSP has been through the full FedRAMP PMO process, has a sponsoring agency or JAB provisional ATO, and is listed on marketplace.fedramp.gov. Examples: AWS GovCloud (High & Moderate), Microsoft Azure Government (High & Moderate), Google Workspace for Government.

FedRAMP Moderate Equivalent

The CSP has the body of evidence above but no ATO listing. Acceptable under DFARS 7012, but you (the contractor) are responsible for reviewing and accepting the equivalency package. If your C3PAO disagrees with the equivalency claim during a Level 2 assessment, you fail — even if the CSP says they're "equivalent".

What actually counts

  • AWS GovCloud (US-West, US-East) — FedRAMP High Authorized.
  • Microsoft Azure Government — FedRAMP High Authorized.
  • Microsoft 365 GCC High — FedRAMP High Equivalent and DoD IL5 authorized.
  • Google Assured Workloads for U.S. Government — FedRAMP High Authorized.

What doesn't count (even if vendors say it does)

  • Commercial AWS / Azure / GCP regions, even with "FedRAMP-aligned" controls toggled on.
  • Microsoft 365 Commercial or M365 GCC (the standard GCC tier — not GCC High).
  • "FedRAMP Ready" status — that means in-process, not equivalent.
  • SaaS tools that store CUI on commercial AWS — including most CRMs, project management tools, and AI assistants marketed as "secure".

What this means for your SSP

Your SSP must list every external system that touches CUI and the basis on which you accept it (Authorization number, or a documented equivalency review). Auditors will pull on this thread. The cleanest posture is to keep CUI in one FedRAMP-Authorized enclave and say so plainly in the SSP. Equivalency is legal but creates a paper trail you have to defend.
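One way to keep that inventory honest is to check it mechanically before an assessor does. The script below is an added example, not part of the article or of any Armory tooling: it walks a list of external systems and flags any CUI-touching system that is hosted in a commercial region, claims "authorized" without an authorization number, or claims "equivalent" without the five evidence items the DoD memo lists. The field names, the short evidence keys, and the sample systems and placeholder authorization id are all assumptions constructed for this example.

```python
# Added example (not from the article): check that every external system that
# touches CUI has a defensible basis recorded, per the SSP guidance above.
# Field names, sample systems and the placeholder authorization id are
# constructed for this example.
from dataclasses import dataclass

# The body of evidence an equivalency review must cover: SSP, 3PAO SAR,
# POA&M, CRM and ConMon. The short keys are this example's own naming.
EQUIVALENCY_EVIDENCE = ("ssp", "sar", "poam", "crm", "conmon")


@dataclass
class ExternalSystem:
    name: str
    touches_cui: bool
    basis: str = "none"                  # "authorized", "equivalent", or "none"
    authorization_id: str = ""           # FedRAMP authorization id when basis is "authorized"
    evidence: frozenset = frozenset()    # equivalency documents you actually reviewed
    commercial_region: bool = False      # hosted in a commercial AWS/Azure/GCP region?


def check_system(system: ExternalSystem) -> list[str]:
    """Return findings for one system; an empty list means nothing to defend."""
    findings: list[str] = []
    if not system.touches_cui:
        return findings  # no CUI, so DFARS 7012 cloud requirements do not apply
    if system.commercial_region:
        findings.append("hosted in a commercial region: does not count, "
                        "regardless of which controls are toggled on")
    if system.basis == "authorized":
        if not system.authorization_id:
            findings.append("basis is 'authorized' but no authorization id recorded")
    elif system.basis == "equivalent":
        missing = [doc for doc in EQUIVALENCY_EVIDENCE if doc not in system.evidence]
        if missing:
            findings.append("equivalency package incomplete, missing: " + ", ".join(missing))
    else:
        findings.append("touches CUI with no accepted basis")
    return findings


def check_inventory(systems: list[ExternalSystem]) -> dict[str, list[str]]:
    """Map each system name to its findings; clean systems are omitted."""
    return {s.name: f for s in systems if (f := check_system(s))}


# Constructed sample inventory: names and the authorization id are placeholders.
SAMPLE_INVENTORY = [
    ExternalSystem("cui-enclave", touches_cui=True, basis="authorized",
                   authorization_id="FR-PLACEHOLDER-0001"),
    ExternalSystem("crm-saas", touches_cui=True, basis="equivalent",
                   evidence=frozenset({"ssp", "sar", "poam"}), commercial_region=True),
    ExternalSystem("marketing-site", touches_cui=False),
    ExternalSystem("ticketing", touches_cui=True),
]

if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the sample inventory, only the enclave and the non-CUI site pass; the SaaS tool is flagged twice (commercial hosting, and a package missing the CRM and ConMon items) and the ticketing system once for having no basis at all. Swap the constructed list for your real SSP inventory and the output is the list of systems you will have to explain to the C3PAO.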

Frequently asked questions

Is AWS Commercial with GuardDuty and KMS 'equivalent' to FedRAMP Moderate?

No. FedRAMP Moderate Equivalency requires a complete body of evidence — SSP, 3PAO SAR, POA&M, CRM, ConMon — against the FedRAMP Moderate baseline. Toggling security features in commercial AWS does not produce that evidence package. Use AWS GovCloud for CUI workloads.

Can I host CUI in a commercial region if I encrypt it with my own keys?

No, and customer-managed encryption keys do not change the underlying FedRAMP requirement. DFARS 252.204-7012 applies to systems that store, process, or transmit CUI — encryption at rest does not exempt the underlying CSP from being FedRAMP Moderate (or equivalent).

Do I need FedRAMP High instead of Moderate?

Only if your CUI category demands it (some specified CUI, IL5 workloads, or contracts that explicitly require FedRAMP High). For most subcontractors handling standard CUI, FedRAMP Moderate or Moderate Equivalent is the bar.