Does your proposal software need FedRAMP? A compliance guide for GovCon teams in 2026.

Published on March 17, 2026

by Christina Carter

The answer depends on one question most vendors would rather you didn't ask.

Every GovCon software vendor selling into the proposal space is talking about FedRAMP right now. Procurement Sciences announced FedRAMP Moderate Authorization three days ago. GovSignals claims to be the only AI proposal platform at FedRAMP High. Unanet picked up FedRAMP Moderate Equivalency in January. AutogenAI Federal runs inside a FedRAMP High boundary through Palantir FedStart.

The pitch from all of them, including the ones we talk about on stargazy, is some version of the same idea: compliance is now table stakes for Federal GovCon proposal technology.

That statement is half right and half sales pressure. Whether your proposal software actually needs FedRAMP depends on a single threshold question that most of the compliance conversation skips entirely: does the tool process Controlled Unclassified Information?

If it does, the compliance requirements are real, specific, and getting stricter by the quarter. If it doesn't, you may be paying a premium for security controls that solve a problem you don't have.

This piece walks through what the compliance frameworks actually require, where the lines sit today, and how to make a defensible decision about which proposal tools belong in your stack.

The compliance stack, explained without jargon

Three frameworks matter for GovCon proposal software. They overlap, but they govern different things.

FedRAMP (Federal Risk and Authorization Management Program) applies to cloud service providers that store, process, or transmit federal data. It is a government-wide programme run by GSA that standardises security assessments for cloud products. There are three impact levels, each with its own control baseline: Low (156 controls), Moderate (323 controls), and High (410 controls), as of June 2025. The level is set by the potential damage if the system is compromised. FedRAMP authorisation means a full audit by a recognised third-party assessment organisation (3PAO), followed by federal agency or PMO sign-off, and listing on the FedRAMP Marketplace. As of mid-2025, the Marketplace lists 430 authorised cloud service offerings.

CMMC (Cybersecurity Maturity Model Certification) is a DoD-specific framework that verifies defence contractors actually meet the cybersecurity standards they've been self-attesting to under NIST SP 800-171 since 2017. The final DFARS rule was published on September 10, 2025 and took effect on November 10, 2025. Phase 1 is now live. Phase 2 begins November 10, 2026, at which point third-party C3PAO certification becomes a broader condition of award for Level 2 contracts. Full mandatory compliance across all applicable DoD contracts arrives by November 2028.

NIST SP 800-171 contains the 110 security requirements that protect CUI in non-federal systems. It is the operational backbone of CMMC Level 2. When people say a contractor needs to "be CMMC-compliant," what they mean in practice is that the contractor's systems handling CUI must implement these 110 requirements and be able to prove it to an assessor.

[Figure: GovCon compliance framework relationship]

The relationships between these three are straightforward. FedRAMP governs the cloud service provider. CMMC governs the contractor. NIST 800-171 provides the security requirements that both draw from. A contractor using a FedRAMP-authorised cloud tool for CUI can inherit many controls from the cloud provider, which simplifies their own CMMC assessment. A contractor using a non-authorised tool has to defend every control themselves.

CUI is the threshold, not "federal work"

The most common mistake in this conversation is treating all federal proposal work as if it carries the same compliance burden. It doesn't.

Controlled Unclassified Information has a specific legal definition maintained by the National Archives. There are 20 category groupings in the CUI Registry, covering everything from controlled technical information to export-controlled data to financial records subject to bank secrecy requirements. The key categories that show up in proposal work include source selection information provided by the government, controlled technical data from government-furnished documents, export-controlled specifications under ITAR or EAR, and certain past performance details tied to classified or sensitive programmes.

Here is where the distinction matters. A contractor's own internal win themes, boilerplate responses, and generic past performance narratives are almost certainly not CUI. A contractor's own budget projections are not CUI either; the budget category applies to a federal agency reporting to OMB, not to a contractor. Your marketing materials, your team bios, and your standard capability statements are not CUI.

The practical implication: a mid-market IT services firm bidding on civilian agency task orders through GSA OASIS, where the RFP is publicly posted on SAM.gov and the proposal content is the contractor's own intellectual property, does not have a regulatory requirement to run its proposal software in a FedRAMP-authorized environment. The tool is functioning as an internal business system, not as a cloud service processing federal data.

Contrast that with a defence prime managing a proposal for a classified programme, where the RFP includes controlled technical data, the proposal requires reference to CUI-designated past performance, and the pricing model incorporates government cost data. In that scenario, every cloud tool that touches that data is inside the contractor's CMMC assessment boundary. Every one.

The question for proposal teams is not "do we work with the government?" The question is, "Does CUI enter this system at any point in our proposal process?"

What changed in 2025 and 2026 that makes this urgent

CMMC stopped being theoretical

The DFARS final rule published September 10, 2025 created the mechanism for CMMC to appear in solicitations and contracts. Phase 1 began November 10, 2025. Contracting officers can now condition contract awards on CMMC self-assessments, and some programmes are already requiring Level 2 C3PAO certification at their discretion. By November 2026, third-party certification requirements become standard for Level 2. By November 2028, CMMC clauses become mandatory in all applicable DoD contracts. If a contractor's proposal tools are inside the CUI boundary and running on non-compliant cloud infrastructure, they have a gap that an assessor will find.

FedRAMP Equivalency lost its ambiguity

The DoD CIO issued a memorandum in January 2024 making it explicit: FedRAMP Moderate Equivalency does not equal FedRAMP Moderate Authorization. With authorised services, the CSP maintains security standards under government oversight. With equivalent services, the contractor bears the burden of verifying and defending the provider's security posture, contract by contract. There is no government-wide acceptance. The practical difference: a FedRAMP-authorised platform gives CMMC assessors a clean inheritance story. An equivalent platform forces the contractor to document and defend the provider's controls themselves.

AI tools entered the CUI boundary

When a proposal team uses an AI drafting tool and feeds it government-furnished documents, past performance write-ups referencing sensitive programmes, or pricing data built on government cost models, that AI system is processing CUI. The tool's data handling, model training practices, data residency, and access controls all become compliance-relevant. Every major AI proposal vendor is now racing to get FedRAMP credentials precisely because their customers' CMMC assessors are asking about it. Procurement Sciences secured Moderate Authorization. AutogenAI Federal operates at FedRAMP High. GovSignals claims FedRAMP High. The non-compliant AI tools in the market create a specific, measurable risk for defence contractors.

FedRAMP Authorized vs. Equivalency vs. "compliant infrastructure"

The proposal software market has three tiers of compliance posture, and the differences between them are not cosmetic.

FedRAMP Authorized means the application itself has completed the full authorization process, been audited by a 3PAO, received an Authority to Operate from a federal agency or the PMO, and is listed on the FedRAMP Marketplace. The authorization covers a defined boundary, and the provider submits to continuous monitoring: monthly vulnerability scans, annual reassessments, POA&M tracking, and incident reporting. CMMC assessors can accept inherited controls from authorized services without additional contractor documentation.

FedRAMP Moderate Equivalency means the provider has implemented the same NIST 800-53 controls, been assessed by a 3PAO, and produced a Body of Evidence that demonstrates alignment. But there is no government sponsor, no Marketplace listing, and no centralised government oversight of the provider's ongoing compliance. The contractor using an equivalent service has to validate the provider's security independently for each contract. Unanet took this path for its ERP GovCon product in January 2026. It is a legitimate security posture, but it places more compliance burden on the buyer.

"Built on FedRAMP-authorized infrastructure" is the most commonly misunderstood claim. Many SaaS vendors host on AWS GovCloud or Azure Government, both of which are FedRAMP-authorised at the infrastructure layer. Hosting on authorized infrastructure does not make the application FedRAMP-authorised. The SaaS application has its own authorization boundary. The infrastructure provider's controls cover the physical servers, networking, and hypervisor layer. The application's access controls, data encryption, multi-tenancy isolation, and vulnerability management are the application provider's responsibility. When a vendor says "we run on AWS GovCloud," they are describing where the servers sit, not the security posture of their software.

[Figure: Three tiers of compliance posture]

What doesn't matter (despite the marketing)

SOC 2 Type II does not satisfy federal compliance requirements. SOC 2 is an AICPA standard for commercial service providers. It verifies that a company follows its own stated security policies. It does not map to NIST 800-53 or 800-171 controls. CMMC assessors do not accept SOC 2 reports as evidence of federal compliance. A vendor leading with SOC 2 as their primary security credential for GovCon buyers is demonstrating good commercial hygiene, not federal readiness.

FedRAMP Low is insufficient for any tool handling CUI. Under FIPS 199, the impact categorisation standard that FedRAMP inherits, systems processing CUI typically require Moderate or higher. Low covers systems where a breach would have limited adverse effect. Proposal data containing source selection information, controlled technical data, or government cost models does not fit that description.

On-premises deployment does not eliminate the compliance obligation. FedRAMP specifically governs cloud services, so a tool running entirely on a contractor's own servers does not need FedRAMP authorisation. But NIST 800-171 and CMMC still apply to those on-premises systems if they process CUI. The compliance requirement does not disappear. It moves from a FedRAMP question (is my cloud provider authorised?) to a direct implementation question (have I implemented all 110 NIST 800-171 controls on this system?). For most mid-market contractors, managing that implementation internally costs more than using an authorised cloud service.

"FedRAMP-compliant" is not a recognized designation. FedRAMP does not use the term "compliant." A service is either Authorized, In Process, Ready, or none of the above. Vendors describing themselves as "FedRAMP-compliant" without further qualification are using a marketing term with no regulatory standing. Ask for the Marketplace listing.

When FedRAMP matters and when it doesn't

The table below maps common GovCon proposal scenarios to their actual compliance requirements. The answers assume the contractor is using a cloud-based proposal tool (SaaS).

[Figure: GovCon FedRAMP scenario matrix (table image not recoverable)]

The buyer's checklist: 15 questions before selecting proposal software

Before signing a contract for any proposal management or AI proposal tool, a GovCon security or compliance lead should be able to answer these questions. The answers determine whether compliance is a real requirement or a marketing-driven concern.

Scope questions (answer these first)

  1. Does your proposal process involve government-furnished documents that carry CUI markings or designations (CTI, FOUO, export-controlled data)?

  2. Do your proposal teams reference past performance from programmes where the performance details are designated as CUI?

  3. Does your pricing team incorporate government cost data, DCAA-auditable rate structures, or controlled financial information into the proposal tool?

  4. Do you maintain separate instances or environments for CUI-bearing and non-CUI work, or does everything run in a single system?

  5. If you use AI features, does the AI ingest any of the content types described above?

If the answer to all five is "no," your compliance obligation for the proposal tool is minimal. If any answer is "yes," proceed to the compliance questions.

Compliance questions (if CUI is in scope)

  1. Is the vendor's product listed on the FedRAMP Marketplace? At what impact level (Low, Moderate, High)?

  2. If the vendor claims FedRAMP Equivalency rather than Authorization, who performed the 3PAO assessment and when was it completed?

  3. For equivalent solutions: does the vendor provide a complete Body of Evidence that your C3PAO can review during your CMMC assessment?

  4. Is the application deployed in a government cloud environment (AWS GovCloud, Azure Government, GCC High), or in the vendor's commercial cloud?

  5. Does the vendor's data handling policy confirm zero data retention for AI features? Is your proposal content excluded from model training?

Operational questions (regardless of CUI status)

  1. Does the vendor provide audit logs sufficient for CMMC assessment objectives (access logging, change tracking, data export records)?

  2. Does the tool support role-based access controls at the proposal level, including restricting access to pricing volumes separately from technical volumes?

  3. Can you export your entire content library and proposal history in a standard format if you need to migrate?

  4. Does the vendor support your existing workflow tools (SharePoint, Word, Teams) or require your team to work inside the vendor's proprietary interface?

  5. What happens to your data if the vendor loses its FedRAMP authorisation or goes out of business?

See stargazy's proposal technology evaluation framework here.

Where this goes in the next 12 months

The CMMC Phase 2 deadline of November 2026 will force the first large-scale reckoning. Every defence contractor that has been self-attesting compliance while running CUI through non-authorised cloud tools will face a binary choice: remediate or lose eligibility. The C3PAO assessment capacity is already strained. Fewer than 600 certified assessors serve an estimated 80,000 contractors requiring Level 2 certification, and wait times are expected to exceed 18 months by Q3 2026.

On the FedRAMP programme side, the 20x initiative is redesigning how authorisations work. Phase 3, expected in the second half of 2026, will open wide-scale adoption of the new continuous compliance model, replacing the current document-heavy Rev5 process with machine-readable security evidence and automated validation. For software vendors, this lowers the cost and timeline of getting authorised. For buyers, it should increase the supply of genuinely authorised tools within 18 to 24 months.

The AI dimension will accelerate both sides of the split. Defence contractors will increasingly require FedRAMP-authorised AI tools because their assessors will require it. Civilian contractors and commercial-focused firms will continue using non-authorised tools because the regulatory pressure doesn't apply to them. The vendors that win will be those that can serve both markets without forcing the lower-risk buyers to subsidise the higher-risk compliance infrastructure they don't need.

[Figure: CMMC and FedRAMP 20x dual timeline]

For proposal leaders reading this now, audit your data flows before your C3PAO does. Know where CUI enters your proposal process. Make your software decisions on that basis, not on vendor marketing.

Frequently asked questions

Does every government contractor need FedRAMP-authorized proposal software?

No. FedRAMP is required for cloud services that process, store, or transmit federal data, which in a proposal context means Controlled Unclassified Information. Contractors bidding on civilian agency work with publicly available RFPs and contractor-authored content do not have a regulatory requirement for FedRAMP-authorised proposal tools. The requirement activates when CUI enters the system.

What is the difference between FedRAMP Authorization and FedRAMP Equivalency?

Authorization means the product has been audited by a 3PAO, received an Authority to Operate from a federal agency or the PMO, and is listed on the FedRAMP Marketplace with continuous government oversight. Equivalency means the provider has implemented equivalent controls and been assessed, but has no government sponsor, no Marketplace listing, and no centralised oversight. The DoD CIO has stated that these two are not interchangeable, and CMMC assessors may treat them differently.

Does hosting on AWS GovCloud make a product FedRAMP-authorized?

No. AWS GovCloud is FedRAMP-authorised at the infrastructure layer. A SaaS application running on GovCloud has its own authorization boundary that must be independently assessed. The infrastructure provider's authorization does not extend to applications built on top of it.

If I use AI proposal tools, does the AI need to be FedRAMP-authorized?

If the AI tool processes CUI (for example, if you feed it government-furnished documents, CUI-designated past performance, or controlled pricing data), then the AI system is inside your CMMC assessment boundary. The tool's data handling, model training practices, and access controls all become compliance-relevant. For DoD contractors handling CUI, the AI tool's FedRAMP status directly affects your compliance posture.

What is the CMMC timeline that matters for proposal teams?

Phase 1 began November 10, 2025 (self-assessments required for select contracts). Phase 2 begins November 10, 2026 (third-party C3PAO certifications become a broader condition of award). Full mandatory compliance by November 10, 2028. If your proposal tools handle CUI and sit inside your CMMC boundary, they need to be compliant before your next C3PAO assessment.

Do state and local government proposals require FedRAMP?

No. FedRAMP is a federal programme. State and local government work may be subject to GovRAMP (formerly StateRAMP), which uses the same NIST 800-53 foundation but is governed separately and currently voluntary in most jurisdictions.

Christina Carter

I’m the founder of stargazy, the intelligence network for capture and proposal professionals, with 15+ years of running presales and proposal teams for B2B Enterprise, UK Public Sector, and US GovCon around the globe.