pWin.ai has completed a FedRAMP Moderate-equivalency assessment for its cloud service offering. In the defense contractor context, that means our platform was assessed against the FedRAMP Moderate baseline and is supported by the body of evidence that is typically needed when evaluating cloud services used for Controlled Unclassified Information (CUI) and other covered defense information. 

In this blog, we explain why we chose the DoD-relevant FedRAMP Moderate-equivalency path, what that means in practice, and how buyers should evaluate FedRAMP-related claims from cloud and AI vendors.

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that standardizes security assessment, authorization, and continuous monitoring requirements for cloud products and services used by federal agencies.

FedRAMP baselines generally align to low-, moderate-, and high-impact systems, reflecting increasing severity of adverse impact if confidentiality, integrity, or availability is compromised:

Low: For systems with limited impact if compromised

Moderate: For systems where a breach could have serious adverse effects

High: For systems involving rare, extremely critical data categories

For defense contractors that use an external cloud service provider to process, store, or transmit covered defense information or CUI, DFARS guidance points to a FedRAMP Moderate or equivalent cloud security baseline.

What Is FedRAMP Moderate Equivalency and Why Did pWin.ai Choose It?

Under DoD guidance, a cloud service pursuing FedRAMP Moderate equivalency is assessed against the FedRAMP Moderate baseline and must achieve 100% compliance with that baseline at the conclusion of the 3PAO assessment, supported by a defined Body of Evidence.

FedRAMP Authorization and DoD Moderate Equivalency are different paths, and it’s vital to understand why Equivalency is so strict. In a traditional FedRAMP Authorization, a federal agency’s Authorizing Official (AO) has the power to accept residual risk. That means a cloud vendor can be “FedRAMP Authorized” even if they have open vulnerabilities or unmet controls (POA&Ms).

In the DoD Moderate-Equivalency path, there is no government AO to accept that risk. Because of this, the January 2024 DoD CIO Memorandum dictates that we must achieve 100% compliance with the FedRAMP Moderate baseline. For defense contractors terrified of supply chain risk, this provides massive reassurance: pWin.ai meets the standard outright, with no reliance on government waivers or accepted risks.

“Equivalency” means:

  1. Our cloud service offering was assessed against the FedRAMP Moderate baseline.
  2. Our supporting Body of Evidence includes the materials customers expect to review for Moderate-equivalent cloud services, such as the SSP, SAP, SAR, and POA&M.
  3. Where appropriate, we make those materials available under NDA through our Trust Center or security review process.
  4. We are audited by a 3PAO (Third-Party Assessment Organization) or a qualified independent assessor.

pWin.ai is not currently claiming FedRAMP Authorization or a FedRAMP Marketplace listing. We chose the DoD-relevant Moderate-equivalency path because our near-term focus is supporting defense-contractor and industry use cases that require FedRAMP Moderate-equivalent cloud controls for covered defense information and CUI.

What Are the Three Different Concepts People Often Confuse?

This is where much of the confusion enters the discussion. There are three distinct concepts, and they should not be treated as interchangeable.

FedRAMP Authorized

A SaaS product is FedRAMP Authorized only when the Cloud Service Offering (CSO) itself has gone through the FedRAMP authorization process and appears on the official FedRAMP Marketplace. If a vendor claims full FedRAMP Authorization, but does not cite a Marketplace CSO listing, that is a red flag.

FedRAMP Moderate Equivalency under DoD/DFARS

FedRAMP Moderate Equivalency is a separate concept. In the DoD/DFARS context, it refers to demonstrating a security posture equivalent to FedRAMP Moderate for handling covered defense information and CUI. This is not the same thing as having a FedRAMP Marketplace authorization. It is also not a self-attestation exercise. Under DoD guidance in the context of DFARS 252.204-7012, equivalency requires:

100% control compliance

Verification by a FedRAMP-recognized Third-Party Assessment Organization (3PAO)

A documented Body of Evidence

Independent validation

Operating inside a FedRAMP Authorized environment / inheriting controls

This is where the most market confusion (and sometimes vendor deception) can come into play. A SaaS product might be built on AWS GovCloud or Azure Government (which are FedRAMP Authorized). While inheriting infrastructure controls is a good start, it does not make the SaaS product itself FedRAMP Authorized or Equivalent. The SaaS layer must still be assessed on its own.

Think of it like renting a highly secure bank vault, but leaving the door to your specific safety deposit box wide open. Inheritance reduces the burden, but the SaaS application layer must still be independently assessed.

How to check this claim: If a vendor says “We are built on FedRAMP High infrastructure,” ask them: “Has your specific SaaS application layer been assessed by a 3PAO for 100% compliance with Moderate Equivalency, or are you only relying on your hosting provider’s authorization?”

Being built on FedRAMP-authorized infrastructure does not equal a Marketplace listing. Inheritance of controls may reduce what a vendor must build and assess directly, but it does not eliminate the need to assess the SaaS itself.

How Do I Check a Tool’s Claims?

Ask which of the three categories the vendor is actually claiming.

If the claim is FedRAMP Authorized, ask for the official FedRAMP Marketplace listing for that Cloud Service Offering.

Under DoD guidance, FedRAMP Moderate equivalency is more than an internal control mapping exercise. The published guidance centers on a defined Body of Evidence and validation by a FedRAMP-recognized 3PAO.

If a vendor claims “FedRAMP Authorized,” ask for the specific CSO name, Marketplace designation, and authorizing agency. If the vendor instead describes an “authorized environment,” ask whether the vendor’s own SaaS is the authorized CSO or whether it operates within someone else’s authorized boundary.

What Is Your Plan for FedRAMP High Equivalency?

Buyers often ask if they should hold out for a cloud vendor offering “FedRAMP High Equivalency.” The simple answer is: FedRAMP High Equivalency does not exist in DoD regulations.

Under DFARS 252.204-7012, the Department of Defense explicitly established FedRAMP Moderate Equivalency as the standard for contractors handling Controlled Unclassified Information (CUI). The DoD has never created or published a pathway, memo, or standard for “High Equivalency.” If a vendor is claiming High Equivalency, they are using a marketing term, not a recognized DoD compliance standard. We chose Moderate Equivalency because it is the highest regulatory standard the DoD has actually established for defense contractors handling CUI.

What to Know About pWin.ai’s Security Posture

pWin.ai uses a federal-first security model aligned with NIST SP 800-53 Rev. 5 through its FedRAMP Moderate-equivalency work and is designed to support customers operating under NIST SP 800-171 Rev. 2/CMMC Level 2 requirements.

These federal frameworks are generally more prescriptive at the control-implementation level than broad commercial attestation frameworks such as SOC 2 and ISO/IEC 27001. 

Prospective customers can request access to our Trust Center, scope documentation, and Body of Evidence review process by emailing info@pwin.ai.

pWin.ai’s Roadmap

We started our security journey at the top of the mountain. Because our federal-first security model aligns with NIST SP 800-53 Rev. 5, pWin.ai already operates at a level of rigor that exceeds broad commercial frameworks like SOC 2 or ISO/IEC 27001.

While we have invested heavily in our current control environment, we recognize the value of commercial attestations for standardizing procurement. We are targeting future SOC 2 and ISO audits as a “translation layer” to map our existing, rigorous federal controls into the commercial reporting formats procurement teams are accustomed to.

We monitor customer demand for deployment options in Microsoft’s national security cloud environments. Any future deployment would depend on customer sponsorship, service availability in the target environment, and the applicable authorization process. Any future work in higher-classification environments would be customer-specific and dependent on sponsorship, service availability, and the applicable approval process.
