FutureFeed, CMMC 2.0, and Shared Responsibility

Why This Matters

FutureFeed exists to help defense contractors organize their cybersecurity information, manage their IT and compliance activities, and build a defensible System Security Plan (SSP).

That mission matters for CMMC scoping.

FutureFeed is not intended to be a primary system for hosting Controlled Unclassified Information (CUI). Its purpose is to document how CUI is protected across an organization — not to become the system where that CUI lives.

At the same time, FutureFeed is built and secured such that if CUI were to spill into the platform, it would be protected appropriately. That distinction is important and often misunderstood.

This article explains:

  • What FutureFeed is designed to do (and what it is not)
  • How it is classified under DoD CMMC regulations
  • Why a Customer Responsibility Matrix (CRM) is not required for FutureFeed
  • Why FutureFeed will still provide one as a customer convenience
  • How our FedRAMP Moderate Equivalency effort fits into this picture

What FutureFeed Is Designed to Do

FutureFeed is a governance, risk, and compliance (GRC) platform whose mission is to help organizations:

  • Organize cybersecurity and compliance information
  • Manage IT and security activities
  • Track control implementation and ownership
  • Coordinate remediation and POA&Ms
  • Build, maintain, and defend a compliant System Security Plan (SSP)

FutureFeed is a system of record for cybersecurity intent, design, and evidence — not for operational mission data.


What FutureFeed Is Not Designed to Be

FutureFeed is not designed or marketed as a CUI hosting system.

We do not position FutureFeed as:

  • A document repository for controlled technical data
  • A collaboration platform for CUI-bearing contract deliverables
  • A production system where CUI is routinely processed or transmitted

CUI should reside in systems that are purpose-built, authorized, and scoped specifically for that role.


A Critical Distinction: Capability vs. Mission

FutureFeed can securely store CUI if it is inadvertently introduced.

That is a capability, not a mission.

This is an intentional design choice. Because FutureFeed stores sensitive cybersecurity and compliance data — including System Security Plans, network descriptions, vulnerabilities, and control implementations — it must be secured to a standard that assumes high sensitivity.

However:

The intended function of a system is what drives its CMMC asset classification — not hypothetical misuse.

This distinction is explicitly recognized in CMMC scoping guidance.


CMMC Asset Classification: Where FutureFeed Fits

Under DoD CMMC 2.0 regulations (32 CFR Part 170), FutureFeed is classified as a Security Protection Asset (SPA).

This classification is deliberate, defensible, and aligned with the system’s mission.


Why FutureFeed Is a Security Protection Asset (SPA)

Under CMMC definitions:

  • Security Protection Assets are systems that provide security-related capabilities or support the protection of CUI.
  • Security Protection Data (SPD) is data used to design, implement, manage, or assess those protections.

FutureFeed qualifies as an SPA because:

  1. Its mission is security governance
    • Control documentation
    • Risk and remediation management
    • SSP development and maintenance
    • Audit readiness and evidence coordination
  2. It stores Security Protection Data
    • SSPs, policies, procedures
    • Control descriptions and mappings
    • Assessment artifacts and POA&Ms
  3. It supports — but does not perform — CUI processing
    • It documents how CUI systems are secured
    • It does not host operational CUI as part of normal use
  4. Its security posture is intentionally high
    • Hosted entirely in AWS GovCloud (US)
    • Infrastructure managed by Project Hosts
    • FedRAMP Moderate Equivalency audit completed and awaiting results

This is precisely the role DoD envisions for Security Protection Assets.


Why FutureFeed Is Not a CUI Asset

CUI Assets are systems whose intended function is to store, process, or transmit CUI as part of normal operations.

FutureFeed does not meet that definition.

While it is capable of protecting CUI if it appears, that is not its operational role, and capability alone does not drive classification under CMMC.


Why FutureFeed Is Not Out-of-Scope

FutureFeed cannot be treated as out-of-scope because:

  • It stores Security Protection Data
  • It directly supports the cybersecurity program
  • Assessors routinely review GRC platforms during evaluations

Treating a GRC platform as out-of-scope is a common and avoidable scoping error.


Customer Responsibility Matrix (CRM): Required vs. Optional

Under CMMC 2.0:

  • Customer Responsibility Matrices are required for CUI Assets
  • They are not required for Security Protection Assets

Because FutureFeed is an SPA, a CRM is not a regulatory requirement for its use.

That said, shared responsibility still exists, and clarity benefits everyone.


Why FutureFeed Will Provide a CRM Anyway

Although not required, FutureFeed will provide a Customer Responsibility Matrix as a customer convenience and clarity tool, aligned with the finalization of our security posture.

The CRM will:

  • Clearly document responsibility boundaries
  • Reduce friction during assessments
  • Help customers explain FutureFeed’s role to assessors
  • Reflect validated system boundaries following our FedRAMP Moderate Equivalency results

This is about customer experience and audit efficiency, not regulatory obligation.


Hosting and FedRAMP Moderate Equivalency Status

FutureFeed is hosted entirely in AWS GovCloud (US).

  • Infrastructure is managed by Project Hosts
  • Lunarline was engaged to perform the independent FedRAMP Moderate Equivalency audit
  • Audit activities are complete
  • Results are currently pending publication

Once finalized, FutureFeed will publish supporting materials and complete the CRM to reflect the validated posture.


Shared Responsibility (High-Level)

At a high level:

FutureFeed is responsible for

  • Platform and infrastructure security
  • Application-level access controls
  • Logging, monitoring, and system integrity
  • Secure hosting and operations

Customers are responsible for

  • User access management
  • Appropriate data usage
  • Ensuring CUI is not intentionally stored in the platform
  • Operating FutureFeed in accordance with internal policies

The forthcoming CRM will formalize this model.


Bottom Line

  • FutureFeed’s mission is governance, not CUI hosting
  • It is properly classified as a Security Protection Asset
  • CRMs are not required for SPAs under CMMC
  • FutureFeed will provide a CRM anyway, as a customer benefit
  • FedRAMP Moderate Equivalency results are pending and will finalize this posture

FutureFeed helps you organize, explain, and defend your cybersecurity program — so when an assessor asks “how do you protect CUI?”, you have a coherent, credible answer.

That’s the point.