FutureFeed, CMMC 2.0, and Shared Responsibility
Why This Matters
FutureFeed exists to help defense contractors organize their cybersecurity information, manage their IT and compliance activities, and build a defensible System Security Plan (SSP).
That mission matters for CMMC scoping.
FutureFeed is not intended to be a primary system for hosting Controlled Unclassified Information (CUI). Its purpose is to document how CUI is protected across an organization — not to become the system where that CUI lives.
At the same time, FutureFeed is built and secured such that if CUI were to spill into the platform, it would be protected appropriately. That distinction is important and often misunderstood.
This article explains:
- What FutureFeed is designed to do (and what it is not)
- How it is classified under DoD CMMC regulations, and why we recommend CRMA
- Why a Customer Responsibility Matrix (CRM) is not required for FutureFeed
- Why FutureFeed will still provide one as a customer convenience
- How our FedRAMP Moderate Equivalency effort fits into this picture
What FutureFeed Is Designed to Do
FutureFeed is a third-party Software-as-a-Service (SaaS) governance, risk, and compliance (GRC) platform designed to support internal security governance and CMMC compliance management activities. It helps organizations:
- Document policies and procedures
- Manage IT and security activities
- Track control implementation and ownership
- Coordinate remediation and POA&Ms
- Build, maintain, and defend a compliant System Security Plan (SSP)
FutureFeed is a system of record for cybersecurity intent, design, and evidence — not for operational mission data.
What FutureFeed Is Not Designed to Be
FutureFeed is not designed, authorized, or intended to be a CUI hosting system.
We do not position FutureFeed as:
- A document repository for controlled technical data
- A collaboration platform for CUI-bearing contract deliverables
- A production system where CUI is routinely processed or transmitted
CUI should reside in systems that are purpose-built, authorized, and scoped specifically for that role.
Additionally, FutureFeed does not perform security protection functions for a customer's CUI enclave. It does not provide authentication services, logging infrastructure, endpoint protection, vulnerability scanning, or any technical enforcement capability within a CUI system boundary.
A Critical Distinction: Capability vs. Mission
FutureFeed can securely store CUI if it is inadvertently introduced.
That is a capability, not a mission.
This is an intentional design choice. Because FutureFeed stores sensitive cybersecurity and compliance data — including System Security Plans, network descriptions, vulnerabilities, and control implementations — it must be secured to a standard that assumes high sensitivity.
However:
The intended function of a system is what drives its CMMC asset classification — not hypothetical misuse.
This distinction is explicitly recognized in CMMC scoping guidance.
Sensitive Data: A Critical Distinction
Although FutureFeed is not intended to store CUI, it does contain sensitive security-related information, including:
- Control implementation details
- System configuration references
- Security architecture documentation
- Risk assessments and POA&Ms
- Compliance evidence artifacts
This information does not constitute CUI. However, unauthorized disclosure could increase risk to the confidentiality and security posture of a customer's CUI environment. This is why FutureFeed is secured to a high standard — and why it cannot be treated as out-of-scope.
CMMC Asset Classification: Our Recommendation Is CRMA
Under DoD CMMC 2.0 regulations (32 CFR Part 170), FutureFeed recommends that customers classify the platform as a Contractor Risk Managed Asset (CRMA).
Why CRMA Is the Right Classification
CRMAs are assets that:
- Do not process, store, or transmit CUI
- Are not directly involved in the technical protection or enforcement of CUI security controls
- Are managed under the contractor's formal risk management program
FutureFeed meets this definition because:
- It is external to the CUI System Boundary
- It is not used for contract deliverables or operational CUI processing
- It performs no security enforcement functions (monitoring, detection, prevention, or response) within the CUI enclave
- Organizational policy prohibits CUI from being uploaded or stored in the platform
Why FutureFeed Is Not a CUI Asset
CUI Assets are systems whose intended function is to store, process, or transmit CUI as part of normal operations. FutureFeed does not meet that definition. While it is capable of protecting CUI if it is inadvertently introduced, that capability does not drive classification — intended function does.
Why FutureFeed Is Likely Not a Security Protection Asset (SPA)
An asset's classification is based on how the organization actually uses it. Security Protection Assets are assets that provide security-related capabilities — such as monitoring, enforcement, detection, or prevention — that directly protect the CUI environment. FutureFeed documents and manages security governance, but it does not perform technical security protection functions within a customer's CUI boundary. It supports the security program; it does not enforce it.
Why FutureFeed Cannot Be Treated as Out-of-Scope
Even as a CRMA, FutureFeed cannot be treated as out-of-scope. It contains sensitive security documentation that, if disclosed, could increase risk to a customer's CUI enclave. Assessors routinely review GRC platforms during evaluations. Treating a GRC platform as out-of-scope is a common and avoidable scoping error.
How Risks Are Managed Under a CRMA Classification
Risks associated with FutureFeed's use are managed through FutureFeed's formal risk management process, including:
- Vendor security due diligence and review
- Contractual security and confidentiality protections
- Role-based access controls
- Multi-factor authentication enforcement
- Encryption of data in transit and at rest
- Periodic review of user access and stored artifacts
- Organizational policy prohibiting CUI upload
FutureFeed monitors and manages risks associated with the platform to ensure that its use does not introduce unacceptable risk to a customer's CUI enclave.
Customer Responsibility Matrix (CRM): Required vs. Optional
Under CMMC 2.0:
- Customer Responsibility Matrices are required for CUI Assets
- They are not required for Contractor Risk Managed Assets
Because FutureFeed is intended to serve as a CRMA, a CRM is not a regulatory requirement for its use.
That said, clarity benefits everyone.
Why FutureFeed Will Provide a CRM Anyway
Although not required, FutureFeed provides a Customer Responsibility Matrix as a customer convenience and clarity tool.
The CRM:
- Clearly documents responsibility boundaries
- Reduces friction during assessments
- Helps customers explain FutureFeed's role to assessors
- Reflects the system boundaries validated through our FedRAMP Moderate Equivalency
This is about customer experience and audit efficiency, not regulatory obligation.
Hosting and FedRAMP Moderate Equivalency
FutureFeed is hosted entirely in AWS GovCloud (US), with infrastructure managed by Project Hosts.
FutureFeed has achieved FedRAMP Moderate Equivalency. Lunarline was engaged to perform the independent audit, and that process is now complete. This achievement reinforces the security posture that supports the CRMA classification and provides customers with additional assurance that FutureFeed's environment is managed to a high standard. Supporting materials and the finalized CRM are available to customers.
Shared Responsibility (High-Level)
FutureFeed is responsible for:
- Platform and infrastructure security
- Application-level access controls
- Logging, monitoring, and system integrity
- Secure hosting and operations
- Enforcing policy prohibitions on CUI storage within the platform
Customers are responsible for:
- User access management
- Ensuring CUI is not intentionally uploaded or stored in the platform
- Operating FutureFeed in accordance with internal policies
- Documenting FutureFeed's CRMA classification within their own SSP and scoping decisions
The CRM formalizes this model.
Bottom Line
- FutureFeed's mission is governance, not CUI hosting
- FutureFeed does not perform security enforcement functions within a customer's CUI boundary
- FutureFeed recommends customers classify the platform as a Contractor Risk Managed Asset (CRMA)
- CRMs are not required for CRMAs under CMMC — but FutureFeed provides one anyway as a customer benefit
- FutureFeed has achieved FedRAMP Moderate Equivalency, and supporting documentation is available
FutureFeed helps you organize, explain, and defend your cybersecurity program — so when an assessor asks "how do you protect CUI?", you have a coherent, credible answer.
That's the point.