R3 Cybersecurity Compliance

CMMC/FedRamp Compliance for CUI and ITAR

R3 GovCloud - CMMC/FedRamp Compliance for CUI and ITAR

R3 supports Federal Government requirements for managing CUI and ITAR information based upon CMMC, FedRamp and DFAR standards. In 2023, with the planned release of the CMMC Assessment Process (CAP) guidelines and Federal Interim Rules, contractor CMMC v2 Level 2 compliance will begin to become a requirement for an increasing number of DOD contracts and subcontracts.

We support these requirements by providing R3 business solutions through the R3 GovCloud Workplace cloud service offering. This is one of our 3 cloud offerings (SaaS). It has the technical systems and operational support to enable Federal Government Contractors to be CMMC-compliant and meet ITAR requirements.

Your R3 GovCloud Workplace consisting of one or more R3 business solutions instantly becomes a CMMC-compliant and ITAR-compliant enclave. This means that it is a logically and physically separated domain. This can be leveraged to reduce the scope of applicability for the security requirements of your organizations’ CMMC assessment. This reduces the cost, complexity and speed to CMMC compliance.

R3’s 3 core solutions to Win contracts (WinCenter), Manage contracts (Contract Management), and Deliver contracts (Program Management) cover the bulk of the collaborative information systems used by GovCon to process, store and transmit CUI. Thus, once the information is within our enclave you are able to manage the information and your work through the end-to-end contract lifecycle. Enhanced by our fine-grained Role Based Security, you are empowered to open up the system to users across your organization, to drive productivity, eliminate gaps and cracks, while maintaining CMMC, ITAR and core security compliance.

All customers using the R3 GovCloud Workplace service, utilize either Microsoft Office 365 or GCC High. We use Single Sign On (SSO) for customers’ users to access R3 business solutions within the R3 GovCloud Workplace environment. We operate within a Shared Responsibility relationship with customers as you control authentication and access of your users. Through this model customers are able to leverage the R3 GovCloud Workplace enclave and continue to use just Office 365, and thereby, avoid the significant cost of having to move their organization to Microsoft GCC High.

Here are some of the key cybersecurity compliance standards that we follow in the R3 GovCloud Workplace:

  • CMMC v2 Level 2 – meeting 106/110 of the controls based upon NIST 800-171
  • FedRamp Moderate Equivalent – in addition to the CMMC controls we comply with the 61 NFO and 58 NCO controls to support NIST 800-53 requirements as our baseline for FedRamp Moderate Equivalency
  • DFARS 252.204-7012 – we support paragraphs c-g covering FedRamp Moderate Equivalency and DOD Incident Response
  • AWS Infrastructure – AWS GovCloud US West is certified for FedRamp High and DOD SRG Levels 4 and 5
  • ITAR support – All R3 technical personal are US citizens and AWS GovCloud West certifies US Citizens only

For more information about our 3 cloud service offerings including details of the R3 GovCloud offering see R3 Cloud Offerings.