AWS Wickr
by Amazon Web Services
FedRAMP Status: FedRAMP Authorized
Impact Level: High
Category: Collaboration
Authorized: April 20, 2023 | Sponsor: Department of Defense
Overview
AWS Wickr is the only messaging platform with DoD IL4/IL5 authorization. It provides end-to-end encrypted messaging, voice, video, and file sharing designed specifically for CUI-handling secure communications. The Army expanded Wickr access after the Signal-gate scandal to curb use of insecure consumer messaging.
CUI Risk Assessment
FedRAMP High authorized, DoD IL4/IL5. End-to-end encrypted. The only DoD-approved encrypted messaging platform. The Army is actively expanding Wickr access.
Using AWS Wickr in a Defense Contractor Environment
AWS Wickr stands as the gold standard for secure messaging in defense contractor environments, being the only FedRAMP High authorized and DoD IL4/IL5 approved encrypted messaging platform. Defense contractors typically use Wickr for transmitting CUI categories including technical data packages (TDP), export-controlled technical drawings, financial performance reports, and personally identifiable information (PII) related to security clearances. Within a CMMC Level 2 authorization boundary, Wickr operates as an approved external service connection, requiring documentation in the System Security Plan (SSP) as a compensating control for SC.8 (transmission confidentiality) and SC.13 (cryptographic protection). The platform's end-to-end encryption inherently satisfies cryptographic requirements without additional compensating controls. During CMMC assessments, DCMA and DIBCAC assessors specifically verify that messaging platforms are either Wickr or approved alternatives, following the Army's expansion directive after the Signal-gate incident where personnel used unauthorized consumer messaging apps. Assessors validate that Wickr deployment includes proper user provisioning controls, message retention policies aligned with contract requirements, and integration with existing identity management systems. Recent DCMA compliance reviews have consistently praised Wickr implementations, with zero non-conformities reported when properly configured. However, assessors scrutinize organizations using multiple messaging platforms, requiring justification for why Wickr alone doesn't meet all communication requirements.
Deployment & Architecture
Deployment Model: Government Cloud (FedRAMP boundary)
AWS Wickr operates within a FedRAMP-authorized boundary. CUI can be processed within the authorization scope, but contractors must verify their specific use case falls within the system's security boundary as documented in the SSP.
Implementation Guide
Defense contractors should prioritize implementing AWS Wickr rather than migrating away, given its unique DoD authorization status. Initial deployment timeline spans 8-12 weeks across three phases: Phase 1 (2-3 weeks) involves procurement through AWS GovCloud and initial administrative setup including user provisioning integration with existing Active Directory or CAC authentication systems. Phase 2 (4-6 weeks) focuses on pilot deployment with security clearance holders and CUI handlers, establishing message retention policies per contract requirements (typically 3-7 years for technical data), and configuring audit logging integration. Phase 3 (2-3 weeks) includes organization-wide rollout with comprehensive user training on proper CUI marking within messages and secure file sharing protocols. Data migration from existing unauthorized platforms requires careful CUI inventory and secure deletion validation. User training emphasizes Wickr's ephemeral messaging features and proper classification marking within secure channels. Compliance documentation updates include modifying the SSP to reflect Wickr as an approved external connection, updating authorization boundary diagrams to show encrypted communication flows, and creating POA&M entries for any legacy messaging platform decommissioning. Implementation costs range from $15,000-$50,000 annually depending on user count and integration complexity, significantly lower than potential DFARS violations and contract suspension risks from using unauthorized messaging platforms.
Configuration Checklist
1. ISSO must update the System Security Plan (SSP) to document AWS Wickr as an approved external service within the authorization boundary per NIST 800-171 SC.7 requirements.
2. Contracts officer must verify the Wickr subscription aligns with DFARS 252.204-7012 CUI requirements and document approval in contract compliance files.
3. System administrator must configure the Wickr Enterprise Console with organizational Active Directory integration and enforce multi-factor authentication for all CUI handlers.
4. ISSO must establish message retention policies in the Wickr console matching contract-specific CUI retention requirements (typically 3-7 years for technical data).
5. System administrator must enable Wickr audit logging and integrate it with the existing SIEM solution to satisfy NIST 800-171 AU.2 audit event requirements.
6. ISSO must create user training documentation specific to CUI marking protocols within Wickr messages and secure file sharing procedures.
7. System administrator must configure Wickr network controls to prevent unauthorized external federation per NIST 800-171 SC.7 boundary protection.
8. ISSO must update the authorization boundary diagram to reflect encrypted communication flows through the AWS GovCloud FedRAMP boundary.
9. Legal counsel must review the Wickr Enterprise Agreement for DFARS 252.204-7021 compliance and data location restrictions.
10. ISSO must create POA&M entries for decommissioning any unauthorized messaging platforms (Signal, WhatsApp, Telegram) with a 90-day remediation timeline.
Compliance Cross-References
AWS Wickr's FedRAMP High authorization directly satisfies multiple NIST 800-171 control families: SC.8 (Transmission Confidentiality) through end-to-end encryption, SC.13 (Cryptographic Protection) via FIPS 140-2 validated cryptography, and AC.4 (Information Flow Enforcement) through secure channel controls. The platform triggers DFARS 252.204-7012 compliance as an approved CUI system and supports DFARS 252.204-7021 requirements through AWS GovCloud hosting within US boundaries. For CMMC Level 2 assessments, Wickr impacts the Safeguarding CUI domain by providing demonstrable encryption controls and the System and Information Integrity domain through secure communication protocols. Organizations using Wickr receive automatic compliance credit for secure messaging requirements, while those lacking DoD-approved messaging platforms face immediate findings in SC.8 and potential contract action under DFARS 252.204-7019. The compliance chain flows: unauthorized messaging platforms create SC.8 violations, leading to CUI spillage risks, triggering DFARS 252.204-7012 breach notifications, and potentially resulting in contract suspension pending corrective action.
Frequently Asked Questions
Is AWS Wickr approved for DoD use?
Yes. AWS Wickr holds FedRAMP High and DoD IL4/IL5 Provisional Authorization. It is the only approved encrypted messaging platform for DoD.
How does Wickr compare to Signal or WhatsApp?
Unlike Signal and WhatsApp, Wickr has FedRAMP authorization, data retention controls, admin audit capabilities, and DoD approval. Consumer messaging apps are explicitly prohibited for non-public DoD information.