Not CUI Compliant
4 NIST 800-171 gaps detected. Not FedRAMP authorized. Using this tool for CUI creates compliance violations under NIST 800-171 and DFARS 252.204-7012.
GoToMeeting
by GoTo
FedRAMP Status: Not FedRAMP Authorized
Impact Level: N/A
Category: Video Conferencing
Overview
GoToMeeting is a commercial video conferencing service from GoTo (formerly LogMeIn). It is not FedRAMP authorized and should not be used for government meetings involving CUI.
CUI Risk Assessment
Not FedRAMP authorized. Using this tool for CUI creates compliance violations under NIST 800-171 and DFARS 252.204-7012.
Using GoToMeeting in a Defense Contractor Environment
GoToMeeting presents significant compliance risks for defense contractors handling CUI in virtual meetings. This tool typically processes sensitive data including technical drawings during design reviews, program schedules with milestone dates, cost proposals containing financial data, and participant PII during authentication.
Within a CMMC Level 2 authorization boundary, GoToMeeting would need to reside within the CUI processing environment, requiring FedRAMP authorization which it lacks. The tool's commercial cloud infrastructure cannot provide adequate protection for CUI as mandated by NIST 800-171. No compensating controls can adequately address the fundamental issue of CUI processing in non-authorized infrastructure.
DCMA and DIBCAC assessors consistently flag unauthorized video conferencing platforms during CMMC assessments, specifically noting violations when meeting recordings contain technical discussions or when screen sharing exposes CUI documents. Recent DCMA reviews have identified GoToMeeting usage as a systemic finding, particularly when defense contractors use it for program management offices (PMOs) discussing schedule performance or technical interchange meetings. Assessors examine meeting logs, recording storage locations, and participant access controls, finding that commercial platforms cannot meet required encryption standards, boundary protection, or audit logging requirements for CUI environments.
Deployment & Architecture
Deployment Model: Cloud SaaS (vendor-hosted)
GoToMeeting lacks FedRAMP authorization. Using this tool for CUI processing violates DFARS 252.204-7012 requirements. Defense contractors must evaluate FedRAMP-authorized alternatives or implement and document compensating controls in their POA&M.
Migration Guidance
Defense contractors must immediately migrate away from GoToMeeting for any meetings involving CUI. The migration timeline requires 6-8 weeks minimum.
- Phase 1 (Weeks 1-2): Conduct inventory of existing GoToMeeting accounts, identify CUI exposure incidents, and establish interim meeting protocols using compliant alternatives.
- Phase 2 (Weeks 3-4): Deploy FedRAMP-authorized alternatives like Microsoft Teams for Government or Adobe Connect FedRAMP, configure boundary protections, and establish encryption key management.
- Phase 3 (Weeks 5-6): Execute data migration including secure deletion of historical meeting recordings from GoToMeeting servers, transfer approved recordings to compliant storage following CUI marking and handling procedures.
- Phase 4 (Weeks 7-8): Complete user training on new platform security features, update security documentation, and validate compliance.
Critical consideration: All CUI-related meeting recordings must be securely purged from GoToMeeting infrastructure with vendor-provided deletion certificates.
Recommended alternatives include Microsoft Teams for Government ($8/user/month), Adobe Connect FedRAMP ($50/user/month), or on-premises solutions like Jitsi Meet. Migration costs range from $15,000-$50,000 for organizations with 100-500 users, including licensing, configuration, training, and compliance documentation updates. User training requires 4-8 hours per person covering CUI handling protocols in virtual environments.
Migration Checklist
1. ISSO shall immediately audit all active GoToMeeting accounts and document CUI exposure incidents in the POA&M per NIST 800-171 requirement 3.13.8.
2. Contracts officer must notify DCMA of non-compliant tool usage and provide remediation timeline per DFARS 252.204-7012 notification requirements.
3. System administrator shall deploy FedRAMP-authorized alternative (Microsoft Teams Government or Adobe Connect FedRAMP) within the established authorization boundary.
4. ISSO shall update the System Security Plan (SSP) to remove GoToMeeting from the authorization boundary diagram and add compliant replacement.
5. System administrator must securely delete all meeting recordings and chat logs from GoToMeeting infrastructure and obtain vendor deletion certification.
6. ISSO shall implement data loss prevention (DLP) policies blocking future GoToMeeting access from CUI processing systems per NIST 800-171 AC-4.
7. Training officer must conduct mandatory security awareness training on CUI handling during virtual meetings for all affected personnel.
8. ISSO shall configure audit logging on replacement platform to capture required events per NIST 800-171 AU family requirements.
9. System administrator must establish encrypted communication channels and validate FIPS 140-2 compliance of replacement solution.
10. ISSO shall document migration completion in authorization boundary diagram and submit updated documentation to authorizing official.
Compliance Cross-References
GoToMeeting's non-compliance creates cascading violations across multiple NIST 800-171 control families. Access Control (AC) violations include AC-4 (information flow enforcement) as CUI flows to unauthorized commercial infrastructure, and AC-17 (remote access) lacking required encryption and boundary protections. System and Communications Protection (SC) failures encompass SC-7 (boundary protection) since meetings occur outside authorized boundaries, SC-8 (transmission confidentiality) due to inadequate encryption standards, and SC-13 (cryptographic protection) lacking FIPS 140-2 validated modules. Audit and Accountability (AU) violations include AU-2 (audit events) and AU-6 (audit review) as meeting activities cannot be properly logged in contractor systems. This triggers DFARS 252.204-7012 flow-down requirements for adequate security and 252.204-7021 cybersecurity maturity model certification. For CMMC Level 2 assessments, this impacts Access Control (AC), System and Communications Protection (SC), and Audit and Accountability (AU) domains, creating findings that prevent certification. The violation chain extends to incident response (IR) controls as potential CUI spillage incidents cannot be properly tracked or remediated in commercial platforms outside contractor control.
NIST 800-171 Violations
Using GoToMeeting for CUI without FedRAMP authorization may violate these NIST 800-171 controls:
FedRAMP Compliant Alternatives
Frequently Asked Questions
Is GoToMeeting FedRAMP authorized?
No. GoToMeeting does not hold FedRAMP authorization at any impact level.
Can I discuss CUI on GoToMeeting?
No. GoToMeeting is not authorized for CUI discussions. Use Zoom for Government or Webex for Government instead.
What is a compliant alternative to GoToMeeting?
Zoom for Government (FedRAMP Moderate) and Webex for Government (FedRAMP Moderate) are authorized video conferencing alternatives.