Not CUI Compliant
4 NIST 800-171 gaps detected. Not FedRAMP authorized. Using this tool for CUI creates compliance violations under NIST 800-171 and DFARS 252.204-7012.
HEY Email
by Basecamp
FedRAMP Status: Not FedRAMP Authorized
Impact Level: N/A
Overview
HEY is a consumer-focused email service from Basecamp that reimagines inbox management. It is not FedRAMP authorized and lacks the security controls required for government CUI handling.
CUI Risk Assessment
Not FedRAMP authorized. Using this tool for CUI creates compliance violations under NIST 800-171 and DFARS 252.204-7012.
Using HEY Email in a Defense Contractor Environment
HEY Email poses significant compliance risks for defense contractors handling CUI. Email systems typically process multiple CUI categories including ITAR technical data, contract pricing information (FAR-based CUI), and personnel records containing PII. Within a CMMC Level 2 authorization boundary, email services must demonstrate robust access controls, encryption, and audit capabilities. HEY Email lacks FedRAMP authorization and operates as a consumer-grade service without the security architecture required for CUI protection. Compensating controls cannot adequately address fundamental gaps in system security planning, incident response capabilities, and cryptographic protections. During CMMC assessments, DCMA assessors will immediately flag unauthorized cloud email services as a critical finding, particularly examining data flows for CUI transmission and storage. The service's lack of dedicated government infrastructure, absence of required security documentation, and inability to provide FISMA-compliant continuous monitoring make it unsuitable for any defense contractor environment processing CUI.
Deployment & Architecture
Deployment Model: Cloud SaaS (vendor-hosted)
HEY Email lacks FedRAMP authorization. Using this tool for CUI processing violates DFARS 252.204-7012 requirements. Defense contractors must evaluate FedRAMP-authorized alternatives or implement and document compensating controls in their POA&M.
Migration Guidance
Defense contractors must immediately cease using HEY Email for any CUI-related communications and implement a 4-6 week migration timeline. Begin with a comprehensive data inventory to identify all CUI stored in HEY mailboxes, including attachments and embedded technical data. Export critical business correspondence using HEY's limited export capabilities while ensuring CUI is properly marked and transferred through approved channels. Migrate users to FedRAMP-authorized email solutions such as Microsoft 365 GCC High or Google Workspace for Government, which provide the required FISMA Moderate baseline controls. Update System Security Plans to remove HEY Email from the authorization boundary and revise data flow diagrams. Conduct mandatory user training on proper CUI handling procedures within the new compliant email environment. Document the migration in your POA&M and notify your DCMA representative of the compliance remediation. Consider implementing DLP solutions to prevent future unauthorized cloud service usage.
Migration Checklist
1. ISSO: Conduct immediate CUI data inventory across all HEY Email accounts within 5 business days
2. Contracts team: Review all active contracts for CUI email transmission requirements and notify COR of service change within 1 week
3. IT Admin: Procure FedRAMP-authorized email solution (Office 365 GCC High/Google Gov) - 2-3 weeks procurement cycle
4. ISSO: Export all business-critical emails while segregating any CUI for secure transfer via approved methods within 2 weeks
5. IT Admin: Configure new compliant email system with required NIST 800-171 controls (MFA, encryption, audit logging) - 1 week
6. ISSO: Update System Security Plan and authorization boundary diagrams to reflect new email architecture within 2 weeks
7. Training team: Conduct CUI handling refresher training for all users focusing on approved email usage - 1 week
8. ISSO: Document migration completion in POA&M and schedule follow-up CMMC readiness assessment within 30 days
Compliance Cross-References
HEY Email's non-compliance directly impacts NIST 800-171 control families AC (Access Control), AU (Audit and Accountability), SC (System and Communications Protection), and SI (System and Information Integrity). The service triggers DFARS 252.204-7012 clause requirements for adequate security on covered contractor information systems, creating contractual violations. Under CMMC assessment domains, this affects Access Control (AC.L2), Audit and Accountability (AU.L2), System and Communications Protection (SC.L2), and System and Information Integrity (SI.L2). The lack of FedRAMP authorization specifically violates AC.3.017 (separate duties), AU.2.041 (audit record review), SC.3.177 (session lock), and SI.3.211 (flaw remediation) requirements, making it incompatible with any CMMC Level 2 assessment.
NIST 800-171 Violations
Using HEY Email for CUI without FedRAMP authorization may violate these NIST 800-171 controls:
Frequently Asked Questions
Is HEY Email FedRAMP authorized?
No. HEY Email is not FedRAMP authorized and is designed for consumer and small business use, not government compliance.
Can I use HEY Email with CUI?
No. HEY Email does not meet FedRAMP or NIST 800-171 requirements for CUI.
What is a compliant alternative to HEY Email?
Microsoft 365 GCC High (FedRAMP High) is the recommended email platform for defense contractors handling CUI.