Partial CUI Compliance
1 NIST 800-171 gap detected. Currently pursuing FedRAMP authorization. Not yet approved for CUI. Use with caution and document risk acceptance.
RingCentral
by RingCentral
FedRAMP Status: FedRAMP In Process
Impact Level: N/A
Category: Video Conferencing
Overview
RingCentral is a cloud communications platform offering video conferencing, messaging, and phone. It is currently pursuing FedRAMP authorization but is not yet approved for CUI communications.
CUI Risk Assessment
Currently pursuing FedRAMP authorization. Not yet approved for CUI. Use with caution and document risk acceptance.
Using RingCentral in a Defense Contractor Environment
RingCentral poses significant compliance challenges for defense contractors handling CUI. The platform typically processes sensitive communications including technical specifications, program schedules, financial data, and personally identifiable information (PII) during video conferences and messaging. Within a CMMC Level 2 authorization boundary, RingCentral's cloud-based architecture creates an external connection requiring careful evaluation of data flows and encryption. Since RingCentral is pursuing but has not achieved FedRAMP authorization, it cannot be considered an approved cloud service provider under DFARS 252.204-7012. Compensating controls would include end-to-end encryption verification, session recording restrictions, and documented risk acceptance for any CUI exposure. DCMA and DIBCAC assessors consistently flag unauthorized cloud communications platforms during CMMC assessments, particularly scrutinizing video conferencing solutions that may inadvertently capture CUI in recordings or chat logs. Recent DCMA compliance reviews have specifically cited defense contractors for using non-FedRAMP authorized communication platforms, resulting in findings under NIST 800-171 controls 3.13.8 (transmission confidentiality) and 3.13.11 (cryptographic mechanisms). The tool's current 'in-process' FedRAMP status means it exists in a compliance gray area where risk acceptance documentation is mandatory, and assessors will evaluate the organization's justification for continued use against available FedRAMP-authorized alternatives like Microsoft Teams GCC High or Cisco Webex for Government.
Deployment & Architecture
Deployment Model: Cloud SaaS (vendor-hosted)
RingCentral is pursuing FedRAMP authorization. Until authorized, this tool should not be used for CUI processing in production. Defense contractors should plan migration timelines and identify compensating controls.
Migration Guidance
Defense contractors must migrate away from RingCentral immediately for CUI communications due to its non-FedRAMP status. The migration timeline spans 8-12 weeks across three phases: assessment (weeks 1-2), implementation (weeks 3-8), and validation (weeks 9-12).
Phase 1 involves cataloging current RingCentral usage, identifying CUI exposure points, and documenting data retention policies. Export all meeting recordings, chat histories, and voicemails following CUI data handling procedures with proper marking and encryption during transfer.
Phase 2 requires deploying FedRAMP-authorized alternatives such as Microsoft Teams GCC High ($12-22/user/month) or Cisco Webex for Government ($25-40/user/month). User training must cover new platform features, CUI handling protocols, and security configurations. Update System Security Plans to remove RingCentral from the authorization boundary diagram and network architecture documentation. Create POA&M entries for any residual data cleanup activities.
Phase 3 validates complete migration through user acceptance testing and compliance verification.
The total migration cost ranges from $15,000-50,000 for small contractors (50-200 users) including licensing, professional services, and training. Medium contractors (200-1000 users) should budget $50,000-150,000. Recommended alternatives include Microsoft Teams GCC High for Office 365 environments or Cisco Webex for Government for dedicated solutions. Document the migration in the continuous monitoring program and notify the Contracting Officer of the compliance improvement.
Migration Checklist
1. ISSO must immediately document RingCentral as a POA&M entry citing NIST 800-171 control 3.13.8 violation with 90-day remediation timeline.
2. Contracts officer should review all active contracts containing DFARS 252.204-7012 to determine CUI exposure risk from continued RingCentral usage.
3. System administrator must export all meeting recordings, chat logs, and voicemails using RingCentral's data export APIs while maintaining CUI marking requirements.
4. ISSO shall update the authorization boundary diagram in the System Security Plan to remove RingCentral from approved external connections.
5. Legal counsel must review data retention policies to ensure exported RingCentral data meets contract-specific CUI retention requirements.
6. System administrator should procure FedRAMP-authorized alternatives such as Microsoft Teams GCC High or Cisco Webex for Government based on existing IT infrastructure.
7. Training coordinator must develop user migration training covering new platform security features and CUI handling protocols per NIST 800-171 requirements.
8. ISSO shall validate that replacement solution implements adequate transmission confidentiality controls to satisfy NIST 800-171 control 3.13.8.
9. System administrator must deactivate all RingCentral accounts and revoke API access tokens within 30 days of alternative solution deployment.
10. ISSO should update continuous monitoring procedures to include quarterly reviews of communication platform FedRAMP authorization status.
Compliance Cross-References
RingCentral's non-compliant status directly impacts NIST 800-171 control family SC (System and Communications Protection), specifically control 3.13.8 requiring transmission confidentiality and integrity for CUI communications. The platform's cloud architecture triggers DFARS 252.204-7012 adequate security requirements since it processes CUI outside approved cloud service providers. Under CMMC Level 2 assessment domains, RingCentral affects System and Communications Protection (SC) and Access Control (AC) practices, particularly SC.3.177 (employ FIPS-validated cryptography) and AC.2.016 (control remote access sessions). The violation chain begins with using non-FedRAMP authorized cloud services, leading to findings under SC.3.177 for inadequate cryptographic validation and SC.3.191 for uncontrolled external connections. This cascades to DFARS 252.204-7021 cybersecurity maturity requirements where inadequate cloud service vetting constitutes a Level 2 deficiency. FedRAMP requirements under 44 U.S.C. 3544 mandate government agencies only use cloud services with appropriate authorization, and defense contractors must demonstrate equivalent security through approved platforms to maintain adequate security posture required by DFARS clauses.
NIST 800-171 Violations
Using RingCentral for CUI without FedRAMP authorization may violate these NIST 800-171 controls:
Frequently Asked Questions
Is RingCentral FedRAMP authorized?
Not yet. RingCentral is in the FedRAMP authorization process but has not completed authorization.
Can I discuss CUI on RingCentral?
RingCentral is not yet authorized for CUI. If used, document a risk acceptance and plan migration to an authorized platform upon completion of your authorization review.