Signal
by Signal Foundation
FedRAMP Status: Not FedRAMP Authorized
Impact Level: N/A
Category: Secure Messaging
Overview
Signal provides strong end-to-end encryption but is NOT authorized for DoD or CUI communications. It lacks FedRAMP authorization, data retention controls, admin audit capabilities, and centralized management. The 2025 "Signal-gate" scandal highlighted the dangers of using consumer messaging for defense communications.
CUI Risk Assessment
Signal is NOT authorized for CUI or DoD information per DoD memorandum. It has no FedRAMP authorization, no data retention, and no audit logging. The Signal-gate scandal highlighted the risks.
NIST 800-171 Violations
Using Signal for CUI without FedRAMP authorization may violate these NIST 800-171 controls:
FedRAMP Compliant Alternatives
Frequently Asked Questions
Is Signal approved for DoD communications?
No. DoD memoranda explicitly list Signal as not authorized for non-public DoD information. Despite strong encryption, it lacks FedRAMP authorization, audit trails, and data retention required for compliance.
But Signal has end-to-end encryption — is that not sufficient?
Encryption alone is not sufficient. NIST 800-171 requires audit logging (3.3.x), data retention (3.8.x), and centralized access control (3.1.x). Signal has none of these. Use AWS Wickr for authorized encrypted messaging.