CUI Compliant
0 NIST 800-171 gaps detected. FedRAMP authorized at Moderate impact level. Approved for CUI handling in DoD environments.
Webex for Government
by Cisco
FedRAMP Status
FedRAMP Authorized
Impact Level
Moderate
Category
Video Conferencing
Authorized: November 15, 2019 | Sponsor: Department of Homeland Security
Overview
Cisco Webex for Government is a FedRAMP Moderate authorized video conferencing and collaboration platform. It provides encrypted meetings, messaging, and calling for government users.
CUI Risk Assessment
FedRAMP authorized at Moderate impact level. Approved for CUI handling in DoD environments.
Using Webex for Government in a Defense Contractor Environment
Webex for Government operates within FedRAMP Moderate authorization boundaries and is specifically designed for CUI handling in defense contractor environments. This platform typically processes ITAR-controlled technical data, export-controlled engineering drawings, financial performance reports containing sensitive pricing data, and DoD-specific operational briefings with classification markings. Within CMMC Level 2 authorization boundaries, Webex for Government functions as an approved external service provider, requiring proper boundary documentation in System Security Plans showing encrypted data flows between contractor networks and Cisco's government cloud infrastructure. Defense contractors must implement compensating controls including endpoint security verification, meeting recording policies aligned with CUI retention requirements, and user access controls mapped to contract-specific need-to-know determinations. DCMA and DIBCAC assessors consistently evaluate this tool's implementation by reviewing encryption configurations, user provisioning processes tied to contract personnel lists, and audit log retention policies. Recent DCMA compliance reviews have focused on ensuring contractors properly configure guest access restrictions and implement adequate session recording controls when CUI is discussed. The tool's FedRAMP Moderate authorization provides strong foundation for CMMC Level 2 compliance, but assessors verify that contractors maintain proper configuration management and don't inadvertently expose CUI through improper sharing settings or inadequate user training on CUI handling protocols during virtual meetings.
Deployment & Architecture
Deployment Model: Government Cloud (FedRAMP boundary)
Webex for Government operates within a FedRAMP-authorized boundary. CUI can be processed within the authorization scope, but contractors must verify their specific use case falls within the system's security boundary as documented in the SSP.
Implementation Guide
Defense contractors implementing Webex for Government for CUI environments should plan a 6-8 week deployment timeline across three phases: initial configuration (weeks 1-2), pilot testing with CUI scenarios (weeks 3-4), and full production rollout (weeks 5-8). Configuration phase requires ISSO coordination with Cisco Government Cloud support to establish proper tenant isolation, enable required audit logging, and configure encryption settings meeting FIPS 140-2 requirements. CUI data handling considerations include establishing meeting recording policies aligned with contract data retention requirements and implementing proper guest access controls to prevent unauthorized CUI exposure. User training requires 8-12 hours covering CUI marking protocols in virtual environments, proper screen sharing controls when technical drawings are displayed, and incident reporting procedures for potential CUI spillage during meetings. Compliance documentation updates include modifying SSP Section 10 (System Environment) to reflect Webex integration points, updating authorization boundary diagrams to show encrypted communication flows, and creating POA&M entries for ongoing configuration monitoring requirements. Integration costs typically range $15,000-$35,000 including initial configuration, user training development, and compliance documentation updates. Ongoing operational costs average $25-$45 per user monthly for government cloud licensing plus administrative overhead for maintaining CMMC-compliant configurations and audit trail management.
Configuration Checklist
- 1ISSO must coordinate with Cisco Government Cloud support to provision tenant within FedRAMP Moderate boundary and configure FIPS 140-2 encryption settings.
- 2System administrator shall implement single sign-on integration with contractor's Active Directory to ensure user provisioning aligns with contract personnel access lists per DFARS 252.204-7012.
- 3ISSO shall configure audit logging retention policies to meet 1-year minimum requirement and establish automated log forwarding to contractor's SIEM solution.
- 4System administrator must disable public meeting creation capabilities and implement guest access controls requiring approval workflow for external participants.
- 5ISSO shall update System Security Plan Section 10.2 to document Webex integration points and data flow diagrams showing encrypted communication paths.
- 6Training coordinator must develop CUI-specific user training covering screen sharing protocols, meeting recording policies, and incident reporting procedures.
- 7ISSO shall create POA&M entries for quarterly configuration reviews and monthly user access audits to maintain CMMC Level 2 compliance.
- 8System administrator must implement endpoint compliance checking to ensure only managed devices can access CUI-enabled Webex sessions.
- 9ISSO shall establish meeting recording classification procedures aligned with contract CUI categories and retention schedules.
- 10Contracts officer must review current DoD contracts to ensure Webex for Government usage aligns with approved collaboration tool listings in contract clauses.
Compliance Cross-References
Webex for Government's FedRAMP Moderate authorization directly supports NIST 800-171 control families including AC (Access Control) through its identity federation capabilities, SC (System and Communications Protection) via FIPS 140-2 encryption implementation, and AU (Audit and Accountability) through comprehensive session logging. This compliance status satisfies DFARS 252.204-7012 requirements for adequate security controls when processing CUI, while the government cloud deployment model addresses DFARS 252.204-7021 cloud computing security requirements. For CMMC Level 2 assessments, Webex for Government impacts Access Control (AC.L2), System and Information Integrity (SI.L2), and System and Communications Protection (SC.L2) assessment domains, requiring assessors to verify proper configuration management and user training implementation. The FedRAMP authorization provides inherited controls for physical security and infrastructure protection, reducing contractor assessment scope while requiring documentation of proper tenant configuration and user access management procedures aligned with contract-specific CUI handling requirements.
Other FedRAMP Authorized Video Conferencing Tools
Related Compliance Assessments
Frequently Asked Questions
Is Webex for Government FedRAMP authorized?
Yes. Cisco Webex for Government holds FedRAMP Moderate authorization for video conferencing and collaboration.
Can I discuss CUI on Webex for Government?
Webex for Government is authorized at Moderate and can be used for CUI discussions at that impact level.
Run a Full Tech Stack Audit
Check all your enterprise tools at once with our free CUI Compliance Auditor.
Launch CUI AuditorTrack Webex for Government compliance monitoring with AI-powered intelligence
Signals matches SAM.gov opportunities to your profile, monitors regulatory changes, and alerts you before competitors. Free for 90 days.
Start Free — 90 Days