Not CUI Compliant
4 NIST 800-171 gaps detected. Not FedRAMP authorized. Using this tool for CUI creates compliance violations under NIST 800-171 and DFARS 252.204-7012.
WPS Office
by Kingsoft
FedRAMP Status: Not FedRAMP Authorized
Impact Level: N/A
Category: Office Suite
Overview
WPS Office is a commercial office suite developed by Kingsoft, a Chinese software company. It is not FedRAMP authorized and its foreign ownership raises additional security concerns for defense contractors.
CUI Risk Assessment
Not FedRAMP authorized. Using this tool for CUI creates compliance violations under NIST 800-171 and DFARS 252.204-7012.
Using WPS Office in a Defense Contractor Environment
WPS Office presents significant compliance challenges for defense contractors handling CUI. As a Chinese-owned office suite (Kingsoft Corporation), it automatically triggers Section 889 concerns under NDAA 2019 and cannot be used within CMMC Level 2 authorization boundaries for CUI processing. Defense contractors typically use office suites for technical drawings (ITAR/EAR controlled), proposal development with proprietary cost data, personnel records containing PII, and contract modifications. Within a CMMC Level 2 boundary, WPS Office would require complete air-gapping from CUI networks, effectively making it unusable for its intended purpose. No compensating controls can address the fundamental foreign ownership and lack of FedRAMP authorization issues. DCMA assessors specifically flag office suites during CMMC assessments, checking for data flow diagrams showing CUI document creation and storage. Recent DIBCAC reviews have cited contractors using non-authorized office suites as high-severity findings under NIST 800-171 controls 3.1.1 (access control) and 3.13.1 (boundary protection). The tool's cloud synchronization features, even when disabled, create residual compliance risks that assessors scrutinize during network boundary reviews.
Deployment & Architecture
Deployment Model: Hybrid (cloud + on-prem)
WPS Office lacks FedRAMP authorization. Using this tool for CUI processing violates DFARS 252.204-7012 requirements. Defense contractors must evaluate FedRAMP-authorized alternatives or implement and document compensating controls in their POA&M.
Migration Guidance
Defense contractors must immediately migrate away from WPS Office for all CUI-related activities. Migration timeline: 4-6 weeks minimum.
- Phase 1 (Week 1): ISSO conducts data inventory to identify all CUI documents within WPS Office, coordinate with data owners for classification review.
- Phase 2 (Weeks 2-3): Export all documents using WPS Office native export functions to Microsoft Office formats (.docx, .xlsx, .pptx), ensuring no metadata or formatting loss that could affect technical drawings or specifications.
- Phase 3 (Weeks 3-4): Deploy FedRAMP-authorized alternative (Microsoft 365 GCC High recommended at $35-45/user/month, or on-premises Office LTSC at $300-500/user one-time).
- Phase 4 (Weeks 4-5): User training on new platform, focusing on CUI handling procedures and collaboration features.
- Phase 5 (Week 6): Update SSP sections 9 (System Environment), 13 (System Interfaces), and authorization boundary diagrams to reflect WPS Office removal. Create POA&M entries for any residual data cleanup.
Total migration cost estimate: $50,000-150,000 for 100-user organization including licensing, training, and compliance documentation updates.
Migration Checklist
1. ISSO shall immediately inventory all CUI documents stored in or created with WPS Office to establish migration scope per NIST 800-171 3.1.1 requirements.
2. Data owners must classify and export all CUI documents from WPS Office using native export functions while maintaining NIST 800-171 3.8.2 media protection requirements.
3. System administrator shall deploy Microsoft 365 GCC High or equivalent FedRAMP-authorized office suite within the established CMMC Level 2 authorization boundary.
4. ISSO shall update the System Security Plan (SSP) to remove WPS Office from software inventory and boundary diagrams per DFARS 252.204-7012 requirements.
5. Contracts officer must verify all proposal development and contract modification processes no longer utilize WPS Office for CUI handling.
6. System administrator shall configure new office suite with appropriate DLP policies and CUI marking requirements per NIST 800-171 3.1.3.
7. ISSO shall create POA&M entries documenting WPS Office removal timeline and residual risk mitigation per CMMC Level 2 assessment requirements.
8. Legal counsel shall review all existing contracts to ensure WPS Office removal doesn't affect deliverable formatting requirements or intellectual property protections.
9. ISSO shall conduct user training on new office suite focusing on CUI handling procedures and collaboration restrictions per NIST 800-171 3.2.1.
10. System administrator shall implement network monitoring to prevent future WPS Office installations and cloud synchronization attempts per NIST 800-171 3.13.1.
Compliance Cross-References
WPS Office's non-compliance creates cascading failures across multiple NIST 800-171 control families. Access Control (AC) violations include 3.1.1 (system access limitations) and 3.1.2 (system access transactions) due to uncontrolled CUI processing capabilities. System and Communications Protection (SC) violations encompass 3.13.1 (boundary protection) and 3.13.8 (transmission confidentiality) through unauthorized cloud synchronization features. The tool directly violates DFARS 252.204-7012 adequate security requirements and triggers DFARS 252.204-7021 cybersecurity maturity assessments. Within CMMC Level 2 domains, WPS Office affects Access Control (AC), System and Information Integrity (SI), and Configuration Management (CM) practices. While WPS Office isn't explicitly covered under FedRAMP requirements due to its non-authorization status, contractors using it in CUI environments automatically fail FedRAMP equivalency standards required for CMMC Level 2 compliance, creating systematic assessment failures across all evaluated control families.
NIST 800-171 Violations
Using WPS Office for CUI without FedRAMP authorization may violate these NIST 800-171 controls:
Frequently Asked Questions
Is WPS Office FedRAMP authorized?
No. WPS Office is not FedRAMP authorized. Its development by a Chinese company raises supply chain risk concerns under NIST 800-171.
Can I use WPS Office with CUI?
No. WPS Office is not authorized for CUI and its foreign-developed software may pose additional supply chain risks under DFARS requirements.
What is a compliant alternative to WPS Office?
Microsoft 365 GCC High is the recommended FedRAMP High authorized office suite for defense contractors handling CUI.