Not CUI Compliant
4 NIST 800-171 gaps detected. Not FedRAMP authorized. Using this tool for CUI creates compliance violations under NIST 800-171 and DFARS 252.204-7012.
Wrike
by Citrix
FedRAMP Status: Not FedRAMP Authorized
Impact Level: N/A
Category: Project Management
Overview
Wrike is a commercial project management and work collaboration platform. Despite being owned by Citrix, Wrike itself does not hold FedRAMP authorization and is not approved for CUI.
CUI Risk Assessment
Not FedRAMP authorized. Using this tool for CUI creates compliance violations under NIST 800-171 and DFARS 252.204-7012.
Using Wrike in a Defense Contractor Environment
Wrike presents significant compliance risks for defense contractors handling CUI, particularly in program management contexts where technical specifications, financial data, and contractor performance information are routinely processed. Despite Citrix's strong enterprise credentials, Wrike lacks FedRAMP authorization and cannot legally process CUI per DFARS 252.204-7012 requirements. Defense contractors typically use Wrike for project tracking involving technical drawings, contract deliverables, financial reporting data, and personnel information - all potential CUI categories. Within CMMC Level 2 authorization boundaries, Wrike would require enclave isolation with compensating controls including data loss prevention, enhanced monitoring, and strict access controls - measures that conflict with Wrike's cloud-native architecture. DCMA and DIBCAC assessors consistently flag unauthorized cloud services during CMMC assessments, treating them as automatic Level 2 assessment failures. Recent DCMA compliance reviews have specifically cited project management platforms like Wrike as common violation sources, particularly when integrated with CAD systems or financial reporting tools. The tool's collaboration features, while valuable for project efficiency, create additional CUI exposure points through file sharing, commenting systems, and integration APIs. Compensating controls would require dedicated network segmentation, continuous monitoring, and formal risk acceptance documentation - typically exceeding the tool's operational value for most defense contractors.
Deployment & Architecture
Deployment Model: Cloud SaaS (vendor-hosted)
Wrike lacks FedRAMP authorization. Using this tool for CUI processing violates DFARS 252.204-7012 requirements. Defense contractors must evaluate FedRAMP-authorized alternatives or implement and document compensating controls in their POA&M.
Migration Guidance
Defense contractors must immediately cease CUI processing in Wrike and plan complete migration within 90 days to avoid DFARS compliance violations.
Phase 1 (Weeks 1-2): Conduct comprehensive CUI data inventory within Wrike, identifying all projects, files, and communications containing technical specifications, financial data, or other controlled information. Export all project data using Wrike's native export functionality while maintaining audit trails for compliance documentation.
Phase 2 (Weeks 3-6): Implement alternative solution such as Microsoft Project with GCC High, Smartsheet Gov, or on-premises solutions like Atlassian Data Center. Configure new platform with proper NIST 800-171 controls including multi-factor authentication, encryption, and audit logging.
Phase 3 (Weeks 7-12): Migrate sanitized project data to compliant platform, conduct user training on new system and CUI handling procedures, update System Security Plan to reflect authorization boundary changes, and create POA&M entries documenting migration completion.
User training requires 4-6 hours per person covering new platform functionality and CUI identification requirements. Migration costs typically range $15,000-$45,000 for small-to-medium contractors, including licensing, implementation services, and training. Alternative platforms include Microsoft Project GCC High ($35/user/month), Smartsheet Gov ($25/user/month), or self-hosted solutions like Redmine requiring dedicated infrastructure investment of $25,000-$75,000.
Migration Checklist
- 1. ISSO must immediately audit all Wrike projects to identify CUI content and document findings in POA&M entry referencing DFARS 252.204-7012 violation.
- 2. Contracts officer shall review all active contracts to determine CUI requirements and notify customers of migration timeline per FAR 52.204-21 requirements.
- 3. System administrator must export all project data from Wrike using native export tools while maintaining chain of custody documentation for CUI materials.
- 4. ISSO shall update System Security Plan to remove Wrike from authorization boundary diagram and document security control gaps created by unauthorized cloud service usage.
- 5. Legal counsel must assess potential DFARS 252.204-7012 breach notification requirements and coordinate with contracting officers on customer communications.
- 6. System administrator must provision FedRAMP-authorized alternative such as Microsoft Project GCC High or Smartsheet Government Cloud with appropriate security configurations.
- 7. ISSO shall implement NIST 800-171 security controls (AC-2, AC-3, SC-7, AU-2) on replacement platform and document configuration in SSP appendices.
- 8. Training coordinator must conduct mandatory CUI awareness training for all users covering new platform and proper identification of controlled unclassified information.
- 9. ISSO must validate complete CUI data migration to compliant platform and document secure destruction of any remaining Wrike data per NIST 800-88 guidelines.
- 10. Compliance officer shall update POA&M to close Wrike-related findings and schedule follow-up assessment to verify sustained compliance with CMMC Level 2 requirements.
Compliance Cross-References
Wrike's non-FedRAMP status creates cascading NIST 800-171 control failures across multiple families. Access Control (AC) violations include AC-2.1 (account management in unauthorized systems) and AC-3 (access enforcement outside approved boundaries). System and Communications Protection (SC) failures encompass SC-7 (boundary protection) when CUI crosses into unauthorized cloud infrastructure and SC-8 (transmission confidentiality) through uncontrolled data paths. Audit and Accountability (AU) controls AU-2 and AU-3 cannot function properly without authorized logging infrastructure. This triggers DFARS 252.204-7012 fundamental requirements and 252.204-7021 cybersecurity maturity requirements. Under CMMC Level 2 assessment domains, this impacts Access Control (AC.L2-3.1.1, AC.L2-3.1.2), System and Information Integrity (SI.L2-3.14.1), and Configuration Management (CM.L2-3.4.1) practices. The violation chain extends to FedRAMP requirements as any CUI processing system must operate within authorized cloud boundaries, making Wrike usage a direct compliance failure requiring immediate remediation and potential breach notification under DFARS reporting requirements.
NIST 800-171 Violations
Using Wrike for CUI without FedRAMP authorization may violate these NIST 800-171 controls:
Frequently Asked Questions
Is Wrike FedRAMP authorized?
No. Wrike does not hold FedRAMP authorization, even though its parent company Citrix has other FedRAMP authorized products.
Can I use Wrike with CUI?
No. Wrike is not authorized for CUI project management. Use Jira Cloud for Government or Smartsheet Government instead.
What is a compliant alternative to Wrike?
Jira Cloud for Government (FedRAMP Moderate) and Smartsheet Government (FedRAMP Moderate) are compliant alternatives.