FedRAMP Authorized — Moderate Impact
Box for Government by Box. 6 compliance features verified.
Box for Government
by Box
Impact Level
Moderate
Status
Authorized
Pricing
mid market
Authorization Date: April 12, 2018 | Sponsoring Agency: GSA
Overview
Box for Government is a FedRAMP Moderate authorized cloud content management and collaboration platform. It provides secure file sharing, workflow automation, and content governance for government organizations. The platform supports granular permissions, watermarking, and classification labeling.
Key Features
Certifications & Authorizations
Deployment Options
NIST 800-171 Compliance Coverage
How to Procure Box for Government for Defense Contracts
Box for Government is available through GSA MAS (Multiple Award Schedule) under SIN 518210C (Cloud Computing Services) and SEWP V contracts. Government pricing includes significant discounts compared to commercial rates, typically 20-30% below standard Box Business pricing. The FedRAMP authorization package includes a comprehensive System Security Plan (SSP) defining the authorization boundary encompassing Box's application layer, AWS GovCloud infrastructure, and third-party integrations like DocuSign and Salesforce Government Cloud. Contracting officers must approve the data processing addendum specifying government data handling, the customer responsibility matrix outlining shared security controls, and export control compliance for ITAR/EAR regulated content. Standard procurement timeline spans 60-90 days including security review, legal approval, and technical configuration. For CMMC assessments, Box for Government operates as a external service provider requiring assessment of interface controls (AC-20, SC-7) and data flow documentation. The service boundary includes all content stored, processed, and transmitted through Box APIs and web interfaces. Include Box's CMMC self-attestation documentation and third-party assessment reports in your OSC (Organizational Seeking Certification) boundary analysis. Government tenancy ensures CUI handling meets NIST SP 800-171 requirements without additional customer security controls.
Compliance Cross-References
Box for Government's FedRAMP Moderate authorization directly supports DFARS 252.204-7012 compliance by providing adequate security for Controlled Unclassified Information (CUI) through NIST SP 800-171 aligned controls. The cloud service authorization satisfies DFARS 252.239-7010 cloud computing security requirements with GSA-approved risk assessment and continuous monitoring. Key NIST 800-171 control families addressed include Access Control (AC) through enterprise SSO integration and granular permissions, System and Communications Protection (SC) via FIPS 140-2 encryption in transit and at rest, and Audit and Accountability (AU) through comprehensive logging and SIEM integration. For CMMC Level 2 compliance, Box Government Cloud supports Asset Management (AM), Access Control (AC), System Security (SS), and Data Protection (DP) domains through native content governance, DLP policies, and retention management. The DoD Cloud Computing SRG Impact Level 2 authorization ensures controlled data handling meets mission assurance category requirements. Using Box for Government satisfies cloud service provider vetting requirements under DoDI 8510.01, eliminating the need for separate cloud security assessments when implemented within the defined authorization boundary and customer responsibility matrix.
Defense Contractor Use Case
Defense contractors use Box Government for secure file sharing with government clients, managing document workflows, and maintaining content governance policies for regulated data.
Related Products
More Productivity Products
Related Compliance Assessments
Frequently Asked Questions
What is the FedRAMP authorization level for Box for Government?
Box for Government is authorized at the FedRAMP Moderate impact level, with authorization granted on 2018-04-12 sponsored by GSA. The FedRAMP Moderate baseline includes approximately 325 security controls covering confidentiality, integrity, and availability.
Can defense contractors use Box for Government for CUI?
Box for Government is authorized at the FedRAMP Moderate baseline. While FedRAMP Moderate covers a broad range of government data, defense contractors handling CUI should carefully evaluate whether Moderate controls meet their specific DFARS 252.204-7012 and NIST 800-171 requirements. Some CUI categories may require FedRAMP High authorization depending on the sensitivity of the data and contract requirements.
How does Box for Government pricing compare to commercial?
Box for Government government pricing is generally competitive with commercial pricing, though the government edition may carry a premium of 10-20% to cover FedRAMP compliance and dedicated infrastructure costs. Mid-market organizations can often access government pricing through GSA Schedule contracts or reseller partners. Contact Box for a quote tailored to your organization size and requirements.
Browse All FedRAMP Authorized Tools
Search and filter 80+ FedRAMP authorized products for your defense contracting needs.
Open FedRAMP FinderTrack Box for Government FedRAMP compliance updates with AI-powered intelligence
Signals matches SAM.gov opportunities to your profile, monitors regulatory changes, and alerts you before competitors. Free for 90 days.
Start Free — 90 Days