NIST SP 800-171

In October 2016, the U.S. Department of Defense (DoD) updated acquisition requirements for government contractors to provide more specific guidance in light of their continued use of cloud computing services as it relates to the transmission, storage, and processing of DoD controlled unclassified information (CUI). When cloud services containing CUI are part of a system operated on behalf of the U.S. Government, those cloud services must comply with the requirements defined in the DoD Cloud Computing Security Requirements Guide (SRG). When cloud services are part of a system not operated on behalf of the U.S. Government, those cloud services are expected to comply with the Moderate Impact requirements defined by the Federal Risk and Authorization Management Program (FedRAMP).