Our approach to cybersecurity compliance for the Defense Industrial Base has three components:

1. We are built on AWS GovCloud infrastructure, which has been authorized at the FedRAMP High level and is located entirely in the United States.
2. Our System Security Plan is based on the FedRAMP Moderate baseline, and we are currently working with a FedRAMP third-party assessment organization to obtain attestation in 2023.
3. Our system administrators and support staff are 100% US Persons located in the United States.
   
   

We have designed our compliance program to support customers who will require CMMC Level 2 and use Paperless Parts as an External Cloud Service Provider (CSP) to handle Controlled Unclassified Information (CUI). As part of a CMMC assessment, manufacturers will need to demonstrate that they have ensured their External CSPs satisfy “DFARS 7012″ requirements, which include security controls equivalent to FedRAMP Moderate. Based on the current information (including the draft CMMC Assessment Process released in July 2022), CSPs will need to provide a body of evidence and third-party attestation for FedRAMP Moderate equivalency. We are working with a leading authorized FedRAMP assessor and will have the required documentation available in the second half of 2023, well ahead of the Final Rule on CMMC.

Additionally, to support our customers’ CMMC requirements, we are working on a package of features including single sign-on support, audit exports, and advanced permissions.

Please find Paperless Parts’ ITAR Registration Letter (2022) here.