IT Documentation for Defense Contractors

On-premises inside your CMMC Level 2 boundary — datacenter, GCC High, or GovCloud

DIB Overview

CMMC Is Live. Your Documentation Platform Might Be the Problem.

If you're a prime, subcontractor, or MSP serving the defense industrial base, CMMC Level 2 is no longer future work. The final rule took effect December 2024. New DoD solicitations already carry CMMC clauses. By November 2026, third-party C3PAO certification is the default for any contract involving Controlled Unclassified Information (CUI).

Your IT documentation platform stores network diagrams, firewall configs, credentials, IP schemes, and runbooks. If any of that belongs to a defense contractor handling CUI, your documentation platform is an External Service Provider (ESP) inside the assessment boundary — which means it needs FedRAMP Moderate authorization.

No commercial SaaS IT documentation platform is on the FedRAMP Marketplace today. Not ours in cloud form. Not any competitor. SOC 2 Type II, ISO 27001, encryption at rest and in transit — none of them are FedRAMP, and your C3PAO will flag the gap.

Boundary Inheritance

Run IT Portal Inside Your Boundary

Deploy IT Portal on-premises inside your assessed enclave. The application inherits your authorization boundary — your C3PAO assesses it as an internal application, not an external service provider. The FedRAMP question goes away.

Your Datacenter

Run on Windows Server inside your own physically assessed facility. Standard pattern for internal apps across the DIB.

Azure GCC High

Deploy into your Microsoft GCC High tenancy alongside Teams, SharePoint, and Defender for CUI workflows.

AWS GovCloud

Provision on EC2 in AWS GovCloud. Pair with Bedrock on GovCloud (FedRAMP High) for in-boundary AI features.

Controls

What Your C3PAO Will Test

  • Authentication & Identity (IA domain): SSO via SAML 2.0 and OIDC — tested with Entra ID, ADFS, Okta, and Duo. MFA enforceable organization-wide. Configurable password policy covering complexity, length, history, expiration, and account lockout.
  • FIPS 140 Cryptography (SC domain): Windows CAPI/CNG exclusively — no OpenSSL or third-party crypto libraries. Runs cleanly under FIPS-validated modules when FIPS mode is enabled on the host. TLS 1.2+ with configurable cipher suites.
  • Audit Logging (AU domain): Five REST API endpoints expose login/logout, user access, admin access, password views, and password changes. Your SIEM polls on a schedule — no outbound connections from your CUI enclave. Works with Splunk, Azure Sentinel, Elastic, or a PowerShell cron.
  • Access Control (AC domain): Role-based access scoped to record types. Separation of duties between admin and user functions. Least privilege enforced at the application layer.
  • AI in Boundary: AI features use a customer-defined proxy. Leave it unconfigured to disable cleanly, or point it at AWS Bedrock on GovCloud (FedRAMP High authorized) so CUI never leaves your boundary.
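The SC-domain bullet above puts the FIPS and TLS baseline on the host, not the application, so the evidence an assessor asks for is host state. The following PowerShell is an added example, not IT Portal's own code or documentation: it reads the standard FIPS policy value and SCHANNEL protocol keys from the registry and lists the enabled cipher suites, flagging anything outside an ECDHE/AES-GCM baseline. It assumes Windows Server 2016 or later (for `Get-TlsCipherSuite`) and an elevated session; the cipher suite filter is this example's baseline choice, not one the page prescribes.

```powershell
# Added example (not IT Portal's own code): collect the host crypto baseline
# a C3PAO will ask about on an IT Portal server. Assumes Windows Server 2016+
# and an elevated session. Registry paths are the standard Windows locations.

function Get-FipsPolicyState {
    # "System cryptography: Use FIPS compliant algorithms" sets this value to 1.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{ Check = 'FIPS mode (FipsAlgorithmPolicy\Enabled)'; Pass = ($value -eq 1); Detail = "Enabled=$value" }
}

function Get-SchannelProtocolState {
    # Legacy protocols should be explicitly disabled for both roles. A missing key
    # means "OS default", which is reported as a finding so the setting is deliberate.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        foreach ($role in 'Server', 'Client') {
            $p = Get-ItemProperty -Path "$base\$proto\$role" -ErrorAction SilentlyContinue
            $disabled = ($null -ne $p) -and ($p.Enabled -eq 0) -and ($p.DisabledByDefault -eq 1)
            $detail = if ($p) { "Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)" } else { 'key absent (OS default)' }
            [pscustomobject]@{ Check = "$proto $role disabled"; Pass = $disabled; Detail = $detail }
        }
    }
}

function Get-CipherSuiteState {
    # Get-TlsCipherSuite lists enabled suites in priority order. The filter below
    # (ECDHE key exchange with AES-GCM, plus the TLS 1.3 AES-GCM suites) is this
    # example's baseline; tighten or loosen it to match your SSP.
    Get-TlsCipherSuite | ForEach-Object {
        $ok = ($_.Name -like 'TLS_ECDHE_*_WITH_AES_*_GCM_SHA*') -or ($_.Name -like 'TLS_AES_*_GCM_SHA*')
        [pscustomobject]@{ Check = "cipher suite $($_.Name) is ECDHE/AES-GCM"; Pass = $ok; Detail = $_.Name }
    }
}

$results  = @(Get-FipsPolicyState) + @(Get-SchannelProtocolState) + @(Get-CipherSuiteState)
$results | Format-Table Check, Pass, Detail -AutoSize
$findings = @($results | Where-Object { -not $_.Pass })
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) baseline finding(s); remediate before capturing assessment evidence."
}
```

Run it once when the host is built and again when you capture evidence; the table output is the artifact. Suites that fail the filter can be removed with `Disable-TlsCipherSuite -Name <suite>`, and the protocol keys are normally set by GPO rather than by hand so the state is reproducible across the enclave.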

Assessor Artifacts

We've Done the Compliance Homework

CMMC L2 Customer Responsibility Matrix

All 110 practices mapped to IT Portal, customer, or shared responsibility. CMMC practice IDs (AC.L2-3.1.1) and NIST SP 800-171 cross-references. The format your C3PAO works from.

On-Premises Deployment & Compliance Guide

Deployment targets, host hardening (FIPS, BitLocker, TLS baseline), SSO/MFA, RBAC, audit logging, SIEM integration patterns, AI proxy architecture.

Software Bill of Materials (SBOM)

Available on request for your vulnerability management program.

MSPs

Serving the Defense Industrial Base

If you're an MSP with DIB clients, CMMC affects you two ways.

  • You're already in scope. If your systems touch client CUI — storing network configs, credentials, infrastructure documentation — you're an External Service Provider and part of their assessment.
  • It's a market opportunity. The DoD estimates 76,000+ organizations need CMMC Level 2 certification. Most need help getting there. Demonstrating a compliant documentation stack — Customer Responsibility Matrix and deployment architecture in hand — beats competitors still figuring it out.

Evaluating IT Documentation for a CMMC Environment?

Get the full compliance package — Customer Responsibility Matrix, On-Premises Deployment Guide, and a technical walkthrough with our team.

FAQ

Frequently Asked Questions

Yes, via on-premises deployment inside your assessed boundary. Because IT Portal runs as an internal application, your C3PAO assesses it within your environment's authorization boundary rather than as an External Service Provider — which is how commercial SaaS documentation platforms end up blocked by the FedRAMP Moderate requirement for cloud services handling CUI. A Customer Responsibility Matrix mapping all 110 practices is available in the CMMC compliance package.

IT Portal's SaaS cloud is not on the FedRAMP Marketplace — and as of 2026, no commercial SaaS IT documentation platform is. For CUI workloads, the supported path is on-premises deployment inside your own assessed boundary (your datacenter, Azure GCC High, or AWS GovCloud), where the application inherits your environment's authorization rather than needing its own FedRAMP ATO.

Yes. IT Portal's on-premises deployment runs on Windows Server and supports any assessed enclave. FIPS 140 cryptography is enforced via Windows CAPI/CNG, TLS 1.2+ with configurable cipher suites, SSO via SAML 2.0/OIDC, and audit logs delivered to your SIEM through a polled REST API so no outbound connections from your CUI enclave are required.

IT Portal exposes five REST API endpoints covering login/logout with source IP, user access (CRUD on records), admin access and configuration changes, password views, and password modifications. Your SIEM polls on a schedule — Splunk REST Modular Input, Azure Sentinel Logic Apps, Elastic HTTP JSON input, or a scheduled PowerShell script. No outbound connections leave your CUI enclave for log delivery; your SIEM owns the independent copy and tamper-evidence.
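The polled-collection pattern described in the Audit Logging control above and in this answer (the SIEM pulls on a schedule, nothing leaves the enclave) needs a collector that is incremental, replay-safe and visible when it fails. The script below is an added example, not IT Portal's own script: it is meant to run as a scheduled task inside the enclave, pulls each of the five endpoints since a per-endpoint checkpoint, and appends new events to a JSONL file that a forwarder such as Splunk Universal Forwarder or Elastic Agent tails, so the SIEM still holds the independent copy. The endpoint paths, the `since` query parameter, a JSON array response, `id`/`timestamp` fields on each event, and a bearer token in `ITPORTAL_AUDIT_TOKEN` are all assumptions; take the real values from the IT Portal API reference.

```powershell
# Added example (not IT Portal's own script): incremental poller for the five
# audit endpoints, run as a scheduled task inside the enclave. New events are
# appended to a JSONL file that a SIEM forwarder tails, so log delivery needs
# no outbound connection from the CUI enclave.
# Assumptions not on the page: endpoint paths, the `since` query parameter,
# a JSON array response, `id`/`timestamp` fields, and a bearer token supplied
# through the task's environment.

$BaseUrl   = 'https://itportal.example.internal'          # your on-prem instance (placeholder)
$Endpoints = [ordered]@{
    logins     = '/api/audit/logins'            # login/logout with source IP
    useraccess = '/api/audit/user-access'       # CRUD on records
    admin      = '/api/audit/admin'             # admin access and configuration changes
    pwdviews   = '/api/audit/password-views'
    pwdchanges = '/api/audit/password-changes'
}
$StateDir  = 'C:\ProgramData\ITPortalAudit'
$StateFile = Join-Path $StateDir 'checkpoint.json'
$OutFile   = Join-Path $StateDir 'audit.jsonl'           # point your forwarder at this file
$Headers   = @{ Authorization = "Bearer $env:ITPORTAL_AUDIT_TOKEN"; Accept = 'application/json' }

New-Item -ItemType Directory -Path $StateDir -Force | Out-Null

# Checkpoint: newest timestamp already collected per endpoint, so each run asks
# only for what it has not seen and a crash mid-run just re-fetches a few events.
$state = @{}
if (Test-Path $StateFile) {
    (Get-Content $StateFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $state[$_.Name] = $_.Value }
}

$failures = 0
foreach ($name in $Endpoints.Keys) {
    # First run: look back 24 hours (assumption; widen it to cover your retention gap).
    $since = if ($state[$name]) { $state[$name] } else { (Get-Date).ToUniversalTime().AddDays(-1).ToString('o') }
    $uri   = "$BaseUrl$($Endpoints[$name])?since=$([uri]::EscapeDataString($since))"
    try {
        # Invoke-RestMethod uses SChannel, so it runs under the host's FIPS policy.
        $events = @(Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get -TimeoutSec 30)
    } catch {
        Write-Warning "${name}: $($_.Exception.Message)"; $failures++; continue
    }
    $seen = @{}   # dedupe within this run; the SIEM dedupes across runs on event id
    foreach ($e in $events) {
        if ($null -eq $e -or $seen.ContainsKey([string]$e.id)) { continue }
        $seen[[string]$e.id] = $true
        # Wrap each event with its source and collector so the SIEM can route and attribute it.
        $rec = [ordered]@{
            source       = "itportal.$name"
            collector    = $env:COMPUTERNAME
            collected_at = (Get-Date).ToUniversalTime().ToString('o')
            event        = $e
        }
        Add-Content -Path $OutFile -Value ($rec | ConvertTo-Json -Compress -Depth 10) -Encoding UTF8
        # ISO 8601 timestamps order correctly as strings.
        if (-not $state[$name] -or ([string]$e.timestamp -gt [string]$state[$name])) {
            $state[$name] = [string]$e.timestamp
        }
    }
    Write-Verbose "${name}: $($events.Count) event(s) since $since"
}

# Persist the checkpoint atomically so a crash cannot leave it half-written.
$tmp = "$StateFile.tmp"
$state | ConvertTo-Json | Set-Content -Path $tmp -Encoding UTF8
Move-Item -Path $tmp -Destination $StateFile -Force

# A non-zero exit shows up as the scheduled task's Last Run Result; alert on it
# so a stalled collector is noticed, not discovered at the assessment.
exit $failures
```

Register it with `Register-ScheduledTask` under a dedicated service account that holds only the audit-read role in IT Portal, with a trigger from `New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5)`, and restrict the checkpoint and output directory to that account plus the forwarder. Tamper-evidence stays where the answer puts it, in the SIEM's copy: the JSONL file is only a hand-off buffer and should be rotated by the forwarder, not treated as the record.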

Yes, with care. IT Portal's AI features route through a customer-defined proxy — the application never calls an AI service directly. Three configurations: leave the proxy unconfigured and AI features are cleanly disabled; point the proxy at AWS Bedrock on GovCloud (Claude on Bedrock GovCloud is FedRAMP High authorized) to keep CUI in boundary; or point it at a commercial endpoint for non-CUI environments. For CUI, only the first two are acceptable.
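"With care" here means the proxy setting is a single misconfiguration away from routing CUI to a commercial endpoint, so it is worth validating before the application starts. The function below is an added example, not IT Portal's own code: it encodes the three configurations from this answer as a fail-closed policy check, allowing an unset proxy (AI disabled), allowing any HTTPS endpoint only in a non-CUI enclave, and in a CUI enclave allowing only hosts on an in-boundary allowlist. The allowlist contents are assumptions: `bedrock-runtime.us-gov-west-1.amazonaws.com` is the Bedrock runtime endpoint in that GovCloud region as far as I know (confirm against AWS's current endpoint list for your region), and `ai-proxy.example.internal` is a placeholder for your own proxy host. How IT Portal stores the proxy URL is not on the page, so the value is passed in as a parameter.

```powershell
# Added example (not IT Portal's own code): fail-closed check of the AI proxy
# setting against the three configurations the FAQ describes. The allowlist
# hosts are assumptions; replace them with the endpoints in your own boundary.

function Test-AiProxyTarget {
    param(
        [AllowEmptyString()][string]$ProxyUrl,
        [ValidateSet('CUI', 'NonCUI')][string]$Enclave = 'CUI'
    )
    # Configuration 1: proxy unconfigured, AI features cleanly disabled. Always acceptable.
    if ([string]::IsNullOrWhiteSpace($ProxyUrl)) {
        return [pscustomobject]@{ Allowed = $true; Reason = 'proxy unset; AI features disabled' }
    }
    $uri = $null
    if (-not [uri]::TryCreate($ProxyUrl, [UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Allowed = $false; Reason = 'proxy value is not an absolute URL' }
    }
    if ($uri.Scheme -ne 'https') {
        return [pscustomobject]@{ Allowed = $false; Reason = 'proxy must use HTTPS' }
    }
    # Configuration 3: commercial endpoint, permitted only where no CUI is handled.
    if ($Enclave -eq 'NonCUI') {
        return [pscustomobject]@{ Allowed = $true; Reason = 'non-CUI enclave; commercial endpoint permitted' }
    }
    # Configuration 2: CUI enclave, so only in-boundary hosts. Exact or dotted-suffix
    # match, so a host under your own GovCloud domain also passes.
    $allowedHosts = @(
        'bedrock-runtime.us-gov-west-1.amazonaws.com',   # assumed Bedrock runtime endpoint; verify for your region
        'ai-proxy.example.internal'                      # placeholder for your in-enclave proxy
    )
    foreach ($h in $allowedHosts) {
        if ($uri.Host -eq $h -or $uri.Host.EndsWith(".$h")) {
            return [pscustomobject]@{ Allowed = $true; Reason = "host $($uri.Host) is on the in-boundary allowlist" }
        }
    }
    return [pscustomobject]@{ Allowed = $false; Reason = "host $($uri.Host) is outside the assessed boundary" }
}

# Run the check against the configured value; a blocked result should stop the
# deployment rather than fall back to the commercial endpoint.
$result = Test-AiProxyTarget -ProxyUrl $env:ITPORTAL_AI_PROXY -Enclave 'CUI'   # env var name is a placeholder
if (-not $result.Allowed) {
    Write-Error "AI proxy rejected: $($result.Reason)"
    exit 1
}
Write-Output "AI proxy accepted: $($result.Reason)"
```

Wire this into whatever applies configuration to the host (the deployment pipeline or a startup task) so the enclave flag comes from the system's own categorization, not from the person editing the setting; the point of the check is that the CUI branch can only ever end in an allowlisted host or in AI being off.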