As of April 1, 2026, 1factory has officially achieved FedRAMP Moderate Equivalency, verified by Lunarline, Inc., an independent FedRAMP-accredited Third-Party Assessment Organization (3PAO). This validation ensures our platform meets the security mandates of DFARS 252.204-7012 for the management of Controlled Unclassified Information (CUI) and Covered Defense Information (CDI). To meet these requirements, 1factory operates a dedicated, logically isolated hosting environment engineered specifically for the Defense Industrial Base.
⚠ Critical compliance warning: CMMC 2.0
If you currently access 1factory via www.1factory.com/signin or our validated environment at val.1factory.com/signin, you are not in a CMMC-compliant environment. To maintain compliance and eligibility for DoD contracts, you must migrate to our isolated GovCloud environment.
Understanding equivalency requirements
Under DFARS 252.204-7012 (b)(2)(ii)(D), defense contractors must verify that their Cloud Service Providers (CSPs) meet the FedRAMP Moderate baseline. Because 1factory provides software to private defense contractors rather than selling directly to government agencies, we use the DoD CIO Equivalency path -- a formal, accepted compliance route where a 3PAO audit proves we meet the exact same security standards as FedRAMP Marketplace-listed providers.
Our 3PAO audit and related package provides customers with the necessary Body of Evidence (BoE) to satisfy federal auditors and CMMC 2.0 Assessors during your organization's certification process.
Independent 3PAO attestation and results
Lunarline, Inc. conducted an exhaustive independent assessment of 1factory's infrastructure against the FedRAMP Moderate control baseline. Results of the Security Assessment Report (SAR):
| Control implementation | 100% of FedRAMP Moderate baseline security controls are fully implemented and operational. |
| DoD CIO memo compliance | Complete body of evidence formatted and aligned for federal review under the DoD CIO Equivalency memorandum. |
| Validated remediation | Every risk identified during the assessment was independently verified as closed by the 3PAO. |
| Technical maturity | Incident response, configuration management, and data integrity protocols validated per federal standards. |
Continuous monitoring and risk governance
1factory utilizes a 3PAO-validated Continuous Monitoring framework to maintain an ongoing security posture:
- Active POA&M management: 1factory maintains a Plan of Action and Milestones (POA&M), supported by automated daily vulnerability scanning and rapid-response patch management.
- Continuous monitoring: Risk management practices align with established FedRAMP ConMon requirements, ensuring security posture is maintained between assessment cycles.
- Audit transparency: Our governance model provides the audit trail required for CMMC 2.0 Level 2 readiness, reducing the administrative burden during your own assessment.
Common questions
Why won't my current environment meet the new requirements?
Prior to November 2025, many organizations were compliant using AWS GovCloud (ITAR compliant) hosting paired with third-party validation to NIST 800-171. With the finalization of CMMC 2.0, NIST 800-171 alone is no longer sufficient for Cloud Service Providers. The DoD now mandates that CSPs handling CUI must meet the FedRAMP Moderate baseline or equivalent. Our GovCloud environment is the only 1factory environment audited to this higher standard.
What is CUI and CDI?
CUI (Controlled Unclassified Information) is the broad label for unclassified information that requires safeguarding. CDI (Covered Defense Information) is a specific DoD term for sensitive data that requires protection under DFARS 252.204-7012.
Why isn't 1factory listed on the FedRAMP Marketplace?
The FedRAMP Marketplace is primarily a catalog of Cloud Servicer Providers serving federal agencies, and typically requires a direct federal agency sponsor. Because 1factory serves private defense contractors rather than government agencies directly, we use the DoD CIO Equivalency path -- a formally recognized and equally rigorous compliance route.
What is required of DoD contractors?
To handle CUI and CDI, aerospace and defense suppliers must obtain CMMC certification. This validates that your operations align with DFARS 252.204-7012.
What is required of 1factory as a Cloud Service Provider?
For customers to achieve CMMC compliance, 1factory must meet FedRAMP Moderate Equivalent standards, requiring security controls in accordance with NIST SP 800-53. Our GovCloud environment satisfies this requirement.
Request your compliance package
We provide the following documentation to authorized organizations under NDA. Contact your account representative or email sales@1factory.com to confirm your environment and request access.
- System Security Plan (SSP)
- Letter of Attestation (LoA)
- Security Assessment Report (SAR)
- Body of Evidence (BoE)
References
CMMC Program -- DoD CIO Overview
DFARS 252.204-7012 -- Safeguarding Covered Defense Information