FutureFeed Shared Responsibility
This matrix documents the division of responsibilities between FutureFeed and its customers under CMMC 2.0 / 32 CFR Part 170. It is provided as a customer convenience tool; a formal CRM is not a regulatory requirement for Contractor Risk Managed Assets (CRMAs).
Rev. April 2026
Recommended Asset Classification: Contractor Risk Managed Asset (CRMA)
FutureFeed is a GRC platform hosted in AWS GovCloud (US) with achieved FedRAMP Moderate Equivalency. It is not a CUI asset and does not perform technical security enforcement within a customer’s CUI boundary. Customers must document this CRMA classification within their own System Security Plan (SSP). Treating FutureFeed as out-of-scope is a common and avoidable scoping error – assessors routinely review GRC platforms.
Responsibilities by Owner
Platform & Infrastructure Security
Secure Hosting Environment
Controls: AC / SC | Owner: FutureFeed
Description: FutureFeed operates entirely within AWS GovCloud (US), managed by Project Hosts. Infrastructure-level security controls – including physical security, availability, and boundary protection – are the exclusive responsibility of FutureFeed and its hosting partners.
Notes / Customer Actions: No customer action required. FedRAMP Moderate Equivalency documentation is available upon request.
Data Encryption (Transit & Rest)
Controls: SC-8 / SC-28 | Owner: FutureFeed
Description: All data transmitted to and stored within FutureFeed is encrypted using industry-standard protocols. Encryption key management and cipher configuration are managed by FutureFeed.
Notes / Customer Actions: Customers should ensure local endpoints and browsers support modern TLS configurations.
Platform Logging & Monitoring
Controls: AU-2 / AU-12 / SI-4 | Owner: FutureFeed
Description: FutureFeed is responsible for logging, monitoring, and maintaining platform integrity, including audit logs of system events and platform-level anomaly detection.
Notes / Customer Actions: FutureFeed does NOT provide security monitoring within a customer’s CUI boundary. Customers must maintain independent SIEM/logging for their own environments.
Application Security & Patch Management
Controls: SI-2 / SA-11 | Owner: FutureFeed
Description: FutureFeed manages application-layer security including vulnerability management, patch deployment, and secure development practices for the FutureFeed platform itself.
Notes / Customer Actions: Customers are responsible for patching their own endpoints, browsers, and network infrastructure used to access the platform.
System Availability & Business Continuity
Controls: CP-9 / CP-10 | Owner: FutureFeed
Description: FutureFeed maintains backup, recovery, and business continuity processes for the platform and all customer data stored within it.
Notes / Customer Actions: Customers should maintain local copies of critical SSP artifacts to support their own compliance program continuity independent of platform availability.
Identity & Access Management
Application-Level Access Controls
Controls: AC-2 / AC-3 | Owner: FutureFeed
Description: FutureFeed provides and enforces role-based access controls within the platform, defining permitted actions and accessible data for each role at the application layer.
Notes / Customer Actions: Customers must assign roles appropriately and review permissions regularly to maintain the principle of least privilege.
Multi-Factor Authentication Enforcement
Controls: IA-2(1) / IA-2(2) | Owner: FutureFeed
Description: FutureFeed enforces MFA for all user access to the platform. MFA cannot be bypassed or disabled by users or customer administrators.
Notes / Customer Actions: Customers must ensure all users complete MFA enrollment. Loss of MFA access must be reported to FutureFeed support promptly.
User Account Lifecycle Management
Controls: AC-2 / PS-4 / PS-5 | Owner: Customer
Description: Customers are solely responsible for managing user account lifecycles within their FutureFeed tenant – provisioning new users, modifying roles, and promptly deprovisioning accounts upon personnel departure or role change.
Notes / Customer Actions (Action Required): Establish a formal onboarding/offboarding process. Document periodic access reviews in the customer’s SSP. FutureFeed supports configuring time-limited access for users with temporary needs.
Periodic Access Review
Controls: AC-2(j) / CA-7 | Owner: Customer
Description: Customers must periodically review all user accounts and permissions within FutureFeed to verify access remains appropriate and no unauthorized or stale accounts exist.
Notes / Customer Actions (Action Required): Document review frequency, methodology, and results. CMMC assessors may request evidence of completed access reviews.
Data Governance & CUI Boundary Integrity
CUI Non-Introduction Policy
Controls: AC / CM / MP | Owner: Policy
Description: Customers must maintain and enforce an organizational policy explicitly prohibiting the intentional upload or storage of CUI within FutureFeed. FutureFeed is a governance and documentation platform – not an authorized CUI repository.
Notes / Customer Actions (Action Required): Formalize in writing; reference in SSP; brief all FutureFeed users on this restriction prior to granting access.
Inadvertent CUI Spill Response
Controls: IR-4 / MP-6 | Owner: Shared
Description: If CUI is inadvertently introduced, the customer bears responsibility for detecting the spill and initiating incident response. FutureFeed is capable of securely containing CUI if introduced, but is neither designed nor scoped as a CUI system.
Notes / Customer Actions: Include FutureFeed in incident response runbooks as a potential spill surface. Notify FutureFeed support immediately upon confirmed or suspected CUI introduction.
Content & Artifact Review
Controls: CM-12 / MP-3 | Owner: Customer
Description: Customers are responsible for reviewing all content and evidence artifacts uploaded to FutureFeed to ensure they do not contain CUI, export-controlled data, or information exceeding the platform’s authorized data classification.
Notes / Customer Actions (Action Required): Implement a pre-upload review step in internal workflows. Sensitive artifacts (SSPs, POA&Ms, architecture docs) – while not CUI – must be access-controlled appropriately.
Sensitive Security Documentation Handling
Controls: AC / MP | Owner: Customer
Description: FutureFeed stores inherently sensitive security information including control implementations, network references, vulnerability data, and POA&Ms. While not CUI, unauthorized disclosure could increase risk to the customer’s CUI environment.
Notes / Customer Actions: Assign roles deliberately using FutureFeed’s four available user roles:
| Role | Appropriate For |
|---|---|
| No Access | Personnel who no longer need platform access; use promptly on departure or role change |
| Standard | Active compliance staff who contribute to SSP content and evidence |
| Admin | Limited to personnel with a direct need to configure the tenant; minimize this count |
| Assessor (read-only) | C3PAO assessors and internal auditors only; prevents modification of documentation |
Periodically audit user role assignments and deprovision or downgrade anyone whose responsibilities no longer require access. Document reviews in your SSP.
Note: FutureFeed does not provide field-level or document-level access restrictions within a role – role assignment is your primary access control lever.
CMMC Scoping & Compliance Documentation
CRMA Classification & SSP Documentation
Controls: CA-2 / PL-2 | Owner: Customer
Description: Customers are responsible for formally documenting FutureFeed’s classification as a Contractor Risk Managed Asset (CRMA) in their own SSP, including the rationale for that classification and how associated risks are managed.
Notes / Customer Actions (Action Required): Do not treat FutureFeed as out-of-scope. Reference FutureFeed’s FedRAMP Moderate Equivalency as part of the CRMA risk justification.
Vendor Risk Management & Due Diligence
Controls: SA-9 / SR-3 | Owner: Shared
Description: FutureFeed maintains vendor security documentation and posture evidence (including FedRAMP Moderate Equivalency). Customers are responsible for conducting and documenting their vendor risk review as part of their supply chain risk management process.
Notes / Customer Actions: Download and follow FutureFeed’s CRM to demonstrate fulfillment of vendor risk management assessment requirements.
Contractual Security Protections
Controls: SA-9 / AT | Owner: FutureFeed
Description: FutureFeed maintains contractual confidentiality and security obligations with customers and establishes equivalent protections with subservice providers. These contractual controls support the CRMA classification risk framework.
Notes / Customer Actions: Retain the FutureFeed service agreement as vendor documentation. Its security terms are relevant to assessor inquiries.
Operational Governance & Training
Acceptable Use & Internal Policy Alignment
Controls: PL / PS | Owner: Customer
Description: Customers are responsible for operating FutureFeed in accordance with their internal security and acceptable use policies, and ensuring its use is consistent with their broader CMMC compliance posture.
Notes / Customer Actions (Action Required): Reference FutureFeed explicitly in internal acceptable use policies and system inventories. Inform users of restrictions before granting access.
User Awareness & Training
Controls: AT-2 / AT-3 | Owner: Customer
Description: Customers are responsible for ensuring all FutureFeed users receive appropriate cybersecurity awareness training, including training on the prohibition against uploading CUI to the platform.
Notes / Customer Actions (Action Required): Document FutureFeed-specific restrictions in your internal training materials. Maintain training completion records as CMMC assessment evidence.
Incident Reporting to FutureFeed
Controls: IR-6 / IR-7 | Owner: Shared
Description: FutureFeed monitors the platform and notifies customers of security events affecting the FutureFeed environment. Customers must report suspected security incidents, unauthorized access, or data integrity concerns within their FutureFeed tenant to FutureFeed support promptly. Real-time platform status and incident notifications are available at futurefeed.statuspage.io.
Notes / Customer Actions: Contact: [email protected] or 1-844-725-8252. Include FutureFeed in customer incident response procedures as both a potential incident surface and a notification recipient.
Explicit Customer Prohibitions
Do not intentionally upload, store, process, or transmit Controlled Unclassified Information (CUI) within FutureFeed. FutureFeed is not an authorized CUI system.
Do not use FutureFeed as a primary repository for controlled technical data, export-controlled documents, or CUI-bearing contract deliverables.
Do not classify FutureFeed as out-of-scope in your CMMC scoping analysis. It must be inventoried and classified as a CRMA in your SSP.
Do not share FutureFeed credentials across users or attempt to bypass multi-factor authentication requirements.
Do not assume FutureFeed provides security enforcement, monitoring, or incident response functions within your CUI enclave. It does not.
Important Scoping Note for CMMC Assessments
FutureFeed’s intended function is governance, risk management, and compliance documentation – not CUI hosting. Under CMMC 2.0 (32 CFR Part 170), asset classification is driven by intended function, not hypothetical misuse. Accordingly, FutureFeed recommends customers classify the platform as a Contractor Risk Managed Asset (CRMA).
A Customer Responsibility Matrix is not a regulatory requirement for CRMAs. FutureFeed provides this matrix as a customer convenience tool to reduce assessment friction. Customers should reference FutureFeed’s FedRAMP Moderate Equivalency – audited independently by Lunarline – as evidence supporting the CRMA risk determination.