Version: [ v1.0 ]

Effective date: 07/24/2025

CUI Vault (FCI-Only) – Terms & Conditions

1 - Definitions


• “FCI” (Federal Contract Information): Information provided by or generated for the Government under a contract not intended for public release. FCI does not include CUI. (FAR 52.204-21). (Acquisition.gov)


• “CUI” (Controlled Unclassified Information): Information the Government creates or possesses, or that an entity creates for or on behalf of the Government, that requires safeguarding or dissemination controls pursuant to law, regulation, or Government-wide policy. (CMMC Program / NIST 800-171 context). (Federal Register)


• “Level 1 Self-Assessment”: The contractor’s annual self-assessment (and senior official affirmation) against the 17 basic safeguarding requirements in FAR 52.204-21, posted to SPRS, as described in the DoD CMMC Level 1 Self-Assessment Guide. (Defense CIO)


• “Level 2 Self-Assessment (non-prioritized)”: A contractor self-assessment against the 110 NIST SP 800-171 controls allowed only for non-prioritized acquisitions, with the score and annual affirmation posted to SPRS, per DoD CMMC 2.0 rulemaking. (Federal Register, Defense CIO, Defense CIO)


• “FedRAMP-Equivalent”: A cloud environment independently assessed by a FedRAMP-recognized 3PAO showing 100% implementation of the FedRAMP Moderate baseline with no open POA&Ms, and a complete Body of Evidence (SSP, SAP, SAR, closed POA&M). (DoD FedRAMP-equivalency memo). (Acquisition.gov)



2 - Scope of Services (What You’re Buying)


2.1 FCI-Only Enclave. CUI Vault (Level 1 and Level 2 Self-Assessment tiers) provides an enclave designed to help you implement and evidence the 17 FAR 52.204-21 controls (Level 1) and, where applicable, complete a Level 2 self-assessment (non-prioritized) without hosting CUI. (Acquisition.gov, Defense CIO, Defense CIO)


2.2 No CUI Handling. These tiers MUST NOT be used to store, process, or transmit CUI or other information subject to DFARS 252.204-7012 (covered defense information) or any requirement for FedRAMP Moderate (or equivalent). If you need to handle CUI, you must migrate to CUI Vault Pro (available only after our FedRAMP-equivalency is achieved). (Acquisition.gov)


2.3 Self-Assessment Tooling. We provide guidebooks, templates (SSP, POA&M), and an auto-scoring workbook to assist you in preparing your SPRS submission. You are solely responsible for the accuracy of the score and affirmation. (Defense CIO, Defense CIO, Arnold & Porter)


2.4 Certification Use Rights. While the subscription to CUI Vault (Level 1 / Level 2 Self-Assessment tiers) is active and in good standing, Customer may reference the platform and its provided documentation/templates as part of its self-assessment, SSP, POA&M, and SPRS submission. Upon termination, expiration, or suspension of the subscription, Customer must cease representing—publicly or in any submission to the Government, a prime contractor, or a C3PAO—that it relies on, inherits from, or otherwise uses CUI Vault to meet any control requirement.



3 - Customer Responsibilities


3.1 Data Classification. You will classify data before ingestion and ensure no CUI or covered defense information is uploaded to CUI Vault (Level 1 / Level 2 Self-Assessment tiers). (Acquisition.gov, Acquisition.gov)


3.2 Implement Required Controls. You remain responsible for implementing and maintaining:

• The 17 basic safeguarding controls for Level 1. (Acquisition.gov, Defense CIO)

• All 110 NIST SP 800-171 controls for Level 2 self-assessment (non-prioritized) to the extent applicable to your environment (even if the enclave itself is FCI-only). (Federal Register, Defense CIO)


3.3 SPRS Posting & Affirmations. You (not CUI Vault) will post your scores and annual affirmations to SPRS and maintain all evidence for DoD review. (Defense CIO, Defense CIO, Arnold & Porter)


3.4 Access Management & Device Compliance. You will provision/de-provision users promptly, enforce MFA, and ensure only compliant, authorized devices access the enclave. (Aligned to FAR 52.204-21 and NIST 800-171 IA/AC families). (Acquisition.gov, Defense CIO)


3.5 Incident Reporting. If you suspect CUI was inadvertently introduced, you must notify us within 24 hours and immediately follow DFARS 252.204-7012 incident reporting if applicable. (Acquisition.gov)


3.6 Migration to CUI Vault Pro. Prior to handling CUI or if any solicitation/contract clause (e.g., DFARS 252.204-7012) applies, you agree to migrate to a FedRAMP-equivalent environment (CUI Vault Pro) or another compliant solution.



4 - Our Responsibilities (What We Provide)


4.1 Platform Security Baseline. We operate the enclave to support your Level 1 / Level 2 self-assessment activities, but do not represent or warrant FedRAMP-equivalency for these tiers.


4.2 Documentation & Templates. We provide standard templates (SSP, POA&M, policy stubs) and a scoring workbook aligned to DoD’s assessment methodology, but final tailoring and accuracy are your responsibility. (Defense CIO, Defense CIO)


4.3 Future Upgrade Path. Upon completion of our FedRAMP-equivalency (validated by a FedRAMP-recognized 3PAO), we will offer a CUI Vault Pro upgrade path. (Acquisition.gov)



5 - Prohibited Data & Activities


You shall not store, process, or transmit in the Level 1 / Level 2 Self-Assessment tiers:


a. CUI, Covered Defense Information (CDI), ITAR data.


b. Personal Health Information (PHI) governed by HIPAA, PCI cardholder data, or any data requiring encryption/controls beyond FAR 52.204-21’s 17 safeguards. (Acquisition.gov)


c. Any data that contractually or legally requires FedRAMP Moderate (or equivalent). (Acquisition.gov)



6 - Representations & Warranties


6.1 No Compliance Guarantee. We do not guarantee that use of CUI Vault (Level 1 / Level 2 Self-Assessment tiers) will, by itself, satisfy your contractual or regulatory obligations.


6.2 Customer Affirmation. You acknowledge that Level 1 and certain Level 2 self-assessments are permitted by DoD only in specific circumstances (e.g., non-prioritized acquisitions), and you are responsible for determining which requirement applies to your contracts. (Federal Register, Defense CIO)


6.3 Misrepresentation / False Statements


Customer represents and warrants that all statements it makes to the DoD, a prime contractor, a C3PAO, DIBCAC, or any Government representative regarding its use of CUI Vault, its SPRS score, or its implementation of controls are accurate and not misleading. If Customer (i) knowingly or recklessly misrepresents its reliance on CUI Vault after termination or suspension, (ii) asserts that it is benefitting from CUI Vault’s controls when it is not subscribed, or (iii) otherwise submits a false certification or affirmation:


a. We may immediately terminate all remaining services;

b. Customer shall indemnify us for all damages, penalties, and costs (including attorneys’ fees) arising out of or related to such misrepresentation, including any claims under the False Claims Act or similar laws;

c. Customer shall pay liquidated damages of $25,000 or 150% of the fees paid in the prior 12 months, whichever is greater, as a reasonable pre-estimate of the harm from reputational damage and increased regulatory scrutiny (not a penalty); and

d. We reserve the right to notify impacted primes, contracting officers, and/or the DoD of the misrepresentation to correct the record.



7 - Audit, Cooperation & Evidence


7.1 Agency / Prime Requests. If DoD, DCMA/DIBCAC, a C3PAO, or your prime contractor asks for evidence related to your self-assessment, you will provide it; we will reasonably cooperate regarding platform evidence we control. (Defense CIO)


7.2 Misuse / Breach. We reserve the right to suspend or terminate access if we detect, or reasonably suspect, CUI or other prohibited data in this tier.


7.3 Right to Audit and Notify Third Parties


If we have a reasonable basis to believe Customer is (a) handling CUI in an FCI-only tier, (b) continuing to rely on CUI Vault post-termination, or (c) misrepresenting the platform’s compliance posture, we may (i) request documentation sufficient to confirm compliance with these Terms, and (ii) notify affected primes, contracting authorities, or C3PAOs to prevent or remediate false certifications.



8 - Liability & Indemnification


8.1 Limitation of Liability. [Standard SaaS limitation—e.g., fees paid in the prior 12 months—except for willful misconduct, gross negligence, or IP infringement.]


8.2 Indemnity. You agree to indemnify us for claims, penalties, or costs arising from (i) misclassification of data (e.g., placing CUI in an FCI-only enclave), (ii) inaccurate or fraudulent SPRS submissions/affirmations, or (iii) failure to meet FAR/CMMC obligations that are assigned to you under this agreement.



9 - Changes in Law / Program Requirements


If DoD, FAR/DFARS, or CMMC program rules change so that the services provided here no longer meet the minimum legal or contractual requirements for your use case, you agree to migrate to a compliant environment (e.g., CUI Vault Pro) or terminate the service. (Federal Register)



10 - Term, Termination & Data Return


10.1 Either party may terminate for convenience with [30] days’ notice.


10.2 Upon termination, we will provide you with an export of your data and permanently delete remaining copies within 90 days, except as required by law.


10.3 Effect of Termination / Cancellation


Within ten (10) business days of termination, expiration, or suspension of the subscription:


a. Customer must remove all references to CUI Vault from any ongoing or future SSP, POA&M, SPRS submission, or annual affirmation, unless those submissions clearly state that the environment is no longer in use and the relevant inherited controls no longer apply.


b. Customer must, if its SPRS score or SSP/POA&M relied on CUI Vault artifacts, update or re-affirm its submissions to accurately reflect the current environment.


c. Customer shall no longer claim or imply that it inherits any controls from CUI Vault.


d. Upon our request, Customer shall provide written confirmation that the above actions have been completed.


10.4 Survival. Sections 2.4, 3 (Customer Responsibilities), 5 (Prohibited Data & Activities), 6.3 (Misrepresentation), 7 (Audit & Cooperation), 8 (Liability & Indemnification), 9 (Changes in Law), 10.3 (Effect of Termination), and 11 (Governing Law, etc.) shall survive any termination or expiration of this Agreement.



11 - Governing Law, Venue, Order of Precedence


These Terms and Conditions will be governed by and construed in accordance with the laws of the State of California, excluding its body of law controlling conflict of laws. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in Santa Clara County, California and the parties irrevocably consent to the personal jurisdiction and venue therein.