FedRAMP High-Ready · Zero Trust · CMMC Level II Compliant
The only SECaaS platform purpose-built to protect CUI with true client-side E2EE.
Data is encrypted on the client before transmission, stored encrypted at rest, and decrypted only on the authorized recipient's device. The server never has access to plaintext data or encryption keys.
MFA + time-sensitive encrypted token generated
ECDH P-256 derives shared secret on client
AES-256-GCM encrypts data + signs with ECDSA
Ciphertext + metadata sealed in KB02 structure
Encrypted bundle stored on server — zero plaintext
Recipient verifies identity via MFA
Download encrypted KB02 bundle from server
SHA-256 integrity check + ECDSA signature validation
ECDH + HKDF reconstructs AES key on client
AES-256-GCM decrypts — plaintext visible only to recipient
⚡ ZERO-KNOWLEDGE ARCHITECTURE
The Enablement® server never sees plaintext data, encryption keys, or shared secrets. All cryptographic operations happen client-side.
Every component is FIPS 140-2 aligned and mapped to NIST SP 800-171 / CMMC Level II controls.
Total overhead: ~500 bytes + per-recipient wrapped keys. AES key is never stored — derived at runtime via ECDH + HKDF.
FedRAMP-certified cloud storage providers protect infrastructure, not CUI data. CMMC requires end-to-end CUI protection that Box, OneDrive, Google Drive, AWS S3, and Dropbox fundamentally cannot provide.
| CMMC Requirement | Enablement® | Box | OneDrive / SharePoint | Google Drive | AWS S3 / GovCloud | Dropbox |
|---|---|---|---|---|---|---|
| Client-Side E2E Encryption | ✔ True E2EE — keys never leave client | ✘ Server-side only | ✘ Server-side only | ◐ Client-side via API only | ◐ SSE-C (you manage keys) | ✘ Server-side only |
| Zero-Knowledge Architecture | ✔ Server never accesses plaintext | ✘ Provider holds keys | ✘ Microsoft holds keys | ✘ Google holds keys | ◐ Depends on config | ✘ Dropbox holds keys |
| CUI Classification & Tagging | ✔ Automated via AAD manifest | ◐ Manual labels | ◐ Sensitivity labels | ✘ No CUI awareness | ✘ No CUI awareness | ✘ No CUI awareness |
| FIPS 140-2 Encryption | ✔ AES-256-GCM, ECDSA P-256 | ✔ AES-256 | ✔ AES-256 | ✔ AES-256 | ✔ AES-256 | ✔ AES-256 |
| Policy-Enforced Access (View/Print/Download) | ✔ Cryptographically bound in AAD | ◐ UI-level only | ◐ IRM (limited) | ◐ UI-level only | ✘ Not available | ◐ UI-level only |
| Non-Repudiation (Digital Signatures) | ✔ ECDSA on every bundle | ✘ Not available | ✘ Not built-in | ✘ Not available | ✘ Not available | ✘ Not available |
| Tamper Detection (Integrity) | ✔ GCM tag + SHA-256 hashes | ◐ Checksums only | ◐ Checksums only | ◐ Checksums only | ✔ Checksums + versioning | ◐ Checksums only |
| CMMC Level II Certified | ✔ Purpose-built for CMMC | ✘ FedRAMP only | ◐ GCC High (partial) | ✘ FedRAMP only | ✘ FedRAMP only | ✘ No FedRAMP |
| Multi-Recipient Key Distribution | ✔ Wrapped CEK per recipient | ✘ Shared link model | ✘ ACL-based | ✘ ACL-based | ✘ Bucket policies | ✘ Shared link model |
| Audit Trail for Each Process | ✔ Per-process action audit with retention | ◐ Basic admin logs | ◐ Unified audit log | ◐ Activity dashboard | ✔ CloudTrail | ◐ Basic events |
These providers protect their infrastructure — not your CUI. Here's where each falls short.
Box: Server-side encryption means Box holds the keys. CUI is decrypted at rest on their servers. No digital signatures, no cryptographic access policy enforcement, no CUI-aware classification. FedRAMP authorization covers Box's infrastructure, not your data protection. Verdict: Not CMMC Compliant.
OneDrive / SharePoint: Even GCC High still uses Microsoft-managed encryption keys. Sensitivity labels provide UI-level classification but no cryptographic enforcement. IRM offers limited protection, but keys are managed server-side by Microsoft. Verdict: Not CMMC Compliant.
Google Drive: Client-side encryption is available via API but requires custom implementation. Google holds the standard encryption keys. No CUI awareness, no CMMC-specific controls, no policy enforcement at the cryptographic layer. Verdict: Not CMMC Compliant.
AWS S3 / GovCloud: SSE-C allows customer-managed keys but places the entire implementation burden on the contractor. No built-in CUI tagging, no access policy binding, no digital signatures. FedRAMP covers AWS infrastructure, not the CUI workflow. Verdict: Partial — Heavy DIY.
Dropbox: No FedRAMP authorization. Server-side encryption with Dropbox-held keys. No CUI awareness, no compliance controls, no digital signatures. Not viable for any DoD contractor handling CUI. Verdict: Not CMMC Compliant.
Enablement®: Purpose-built from the ground up for CMMC compliance — not retrofitted from consumer cloud storage.
Encryption and decryption happen exclusively on the client. The server never has access to plaintext data, encryption keys, or shared secrets — eliminating insider threat risk.
Access policies (view, print, download) are bound into the AAD manifest and verified during decryption. Unlike UI-level restrictions, these cannot be bypassed.
Every KB02 bundle includes an ECDSA digital signature, providing mathematical proof of who encrypted the data — critical for DoD audit and legal requirements.
The AAD manifest automatically classifies and tags CUI metadata — artifactId, sensitivity, permissions — all cryptographically sealed and tamper-evident.
Not just infrastructure compliance — full CMMC Level II coverage including SC, AC, AU, and IA control families, validated through Enablement's Zero Trust architecture.
Each recipient gets their own wrapped Content Encryption Key — no shared links, no shared passwords. Revocation is per-recipient without affecting others.