Bottom line: NextStage is built for use within CUI boundaries and in compliance with CMMC. NextStage has been independently assessed by a FedRAMP 3PAO as meeting FedRAMP Moderate equivalency, which makes it compliant with DFARS 252.204-7012, the clause that sets the security baseline for Cloud Service Providers (CSPs) used by defense contractors.
This guide answers three questions: can you process CUI in NextStage, how do you assess it for your boundary, and how do you implement it?
What is NextStage?
NextStage is a growth platform for government contractors, helping teams track and develop federal government contracting opportunities from business development to proposal submission. It combines three things:
A system-of-record to track opportunities across all stages of the business development and proposal process
A market intelligence aggregation tool, bringing in opportunity data from a myriad of federal data sources
An AI-enabled proposal development tool to help build proposal drafts and content
Where does CUI enter NextStage?
CUI can enter the system through three distinct paths.
Pre-award and capture data. This is the fastest-growing path: RFPs, PWS/SOW content, sources-sought responses, draft solicitations, and government Q&A increasingly carry CUI markings well before award. For a capture and BD team, that material lands in NextStage as a matter of routine. The practical effect: CUI is entering your CRM during the pursuit phase.
User uploads. Attachments on records, such as opportunities, proposals, deliverables, technical data, and contract documents, are the most common path, and any of them can carry a CUI marking.
Typed or pasted content. Notes, custom fields, and activity history accumulate CUI whenever a user pastes an excerpt from a controlled document or summarizes one in their own words.
Because CUI enters through normal use, the safe assumption is that NextStage sits inside your CUI boundary, which is exactly why its equivalency status matters.
1. Can you process CUI in NextStage?
Yes. A cloud service that stores, processes, or transmits CUI is permitted under the DoD rules if it meets the FedRAMP Moderate baseline, either by authorization or by assessed equivalency. NextStage meets it by equivalency.
The governing requirements:
DFARS 252.204-7012(b)(2)(ii)(D). If a contractor uses an external cloud service provider to store, process, or transmit covered defense information, the CSP must meet security requirements equivalent to the FedRAMP Moderate baseline and comply with paragraphs (c) through (g) of the clause (cyber incident reporting, malicious-software handling, media preservation, forensic access, damage assessment).
32 CFR Part 170 (the CMMC Program Rule) carries this into CMMC: a CSP handling CUI must meet FedRAMP Moderate or equivalent. Section 170.19(c)(2) (Level 2 scoping, Table 4) governs how that CSP is treated within your assessment scope, and Section 170.4 defines CSP and ESP.
DoD FedRAMP Moderate Equivalency Memo (December 2023) defines what "equivalent" means: a full assessment by a FedRAMP 3PAO confirming 100% of the FedRAMP Moderate controls are met, with no control-related POA&Ms, documented in a Body of Evidence that includes a System Security Plan, a Security Assessment Report, and a customer responsibility matrix.
NextStage satisfies all of these requirements, making it suitable for use with CUI. The Body of Evidence and supporting compliance documents are available through the NextStage Trust Center at trust.nextstage.ai.
Frequently asked question: Why isn't NextStage listed on the FedRAMP Marketplace?
The FedRAMP Marketplace lists cloud services that have received a formal FedRAMP authorization, which requires a sponsoring federal agency that uses the service. NextStage's customers are government contractors, not federal agencies, so that sponsorship path doesn't apply to us.
Instead, NextStage follows the defined FedRAMP Moderate equivalency path. Equivalency assessments are not published on the Marketplace, so our absence there is expected rather than a gap.
2. How to assess NextStage for your boundary
Assessing NextStage means confirming and documenting that it belongs in your CUI boundary and that the control split is clear.
1. Obtain and review the Body of Evidence. Request NextStage's equivalency package through the NextStage Trust Center at trust.nextstage.ai, then confirm it contains the 3PAO assessment, the SSP, the SAR, and the responsibility matrix, and that the assessment is against the FedRAMP Moderate baseline with no control-related POA&Ms.
2. Review the responsibility matrix. It marks each control as NextStage's, yours, or shared, indicating which 800-171 requirements you can inherit and which remain yours. Treat it as the source of truth for the split.
3. Document NextStage in your SSP. Name it as a CSP within your CUI boundary, describe the data it handles, reference its equivalency status and Body of Evidence, and fold the responsibility-matrix split into your control descriptions. Retain the evidence for your C3PAO.
Your assessor will want to see the equivalency Body of Evidence, the responsibility matrix reflected in your SSP, and configuration evidence (Section 3) proving the customer-side controls are actually in place.
3. How to implement, and what we've made easier
Two parts: the controls you configure, and the work NextStage has already done so that including it in your boundary is straightforward.
Configure these (each maps to an 800-171 family):
SSO + MFA for every user (IA). NextStage integrates with common IdPs, including Microsoft Entra (Commercial and GCC), Okta, Google Workspace, and more.
Role-based access and least privilege (AC). Users see only what they need.
Provisioning and deprovisioning (AC, PS). NextStage integrates with common directory services (e.g., Entra and Okta) for automated provisioning and deprovisioning.
What NextStage has done to make boundary inclusion easier:
NextStage makes the FedRAMP Moderate equivalency assessment and the full Body of Evidence available through the Trust Center.
A prebuilt responsibility matrix mapped to NIST 800-171, so your SSP work is fill-in rather than build-from-scratch.
Incident-notification support that feeds your DFARS 7012 72-hour cyber incident reporting obligation.