Navigating the government regulatory landscape can be overwhelming, especially with the many acronyms and specialized terms involved.

We break down the most critical terms below, providing clarity on each term and Onshape Government’s approach to meeting these standards.

Key Regulations

Compliance with government regulations is paramount for organizations handling sensitive or controlled information. Here are some of the regulations that either Onshape, our customers, or both may need to address. Onshape Government is designed to help meet these requirements, making compliance simpler and more accessible.

ITAR/EAR (International Traffic in Arms Regulations/Export Administration Regulations)

These regulations control the handling and export of defense-related technologies and sensitive information, ensuring that Controlled Unclassified Information (CUI) remains protected from access by non-U.S. persons. This is often managed in secure environments like AWS GovCloud.

Onshape’s Position: Onshape Government is structured to support companies in achieving ITAR/EAR compliance. However, it is ultimately the customer’s responsibility to ensure compliance in their own use of the environment.

CMMC (Cybersecurity Maturity Model Certification)

Developed by the Department of Defense (DoD), CMMC sets cybersecurity standards across the Defense Industrial Base (DIB), focusing on protecting CUI and federal contract information.

Onshape’s Position: Onshape Government aligns with CMMC 2.0 requirements and will pursue certification as soon as accredited assessors are available.

FedRAMP (Federal Risk and Authorization Management Program)

This program standardizes security assessments for cloud services, ensuring they meet rigorous privacy and security requirements for federal agency use. FedRAMP certification confirms that a service is secure and compliant with federal guidelines.

Onshape’s Position: Onshape Government is designed with FedRAMP Moderate requirements in mind and is in the process of working with a third-party assessor (3PAO) to achieve Authorization to Operate (ATO). The certification process is lengthy, and Onshape aims to be “In Process” by mid-2025, with full certification targeted for 2026.

DFARS (Defense Federal Acquisition Regulation Supplement)

This set of regulations, an extension of the Federal Acquisition Regulation (FAR), mandates cybersecurity standards for contractors handling CUI in defense-related contracts. It includes requirements under NIST 800-171.

Onshape’s Position: Currently, Onshape does not intend to pursue DFARS certification but may consider it in the future based on customer demand.

Relevant Standards

Standards often serve as the foundation for regulatory compliance, defining specific security practices. Below are some of the key standards referenced by regulations like ITAR and FedRAMP.

NIST 800-171

NIST 800-171 outlines how to protect CUI in non-federal systems, setting precise controls to secure sensitive data.

Onshape’s Position: Onshape Government is implemented to align with NIST 800-171.

NIST 800-53

Another important standard from NIST, 800-53 provides guidelines for implementing security and privacy controls for federal information systems.

Onshape’s Position: Onshape Government is aligned with NIST 800-53 R5 requirements and is making ongoing efforts to fully meet this standard.

FIPS (Federal Information Processing Standards)

These standards, created by NIST, ensure the security of information systems that handle controlled or sensitive information. FIPS 140-3, in particular, covers cryptographic security requirements for protecting data.

Onshape’s Position: Onshape Government uses FIPS 140-3 approved cryptographic algorithms and validated modules.

Common Terms in Government Compliance

These terms may come up frequently in discussions about Onshape Government, especially when explaining its role in protecting sensitive information.

Controlled Unclassified Information (CUI)

CUI refers to information requiring safeguarding but not classified under national security categories. It is essential to protect CUI under frameworks like NIST 800-171.

Onshape’s Position: Onshape helps customers manage their CUI in compliance with various regulations.

Third-Party Assessment Organization (3PAO)

These independent organizations assess and validate cloud service providers’ compliance with FedRAMP standards, ensuring security and reliability.

Onshape’s Position: Onshape is working with a FedRAMP-accredited 3PAO to verify compliance with FedRAMP standards.

DISA (Defense Information Systems Agency)

DISA is a DoD agency responsible for IT support and secure communication for the U.S. military. It plays a crucial role in managing FedRAMP certifications for military use of cloud technology.

Onshape’s Position: While DISA is not directly relevant to Onshape’s day-to-day operations, it’s essential to know that this agency oversees defense cloud security requirements.

Onshape Ensures Trust

Onshape Government is committed to supporting organizations in meeting complex regulatory requirements. With a focus on aligning with federal standards, Onshape enables companies to safeguard their sensitive information within a secure, compliant environment. As regulations evolve, we will continue to adapt our offerings, working with accredited assessors and pursuing necessary certifications to ensure our customers can trust their data with Onshape.
