Software as a Service (SaaS)

Software as a Service (SaaS) is a cloud delivery model where applications are hosted by a provider and accessed over the internet — you use the software through a web browser rather than installing it on your own computers. Examples include Microsoft 365, Google Workspace, Salesforce, and Slack.

With SaaS, the provider manages the application, infrastructure, and most security — but you remain responsible for your data, your user accounts, and your configuration. For defense contractors, the key question with any SaaS tool is: Does it handle CUI, and if so, is it FedRAMP authorized at the appropriate level?

Why It Matters

SaaS tools are convenient but can create CUI leakage risks if employees use unauthorized services. Maintaining an inventory of approved SaaS tools and ensuring CUI never reaches unauthorized cloud services is a practical compliance requirement.