From Where the Server Sits to Who Is Responsible
A companion paper addresses the legacy E2 and JobBOSS systems that run on a server in the shop's own building, where the contractor owns every layer from the operating system down to the room the server sits in. The current product, JobBOSS2, changes the question, because it is frequently hosted by the vendor rather than installed on the contractor's hardware. A hosted arrangement divides responsibility between the vendor and the contractor rather than placing all of it on one party, and the CMMC analysis follows that division. The regulatory baseline is unchanged. The CMMC program, codified at 32 CFR Part 170 and effective December 16, 2024, requires the 110 security requirements of NIST Special Publication 800-171 Revision 2, demonstrated through a Level 2 assessment. What the hosted case adds is a second body of rules that govern the use of an external cloud service to hold CUI.
The Three Ways JobBOSS2 Is Deployed
JobBOSS2 can be installed on premises on the contractor's own server, hosted by the vendor in a commercial cloud, or hosted by the vendor in a separate government cloud offering built for defense work. Each arrangement carries a different answer. The on-premises option returns the contractor to the control work in the companion paper. The two hosted options are the subject here, and the commercial and government tiers are different environments that do not carry the same protections. A contractor that does not know which tier it is on cannot answer the CMMC question for its own data.
The specific offering is the test, not the label. A commercial tier should not be treated as a home for CUI unless the specific offering used for it meets the cloud rule. A government tier may be designed for that use, but the specific offering must still be verified.
Platform authorization is not offering equivalency. AWS GovCloud and Azure Government carry FedRAMP authorization at the infrastructure layer. The offering built on top of that infrastructure must meet the standard on its own.
Hosting does not transfer accountability. The contractor remains responsible for the CUI regardless of which party operates a given control.
The Cloud Rule, and What FedRAMP Moderate Equivalency Requires
When a contractor uses an external cloud service to store, process, or transmit CUI, DFARS 252.204-7012 requires that the service meet security requirements equivalent to the FedRAMP Moderate baseline and that it support the incident reporting, forensic analysis, and media preservation obligations of the clause. The CMMC final rule carries this into the assessment, and the C3PAO evaluates the cloud service rather than taking it on faith. There are two ways to satisfy the rule. The first is a FedRAMP Marketplace authorization at Moderate or higher, which the contractor can verify directly. The second is FedRAMP Moderate equivalency.
Equivalency is more demanding than the word suggests. The December 21, 2023 DoD memorandum defines it as 100 percent compliance with the FedRAMP Moderate baseline, with all plans of action from the third-party assessment corrected and closed before equivalency is recognized, evaluated by a FedRAMP-recognized assessment organization with a penetration test, and supported by a body of evidence presented to the contractor. Running on a FedRAMP-authorized platform is necessary but not sufficient, because the controls that determine the outcome operate at the application and operational layers the vendor runs on top of the infrastructure. Operational plans of action that arise later, during continuous monitoring, are evaluated separately.
Shared Responsibility and Who Owns the CUI
Even when the offering meets the cloud rule, a hosted environment operates on a shared-responsibility model. The vendor implements and operates some controls, and the contractor retains others. The division is written in a customer responsibility matrix, which the contractor must obtain, read, and reflect in its System Security Plan. The controls the vendor carries can be inherited and cited. The controls assigned to the customer, including user access within the application, multifactor authentication where the matrix assigns it, the handling of CUI in reports and exports, and the security of the endpoints reaching the service, must be implemented and evidenced by the contractor. A hosted ERP carries part of the load and assigns the rest back.
The matrix divides the implementation of controls, but it does not divide accountability for the CUI. Under DFARS 252.204-7012 and the CMMC framework, the contractor remains the party obligated to safeguard the data and to report a cyber incident, regardless of which party operated the control that failed. A breach in the vendor's cloud, or in a managed service provider operating that environment on the contractor's behalf, is the contractor's reportable incident and the contractor's exposure, and the annual affirmation in the Supplier Performance Risk System that rests on inherited controls is the contractor's representation. Prudent diligence therefore includes a residual risk analysis, a review of whether the contractor's own cyber liability coverage responds to a loss of CUI inside the vendor's environment, and an incident response plan tested against the hosted scenario before an incident occurs.
The determination rests on evidence. A hosted JobBOSS2 environment is a defensible home for CUI when the specific offering meets the FedRAMP authorization or equivalency standard, the customer responsibility matrix is read and acted upon, and the contractor evidences the portion it retains.
Where it fails. It is not defensible when the contractor assumes the vendor handled everything, when the offering sits on a FedRAMP-authorized platform without meeting the standard itself, or when CUI is placed in a commercial tier for convenience.
The Pattern Beyond One Product
JobBOSS2 is a worked example of a question every defense manufacturer now faces with hosted software. The same analysis applies to any external cloud service that holds CUI, whether an ERP, a manufacturing execution system, a quality management system, a document or collaboration platform, or a governance and compliance tool. In every case the questions are the same. Does the offering meet the FedRAMP Moderate authorization or equivalency standard, shown by a Marketplace listing or a third-party attestation and body of evidence? What does the customer responsibility matrix assign to the contractor? And can the contractor implement and evidence the portion it retains? A contractor that learns to ask those questions of one hosted product can ask them of all of them.
Download the Full White Paper
The full paper includes the three deployment models, the cloud rule under DFARS 252.204-7012 and 32 CFR Part 170, the FedRAMP Moderate equivalency standard from the December 2023 DoD memorandum, a precise reading of what ECI publishes and what it means, the shared-responsibility model and the customer responsibility matrix, the contractor's retained accountability for the CUI, the diligence including cyber liability coverage and incident response, the on-premises alternative, a diagnostic sequence for working through a deployment, and an evidence-package table mapping each artifact to the requirement it supports.