For your assessor · Version 1.0, under counsel review
Custodia shared responsibility statement
Custodia is a compliance management tool that operates OUTSIDE your CUI boundary. It holds everything about your compliance, your SSP, your evidence of controls, your assessment records. It never holds your CUI. This page states the split so your C3PAO or DIBCAC assessor can place Custodia in your assessment scope quickly and correctly.
| Area | Custodia | Your organization |
|---|---|---|
| CUI (controlled drawings, specs, technical data) | Never stored, processed, or transmitted. Uploads carrying CUI markings are refused at intake. | Stays in your own environment (enclave, GCC High, file server). You control every copy. |
| FCI and compliance records (SSP, evidence of controls, POA&M, assessment results, affirmations) | Stored encrypted at rest under your workspace's own key. Access logged to your audit trail. | You author, confirm, and sign everything. Attestation is a human act with no API. |
| Evidence intake (uploads, task links, connectors, AI agents) | Encrypts, screens for CUI markings, runs AI review, and stages for your approval. Nothing counts automatically. | A person on your team accepts every artifact before it counts toward any control. |
| Your assessor's access | A read only seat with no advisory content, preserving assessor independence. | You invite and revoke the assessor. Their findings are theirs alone. |
| Encryption keys | Per workspace data keys wrapped under a platform key. Crypto shred on request makes your records permanently unreadable. | You may request crypto shred at any time. |
| Retention | Sealed assessment records kept six years per FAR 4.703, hashed for independent integrity verification. | You hold the originals of everything you uploaded. |
Why this keeps Custodia out of your CUI scope
Under the CMMC scoping guidance, an external service provider enters your assessment scope when CUI or security protection data resides on its systems. Custodia is architected so neither does: evidence describes your systems rather than containing controlled data, intake refuses CUI markings, and your records are ciphertext under your own workspace key. Your SSP can document Custodia as a compliance management tool outside the CUI boundary, with this page as the reference.
This statement describes the platform's architecture and is not legal advice. Whether a specific artifact is CUI, and how your assessor treats any tool, is a determination for you, your counsel, and your assessor. Full security overview.