
The CUI Risk Hiding in Your SEWP Inbox (And Why We're Fixing It)

7 Apr 2026

Every morning, hundreds of RFQs land in the inboxes of government VARs across the country. Most teams process them the same way they always have: scan the solicitation, pull pricing, build the quote, hit send.


What a surprising number of those teams do not realize is that somewhere between 5 and 15% of the RFQs flowing through SEWP on any given day contain Controlled Unclassified Information in the attachments.


We know this because we track it. Devin Henderson, Virtual Dojo's founder and the active CEO of federal VAR DH Technologies, started monitoring it after noticing the pattern firsthand. On busy days, when 250 to 400 RFQs come out of SEWP alone, that percentage represents dozens of solicitations carrying data that has federal handling requirements attached to it.


The problem is that most VARs are not treating those RFQs any differently than the ones that do not contain CUI. They are opening the files, copying line items, pasting pricing into commercial tools, sometimes running them through AI to speed up the response, and moving on. That workflow has a compliance problem baked into every step.


What CUI in an RFQ Actually Means


CUI is not classified, but it is not ordinary either. Controlled Unclassified Information is any information the federal government creates or possesses that requires safeguarding under law, regulation, or government-wide policy. When it shows up in a SEWP solicitation attachment, the contractor receiving it takes on handling obligations the moment that file is opened.


Those obligations do not disappear because the file is in your email. They do not disappear because you are just using it to build a quote. And they absolutely do not disappear because you ran it through a commercial AI tool to save yourself an hour.


Under DFARS 252.204-7012, any cloud service that stores, processes, or transmits CUI must meet FedRAMP Moderate or FedRAMP Moderate Equivalency requirements. That means the quoting tool you are using. The CRM where you log the opportunity. The AI assistant you prompted with the line items. Every system that touches that data is in scope.


Most commercial quoting platforms are not FedRAMP authorized. Most commercial AI tools are not either. If you are using them to process RFQs that contain CUI, you are already outside the required security boundary, even if you have never thought about it that way.


The Honest Version of How We Got Here


We did not set out to solve a compliance problem. We set out to build a better quoting tool.

Devin had watched DH Technologies grind through SEWP quoting on VARStreet for years. The process was so click-intensive that even experienced reps dreaded it. Training new people on it was its own project. There was a spreadsheet making its way around the industry that could handle some of the SEWP-specific requirements, but calling it a solution was generous. It got the job done in a pinch, and that was about it.


When we built Virtual Dojo, the first goal was simple: make quoting faster and less painful. AI quote parsing, automatic line item extraction, contract vehicle-level formatting, CLIN checker automation. All of it designed to eliminate the manual work that was costing VARs hours every day.


But as we built, and as CMMC began moving from concept to requirement, it became clear that speed alone was not the point. The question was not just how fast can we process this quote. The question was where is this data going, and who can see it.


The Months Nobody Talks About


FedRAMP is one of those things that sounds manageable until you start. Then it does not.


We spent the better part of three months working through the FedRAMP Readiness Assessment process, which is the step before full FedRAMP Moderate authorization. The goal was to demonstrate that our controls, documentation, and security posture were serious enough that if a government sponsor came along, we could pass a full authorization assessment.


That process required documenting every control, explaining every Google Cloud native service to assessors who were not always familiar with the environment, and working through the edge cases that only show up when someone is actively looking for them. There were moments where locking something down for compliance broke something else entirely. PDF rendering stopped working. Small bugs appeared in places that had been stable for months.


There is a version of building software where you move fast and clean it up later. FedRAMP is not compatible with that approach, at least not once you get to a certain stage. Every change touches something else, and the pace of iteration slows in ways that can be genuinely frustrating when you are used to pushing updates quickly. However, when customer data is on the line, that changes how seriously you take the work.


FedRAMP Ready Is Not FedRAMP Authorized, and That Is a Distinction Worth Understanding


When we complete our FedRAMP Readiness Assessment, Virtual Dojo will appear in the FedRAMP Marketplace as FedRAMP Ready. That designation means we have demonstrated the level of effort and commitment needed to pursue FedRAMP Moderate authorization, and that a government sponsor choosing to fast-track us would be doing so with confidence rather than uncertainty.


What it does not mean, and what people sometimes confuse, is that FedRAMP Ready is the same as authorized. It is not. Authorization requires a government agency to sponsor the assessment, and as a contractor-focused platform, that path is not the one we are on right now.


The path we are on is FedRAMP Moderate Equivalency, which is the compliance standard under DFARS 252.204-7012 for cloud service providers handling CUI without a government sponsor. Equivalency requires the same technical controls as FedRAMP Moderate authorization. The difference is that no POA&Ms are allowed, meaning no exceptions, no partial implementations, and no findings left open: 100% compliance, assessed by an independent 3PAO, with a full body of evidence behind it.


It is a harder path in some ways, because there is no government agency co-signing the work. It is the right path for what we are building.


What This Means If You Are Responding to SEWP RFQs Today


If your quoting workflow runs through commercial tools, and you have not verified their FedRAMP status, there is a reasonable chance some portion of the CUI flowing through your inbox is being processed outside the required security boundary. That is not a hypothetical risk. As CMMC enforcement tightens and SEWP VI introduces new data requirements, the scrutiny on how contractors handle solicitation data is only going to increase.


The practical questions worth asking: Does your quoting platform hold any FedRAMP authorization or equivalency? What about your CRM? If you are using AI to help process RFQ attachments, what model is it using, and where is that data going?


These are not comfortable questions if you have been operating under the assumption that compliance is something you handle once a year during a self-assessment. But they are the right questions, and asking them now is a better outcome than finding out the hard way later.


We built Virtual Dojo to be the platform that lets you answer those questions confidently. That meant doing the FedRAMP work even when it was slow, expensive, and occasionally broke things we thought were finished. We think it was the right call.


We will let you know when we are done.

Cyrus Calloway

VP of Business Development at Virtual Dojo, helping government contractors and VARs win more deals.
