Hello. We had a client spring on us at the last second prior to launching their new website that since they are a government contractor they must abide by FedRAMP. Im not a lawyer (obviously). So I did some digging and it seems fedRAMP only applies to cloud hosting.

So my first suggestion was can't we just launch on a Dedicated (bare metal) server? Then fedRAMP would not apply to their website. They came back with this:

As a defense contractor, we are required to use FedRamp-authorized cloud service providers for storing, processing, or hosting any CUI/CTI

Which still doesn't make sense to me if their website isn't on the cloud, why would cloud regulations apply to it? Is there a requirement to use cloud infrastructure? Also, the website essentially just has a contact form where visitors can submit a business inquiry, and a few landing pages with lead generation forms. Would anything submitted on those be considered CUI/CTI at that point?

Sorry if these are dumb questions and thank you for the help. IF you have any insight or recommendations I very much appreciate them.

​