If you're a VAR or government contractor using Quote.ly, you've probably faced this question:

"Where should I store CUI Basic to stay compliant?"

It's a critical question because where you store Controlled Unclassified Information directly impacts your compliance posture and your ability to win federal contracts. With Quote.ly available in both Salesforce and Virtual Dojo, understanding the compliance implications of each deployment option matters.

What Is CUI Basic?

CUI (Controlled Unclassified Information) is sensitive but unclassified information that requires safeguarding. CUI Basic requires baseline protections as outlined in NIST SP 800-171. For most VARs and government contractors, this includes procurement-sensitive information, pricing data for government quotes, technical specifications in RFQ responses, customer contact information for federal agencies, and contract terms.

If you're building quotes for federal customers, there's a good chance some of that data qualifies as CUI Basic.

Understanding Quote.ly's Two Deployment Options

Quote.ly gives you two architectural choices, each with different implications for where your CUI Basic data lives.

Quote.ly in Salesforce means all your quoting data lives inside Salesforce's cloud infrastructure. Your compliance requirements flow directly from Salesforce's environment.

Quote.ly in Virtual Dojo means all your quoting data lives inside Virtual Dojo's platform, which is purpose-built for government contractor compliance. Your CRM continues to work as your system of record for customer data, whether that's Salesforce, ConnectWise, HubSpot, or something else.

Option 1: Quote.ly in Salesforce

When you run Quote.ly inside Salesforce, your quoting data is stored in Salesforce's infrastructure. For CUI Basic, this means you need Salesforce GovCloud.

Why Not Salesforce Commercial?

Salesforce Commercial Cloud is SOC 2 and ISO 27001 certified, but it is not compliant for storing CUI Basic data. Despite being a secure enterprise platform, it lacks the FedRAMP authorization required for CUI Basic handling. Salesforce Commercial was not designed to meet NIST SP 800-171 requirements, and auditors will not accept it as a compliant environment for CUI Basic storage.

This is a hard line, not a gray area. If you're handling CUI Basic in Quote.ly within Salesforce, you must use GovCloud.

Salesforce GovCloud: The Compliant Path

Salesforce GovCloud is Salesforce's dedicated environment for government customers, hosted on AWS GovCloud infrastructure. It's FedRAMP Moderate authorized, aligns with CMMC Level 2, and meets NIST SP 800-171 requirements. This is the environment designed specifically for CUI Basic.

GovCloud provides a clear compliance story that auditors understand and accept. When a CMMC assessor asks where your quoting data lives, "Salesforce GovCloud, which is FedRAMP Moderate authorized" is a straightforward answer.

The tradeoffs are significant though. GovCloud costs substantially more than Commercial Salesforce, typically two to three times higher for smaller organizations. The feature set is more limited compared to Commercial Salesforce since not all features are available in the GovCloud environment. Migration isn't simple and you can't flip a switch to move from Commercial to GovCloud. And if you do both commercial and government work, you may need to maintain two separate Salesforce instances.

For a typical VAR, the financial impact is considerable.

Option 2: Quote.ly in Virtual Dojo

When you run Quote.ly inside Virtual Dojo, your quoting data is stored in Virtual Dojo's compliance infrastructure while your CRM remains unchanged.

Virtual Dojo is pursuing FedRAMP Moderate Equivalency, targeting completion in Q3 2026. This aligns with CMMC Level 2 and implements NIST SP 800-171 controls at the platform level. The architecture separates concerns: Quote.ly's quoting data and CUI Basic information lives in Virtual Dojo's compliant environment, while your CRM continues as your customer system of record. CRM data syncs to Virtual Dojo for quoting purposes, but CUI-sensitive quote data remains in the compliant Virtual Dojo environment.

This architectural approach means your existing CRM doesn't need to be compliant for CUI Basic storage. Whether you use Salesforce Commercial, Dynamics, HubSpot, or another system, it can stay as-is. The compliance burden sits with Virtual Dojo, not with your CRM infrastructure. You use a single instance for both commercial and government quotes without needing separate environments.

The CMMC Level 2 Connection

FedRAMP Moderate authorization aligns with CMMC Level 2 requirements, which is the certification level most defense contractors need. During a CMMC assessment, assessors examine every system that touches CUI Basic, including your quoting platform.

Both deployment options provide defensible compliance positions. With Quote.ly in Salesforce GovCloud, all quoting CUI is stored in a FedRAMP Moderate authorized environment. With Quote.ly in Virtual Dojo, all quoting CUI is stored in a platform pursuing FedRAMP Moderate Equivalency that aligns with CMMC Level 2.

The difference isn't in compliance coverage. Both paths address the same requirements. The difference is in cost structure, CRM flexibility, and operational complexity.

Understanding the Decision Factors

Several factors influence which deployment option makes sense for your organization.

Salesforce ecosystem investment matters significantly. Organizations deeply integrated across multiple Salesforce products (Sales Cloud, Service Cloud, Marketing Cloud) and planning a broader GovCloud migration may find Quote.ly in GovCloud a natural fit.

Federal revenue concentration plays a role. Organizations with substantial federal revenue already justifying major compliance investments may absorb GovCloud costs more easily. Organizations with mixed commercial and government portfolios benefit from Virtual Dojo's single-instance approach.

Budget constraints are straightforward. The $317,000 three-year cost difference between options is substantial for most VARs under $10M in revenue. That capital has alternative uses in business development, marketing, operations, or profit.

CRM strategy and flexibility matters for future planning. Committing to Salesforce GovCloud creates long-term ecosystem lock-in. The Virtual Dojo approach allows CRM changes without impacting quoting compliance.

The Core Question

Both paths achieve CMMC Level 2 compliance for your quoting platform. The core question isn't about compliance coverage. The question is about cost, operational complexity, and strategic flexibility.

Are you committed to Salesforce as your system of record across your business, planning a broader GovCloud migration, and able to absorb the associated costs? Then Quote.ly in Salesforce GovCloud is a viable path.

Are you using a PSA platform or prefer CRM flexibility, need to optimize costs, or want to avoid vendor lock-in? Then Quote.ly in Virtual Dojo offers the same compliance outcome with different tradeoffs.

What You Cannot Do

What's not viable is storing CUI Basic in Salesforce Commercial through Quote.ly. This is non-compliant and will not pass CMMC assessment. If you're currently doing this, you need to either migrate to GovCloud or move to a compliant quoting platform like Virtual Dojo.

The compliance requirement is binary. Either your quoting data lives in a compliant environment, or it doesn't. There's no middle ground that auditors will accept.