Matt stares at the screen. The deadline was yesterday. The file is ready. And now he needs to get this contract modification package to the contracting officer at another agency — plus the legal team at his own office — before 5 p.m Surprisingly effective..
He could email it. But the attachment is 47 MB. The email system bounces anything over 25.
He could use the shared drive. But the other agency doesn't have access, and the VPN setup takes three days and a help desk ticket he doesn't have time to wait for.
He could print it, scan it, and fax it. People still do that. He's seen it.
Matt is a government employee who needs to share. And every option feels like a compromise between speed, security, and "will this get flagged by the ISSO?"
What Is Secure File Sharing in Government
It's not Dropbox. Worth adding: it's not Google Drive. It's not WeTransfer with a prayer.
Secure file sharing in government means moving controlled unclassified information (CUI), personally identifiable information (PII), or even just large acquisition packages between authorized parties — without violating NIST 800-171, FISMA, your agency's System Security Plan, or the terms of your Authority to Operate (ATO).
It means:
- Encryption at rest and in transit (AES-256 minimum, TLS 1.2+)
- Access controls tied to PIV cards or Entra ID with phishing-resistant MFA
- Audit logs that survive a FOIA request
- Data residency guarantees (CONUS-only for most civilian agencies)
- No shadow IT. No personal accounts. No "I'll just use my Gmail this once."
The Classification Matters
Not everything is CUI. But more things are than most people realize The details matter here..
A spreadsheet with contractor names, labor rates, and contract numbers? Could be CUI if it reveals critical infrastructure personnel. That's CUI — specifically, proprietary business information. A draft RFP with evaluation criteria? Worth adding: an org chart with direct phone numbers and office locations? Absolutely CUI Small thing, real impact..
The default assumption in government should be: treat it as controlled until the records officer says otherwise.
Why This Keeps Coming Up
Because the workarounds are exhausting.
Matt's situation plays out thousands of times a day across the federal workforce. A grants manager needs to collect financial reports from 40 subrecipients. On the flip side, a program analyst needs to send a 200 MB video of a site inspection to the COR. A FOIA officer needs to deliver 15,000 pages of responsive records to a requester Took long enough..
The official docs gloss over this. That's a mistake.
The legacy tools weren't built for this And that's really what it comes down to..
- Email attachment limits — 25 MB is standard. Some agencies still enforce 10 MB.
- Shared drives — Great inside the enclave. Useless across agencies or with contractors who don't have network accounts.
- FTP/SFTP servers — Still exist. Often unmonitored, rarely patched, frequently forgotten.
- Physical media — Burned CDs, encrypted USBs, courier envelopes. Slow, auditable, and surprisingly common for high-side transfers.
The result? They zip files and password-protect them with "Password123.People improvise. Worth adding: they use personal Dropbox. " They screenshot documents and text them.
Every workaround creates risk. Every shortcut creates a finding.
How It Actually Works (When It Works)
There's no single tool. There's a stack. And knowing which layer to use for which scenario saves weeks of back-and-forth with your ISSO.
1. Agency-Approved Cloud Platforms (FedRAMP Authorized)
Most civilian agencies now have a FedRAMP High or Moderate authorized platform for external sharing.
- Microsoft 365 GCC High / DoD — OneDrive and SharePoint with external sharing enabled, conditional access policies, sensitivity labels, and DLP rules. If your agency uses this, it's usually the first stop.
- Google Workspace for Government — Similar capabilities, less common in civilian agencies but growing.
- Box for Government / Dropbox GovCloud — Purpose-built for external collaboration with granular permissions, watermarking, and expiration dates.
What to check before you use it:
- Is external sharing enabled at the tenant level? (Often disabled by default)
- Does your sensitivity label (CUI, PII, FOUO) allow external recipients?
- Are guest accounts allowed, or only federated identities?
- What's the file size limit? (OneDrive: 250 GB per file. SharePoint: 250 GB. But your admin may have set lower.)
2. Secure File Transfer Services (Managed File Transfer — MFT)
For recurring, automated, or high-volume transfers — especially between agencies or with industry partners — MFT is the standard.
Tools like:
- GoAnywhere MFT (widely used in DoD and civilian)
- MOVEit (common but check for recent CVEs)
- Globus (popular in research agencies like NSF, DOE, NIH)
- Axway / IBM Sterling (enterprise-grade, heavy lift)
These handle:
- Scheduled transfers with retry logic
- PGP encryption + SFTP/AS2/HTTPS protocols
- Detailed audit logs (who sent what, when, to whom, hash verification)
- Integration with agency identity providers (SAML/OIDC)
The catch: You need a server, an ATO, and usually a help desk ticket to provision a new trading partner. Not for "I need this sent today."
3. DoD SAFE / DOD365 / milSuite
If you're in DoD or working with DoD partners, you've probably used DoD SAFE (Secure Access File Exchange) Easy to understand, harder to ignore..
- Web-based, no account required for recipients
- 2 GB per file, 25 GB per package
- Files expire in 7 days (configurable)
- CAC/PIV authentication for senders
- Audit trail retained
Limitations: Not for long-term collaboration. No version control. No real-time co-authoring. And it's blocked on some classified networks Most people skip this — try not to. Took long enough..
4. ATO'd Collaboration Spaces (Teams, Slack Gov, Mattermost)
For ongoing work with external partners — especially contractors — a governed Teams channel or Slack Gov workspace often beats file-by-file transfers It's one of those things that adds up..
- Persistent chat + files + meetings
- Guest access with conditional access policies
- Retention labels for records management
- eDiscovery ready
But: Every external participant needs a guest account. Every guest account needs sponsorship. Every sponsorship needs a COR or COTR sign-off. Plan for two weeks minimum Small thing, real impact..
5. The "Last Resort" Options (And When They're Actually Approved)
Sometimes the approved tool can't do the job. On the flip side, the file is 500 GB. And the recipient is in a country with no FedRAMP presence. The network path doesn't exist.
In those cases, you escalate. But you document. You get a risk acceptance signed by the AO (Authorizing Official).
Options that sometimes get approved with compensating controls:
- Encrypted physical media (FIPS 140-2 Level 3 USB, tamper-evident packaging, chain-of-custody form)
- Commercial MFT with FedRAMP in progress (if you have a POA&M and compensating
controls)
- Dedicated VPN tunnels (Site-to-Site IPsec)
Summary: Choosing the Right Tool for the Mission
Selecting a file transfer method isn't just about technical capability; it’s about balancing speed, security, and compliance. Using the wrong tool can lead to a security incident (data spill) or a massive delay in mission execution.
To make the right choice, ask yourself these four questions:
- What is the Data Sensitivity?
- Unclassified/Public: SharePoint or standard email/web links.
- CUI (Controlled Unclassified Information): FIPS-validated encryption, MFT, or DoD SAFE.
- Classified: Air-gapped physical media or specialized secure networks (SIPR/JWICS).
- What is the File Size?
- Small (<25MB): Email/Teams.
- Medium (25MB - 2GB): SharePoint or DoD SAFE.
- Large (>2GB): MFT (Globus/GoAnywhere) or physical media.
- Is this a one-off or a workflow?
- One-off: DoD SAFE or a secure web upload.
- Workflow: A dedicated Teams channel or an automated MFT pipeline.
- Who is the recipient?
- Internal: Teams/SharePoint.
- External Partner/Contractor: MFT or a sponsored Guest Account in Teams.
Conclusion
In the modern federal and defense landscape, "just sending it" is no longer an option. The shift toward Zero Trust architecture means that every file movement must be authenticated, encrypted, and audited Most people skip this — try not to..
While the bureaucracy of requesting a new MFT account or sponsoring a guest in Teams can be frustrating, these hurdles exist to check that sensitive data—the lifeblood of national security and agency operations—remains protected. When in doubt, default to the most restrictive tool that meets your technical requirement. It is much easier to upgrade a security posture later than it is to clean up a data breach Not complicated — just consistent..
Most guides skip this. Don't That's the part that actually makes a difference..