The best advice is to use a FedRAMP certified cloud service provider. The FedRAMP Moderate baseline is well established and understood by Cloud Service Providers (CSPs) that provide such service to the (United States Government (USG). Again the best solution would be to use a CSP service approved by FedRAMP at the “Moderate” level. However, if co-tenancy is not possible, it is acceptable to use a similar service that has not formally been approved by FedRAMP if the CSP can demonstrate to the contractor that it is equivalent. The demonstration of equivalency will need to be satisfied before the service can be used.

Source: Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73 DFARS Subpart 239.76, and PGI Subpart 239.76 FAQ REVISION, April 2, 2018 rev 1 1

The URL for FedRAMP service providers: