DoD SAFE: The Complete 2026 Guide to Secure File Sharing for the U.S. Department of Defense

If you've ever tried to email a 200 MB engineering drawing to a Pentagon program manager, you already know the .mil mail gateway rejects almost anything over 10 MB. DoD SAFE (Secure Access File Exchange) at https://safe.apps.mil exists for exactly that gap — moving large or sensitive files between DoD personnel and external partners without standing up an FTP server, mailing a USB, or paying for a commercial transfer service.

What DoD SAFE Is (and Isn't)

DoD SAFE is a web-based, government-operated file-transfer service maintained by DISA. It uses HTTPS for transport and AES-256 at rest, requires CAC (Common Access Card) authentication to upload, and enforces a 7-day expiration on every package. It is FedRAMP-aligned and authorized for CUI.

It is NOT a collaboration platform, NOT a long-term storage system, and NOT authorized for classified information (SECRET / TS use SIPRNet, JWICS, or DoD SAFE-S — a separate classified system).

Limits You Need to Know in 2026

• Max package size: 8 GB total (across all files in one drop).
• Max recipients per package: 25 email addresses.
• File retention: 7 days, then automatic, unrecoverable deletion.
• Authentication: CAC required for senders; ECA (External Certification Authority) PKI certs also accepted.
• No CAC? Receive a drop-off request from a CAC holder and upload through that one-time link.

How to Send a Package (CAC Holders)

1. 1Navigate to https://safe.apps.mil and select your CAC certificate.
2. 2Click 'Drop-off' and enter recipient email addresses (.mil, .gov, or .com all work).
3. 3Drag your files into the upload area (max 8 GB total).
4. 4Add a note, set the expiration (1–7 days), and check 'Encrypt every file' for an extra password layer.
5. 5Click 'Drop-off Files'. Recipients get a notification email with a one-time download link.

How Civilian Contractors Receive Files (No CAC)

If you're a defense contractor without a CAC and need to receive files, you don't need an account at all — your government POC drops off the package and you get an email with a download link. The link works once, expires in 7 days, and requires the recipient email to match.

How to Request a Pickup (No-CAC Contractors Sending In)

Sending files INTO the .mil network without a CAC requires a 'pickup' authorization. Your government sponsor logs into SAFE, creates a 'Request a Pickup' link, and emails it to you. You then upload through that one-time link — the file lands in their SAFE inbox and they retrieve it.

What You Can and Can't Send

• ✅ Allowed: CUI, FOUO, ITAR/EAR technical data (with proper marking), engineering drawings, contract deliverables, large datasets, software builds.
• ❌ Not allowed: Classified information at any level, child sexual abuse material, malware samples without prior coordination, personal/non-government files.

DoD SAFE vs. Commercial Alternatives

DoD SAFE is free, government-owned, and DISA-operated — which makes it the default for contract deliverables and any data the government wants to keep inside its trust boundary. Commercial alternatives (Egnyte Government Cloud, Box for Government, Microsoft GCC High) are appropriate for ongoing collaboration but require contracts, FedRAMP authorization paperwork, and CMMC alignment if you handle CUI.

Cybrvault's CMMC & CUI Handling Support

Cybrvault helps Miami-area DoD contractors stand up compliant CUI workflows: CMMC Level 1 and Level 2 readiness assessments, GCC High tenant configuration, SAFE-vs-Egnyte decision support, and incident response when a CUI-mishandling event triggers DFARS 252.204-7012 reporting. Read more in our CMMC Level 1 requirements guide and NIST 800-171 checklist.