This question was posed on a Cyber Security call. My initial reaction is that while there are FISMA and FedRAMP compliance rules, I think the true measure and thing to look for is how well the user (non-tech staff) understands and feels in control of permissions and the ability to control ROT (Redundant, Out-of-Date and Trivial) content.
Other ways to evaluate vendors?
Compliance and record retention practices to note?