Introduction
The Cybersecurity Maturity Model Certification (CMMC) 2.0 program is now in active implementation. For defense contractors hosting Controlled Unclassified Information (CUI), your cloud environment is not just infrastructure; it is part of your assessment boundary. Assessors will scrutinize how your hosting environment protects CUI across all 14 NIST SP 800-171 control families, and they will expect you to show which of those controls you inherit from the cloud provider (per its customer responsibility matrix) and which you implement yourself.
This guide translates CMMC Level 2 requirements into concrete cloud architecture decisions.
Understanding the Scope
CMMC Level 2 requires implementation of all 110 security requirements from NIST SP 800-171 Rev 2. Rev 3 was published in May 2024 with 97 requirements, but the CMMC program rule (32 CFR Part 170) points to Rev 2, so assessments continue to use Rev 2 until DoD says otherwise. Your cloud environment must address these requirements wherever CUI is stored, processed, or transmitted.
Scope definition is critical. A well-architected cloud environment isolates CUI workloads into a defined enclave, reducing the number of systems subject to assessment. The DoD CMMC Level 2 Scoping Guide's asset categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, Out-of-Scope Assets) are the vocabulary assessors will use, so document every account, subnet, and service in the enclave under one of them. Resist the temptation to run CUI and non-CUI workloads in the same accounts or subscriptions; a shared account drags every workload in it into scope.
FedRAMP as Your Foundation
CMMC assessors expect CUI to reside in cloud environments that meet the FedRAMP Moderate baseline (at minimum) or FedRAMP High. This is not optional: DFARS 252.204-7012 already requires external cloud service providers that handle covered defense information to meet FedRAMP Moderate "or equivalent," the CMMC rule carries the same requirement, and DoD's December 2023 equivalency memo defines "equivalent" narrowly (a full FedRAMP Moderate body of evidence assessed by a 3PAO, not a self-attestation).
Practical implications:
- AWS: Use GovCloud (US) regions for CUI workloads. Commercial US regions hold FedRAMP Moderate, but GovCloud is FedRAMP High and is the usual choice when the CUI is also export-controlled (ITAR)
- Azure: Use Azure Government (GCC High for Microsoft 365 when it touches CUI)
- Google Cloud: Use Assured Workloads with the IL4 control package
- Other CSPs: Verify the FedRAMP Moderate (or higher) authorization on the FedRAMP Marketplace, or obtain the 3PAO-assessed body of evidence the equivalency memo requires, and keep the CSP's customer responsibility matrix as assessment evidence
Encryption Requirements
CMMC requires encryption of CUI at rest and in transit using FIPS 140-2 validated cryptographic modules (practice SC.L2-3.13.11). FIPS 140-2 certificates remain valid until September 2026; new validations are issued under FIPS 140-3. "Validated" means a module with a CMVP certificate, not a library that merely implements FIPS-approved algorithms, so record the certificate numbers for every module in your System Security Plan. On AWS this also means using the FIPS service endpoints (set AWS_USE_FIPS_ENDPOINT=true for the SDKs and CLI) so that TLS to the service terminates on a validated module.
At Rest
- Enable default encryption on all storage services (S3, EBS, RDS, Azure Blob, Azure Managed Disks) and make the default KMS-backed, not the provider's free SSE-S3-style option
- Use customer-managed keys (CMK) through AWS KMS or Azure Key Vault rather than service-managed keys. The control does not strictly require a CMK, but a CMK gives you the key policy, the rotation record, and the CloudTrail/Key Vault usage log that assessors ask for
- Ensure the key management service itself is backed by FIPS 140-2 or 140-3 validated HSMs, and cite the CMVP certificate number rather than the marketing page
- Document key rotation policies (annual rotation at minimum). AWS KMS automatic rotation defaults to yearly; Azure Key Vault supports an explicit rotation policy on each key
In Transit
- Enforce TLS 1.2 or higher on all endpoints
- Disable older TLS versions and weak cipher suites (no RC4, 3DES, or CBC-mode suites with SHA-1)
- Use VPC/VNet endpoints for service-to-service communication to keep traffic off the public internet
- Configure Application Load Balancers with security policies that enforce FIPS-compliant cipher suites (on AWS, the ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 family); pin the policy name in your infrastructure code so drift is visible
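The at-rest and in-transit items above, as one Terraform configuration for an AWS GovCloud enclave. This is an added example, not code from the original article or from any cloud provider. The key alias and bucket name are placeholders, and `aws_lb.app`, `aws_lb_target_group.app`, and `var.cert_arn` are assumed to be defined elsewhere in the same module.

```hcl
provider "aws" {
  region = "us-gov-west-1" # FedRAMP High region; ARNs use the aws-us-gov partition
}

# Customer-managed key with automatic rotation (defaults to every 365 days).
# Confirm the CMVP certificate for AWS KMS in this region before citing it in the SSP.
resource "aws_kms_key" "cui_data" {
  description             = "CMK for CUI data at rest"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "cui_data" {
  name          = "alias/cui-data-key" # placeholder alias
  target_key_id = aws_kms_key.cui_data.key_id
}

resource "aws_s3_bucket" "cui" {
  bucket = "cui-enclave-bucket-example" # placeholder; bucket names are global
}

# Default encryption: SSE-KMS with the CMK, never SSE-S3 or the AWS-managed key.
resource "aws_s3_bucket_server_side_encryption_configuration" "cui" {
  bucket = aws_s3_bucket.cui.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.cui_data.arn
    }
    bucket_key_enabled = true # fewer KMS calls; same key, same evidence trail
  }
}

resource "aws_s3_bucket_public_access_block" "cui" {
  bucket                  = aws_s3_bucket.cui.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Bucket policy: refuse any request that did not arrive over TLS. This covers
# direct object access; application traffic is covered by the listener below.
data "aws_iam_policy_document" "cui_bucket" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.cui.arn, "${aws_s3_bucket.cui.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "cui" {
  bucket = aws_s3_bucket.cui.id
  policy = data.aws_iam_policy_document.cui_bucket.json
}

# In transit at the application edge: an HTTPS listener pinned to one of the
# ALB FIPS security policies (TLS 1.2 and 1.3 only, FIPS-approved cipher suites).
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn # assumed: ALB defined elsewhere in the module
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04"
  certificate_arn   = var.cert_arn # assumed: ACM certificate ARN

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn # assumed: defined elsewhere
  }
}
```

The `aws:SecureTransport` deny is the same condition the AWS Config managed rule S3_BUCKET_SSL_REQUESTS_ONLY looks for, so the preventive control and the detective control produce matching evidence. Azure equivalents are a Key Vault key with a rotation policy, storage-account encryption scoped to that key, and `minimumTlsVersion` set to TLS1_2 on the storage account and Application Gateway listener.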
Access Control Architecture
Access control spans several CMMC domains, chiefly AC (Access Control) and IA (Identification and Authentication); PE (Physical Protection) for the data center itself is largely inherited from the CSP's FedRAMP authorization, and your responsibility matrix should say so. Your cloud environment must implement:
Multi-factor authentication for all user access to the cloud console, CLI, and APIs. Practice IA.L2-3.5.3 requires MFA for privileged accounts (local and network access) and for all network access to non-privileged accounts. Hardware authenticators (FIDO2) are preferred; NIST SP 800-63B classes SMS and voice OTP as restricted, so do not rely on them in a CUI environment.
Least privilege access using role-based access control. Define roles aligned to job functions, not individuals, assign them to groups rather than users, and audit role assignments at least quarterly.
Privileged access management for administrator accounts. Use just-in-time elevation (the Temporary Elevated Access Management solution for AWS IAM Identity Center, Azure PIM) rather than persistent admin privileges, and keep any break-glass IAM accounts to a documented minimum.
Session controls including automatic session termination (AC.L2-3.1.11), session locking after inactivity (AC.L2-3.1.10), and concurrent session limits where the platform supports them.
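A least-privilege, group-assigned, time-limited role for CUI analysts in AWS IAM Identity Center, as an added example (not code from the original article or from AWS). The variables, the `CUI-Analysts` group name, and the `CUIAnalyst` permission set name are assumptions. The MFA requirement itself (FIDO2 allowed, SMS not) is set in Identity Center's authentication settings or in your external identity provider, not on the permission set, so it does not appear here.

```hcl
data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# Role aligned to a job function, not a person. Credentials expire after one hour
# (ISO 8601 duration), which is the evidence for session termination.
resource "aws_ssoadmin_permission_set" "cui_analyst" {
  name             = "CUIAnalyst" # assumed name
  instance_arn     = local.sso_instance_arn
  session_duration = "PT1H"
}

# Least privilege: object read/write and listing in the CUI bucket only, and only
# when the request arrives through the enclave's S3 VPC endpoint.
data "aws_iam_policy_document" "cui_analyst" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = [var.cui_bucket_arn, "${var.cui_bucket_arn}/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceVpce"
      values   = [var.cui_s3_vpce_id]
    }
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "cui_analyst" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.cui_analyst.arn
  inline_policy      = data.aws_iam_policy_document.cui_analyst.json
}

# Assign the role to a group from the identity store, never to individual users,
# so the quarterly access review is a review of group membership.
data "aws_identitystore_group" "cui_analysts" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "CUI-Analysts" # assumed group name
    }
  }
}

resource "aws_ssoadmin_account_assignment" "cui_analysts" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.cui_analyst.arn
  principal_id       = data.aws_identitystore_group.cui_analysts.group_id
  principal_type     = "GROUP"
  target_id          = var.cui_account_id
  target_type        = "AWS_ACCOUNT"
}

variable "cui_bucket_arn" { type = string } # assumed: the CUI bucket
variable "cui_s3_vpce_id" { type = string } # assumed: the enclave's S3 gateway endpoint ID
variable "cui_account_id" { type = string } # assumed: the CUI enclave account
```

The `aws:SourceVpce` condition means this role cannot browse the CUI bucket from the console or from a laptop, only from workloads inside the enclave; that is the intended behavior, and the deny shows up in CloudTrail as an AccessDenied on the bucket if someone tries. One caveat for break-glass IAM users: the `aws:MultiFactorAuthPresent` condition key is populated for IAM-user sessions but not for federated Identity Center sessions, so an IAM policy that denies actions without that key is only a useful second layer on the break-glass accounts.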
Logging and Monitoring
CMMC requires comprehensive audit logging (AU.L2-3.3.1 and the rest of the AU family) and continuous monitoring. Your cloud environment must capture:
- All API calls (CloudTrail with log file validation enabled, Azure Activity Log)
- All authentication events (success and failure), including federated sign-ins at the identity provider
- All access to CUI data stores at the object level (CloudTrail S3 data events, Azure Storage diagnostic logs), not just management-plane changes
- Network flow logs (VPC Flow Logs, NSG Flow Logs)
- DNS query logs for threat detection (Route 53 Resolver query logging, Azure DNS analytics)
Deploy a SIEM or equivalent analysis platform that correlates these sources and generates alerts for suspicious activity, and retain the logs for the period your policy states (one year is the common choice). Microsoft Sentinel and third-party SIEMs fit this role directly; on AWS note that Security Hub aggregates findings but is not a log-correlation engine, so pair it with Amazon Security Lake, OpenSearch, or a third-party SIEM fed from CloudTrail and the flow logs.
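The API-call and data-access logging above, plus one detection built on it, as an added Terraform example (not code from the original article or from AWS). It assumes a CloudTrail-ready S3 bucket, an SNS topic the SOC watches, and a CMK whose key policy already lets `cloudtrail.amazonaws.com` and `logs.us-gov-west-1.amazonaws.com` use it; the variable and resource names are placeholders.

```hcl
# Log group receiving the trail, encrypted with the CUI CMK and kept for a year.
resource "aws_cloudwatch_log_group" "trail" {
  name              = "/cui/cloudtrail"
  retention_in_days = 365
  kms_key_id        = var.log_kms_key_arn
}

data "aws_iam_policy_document" "trail_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "trail_to_logs" {
  name               = "cui-cloudtrail-to-logs"
  assume_role_policy = data.aws_iam_policy_document.trail_assume.json
}

data "aws_iam_policy_document" "trail_to_logs" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.trail.arn}:*"]
  }
}

resource "aws_iam_role_policy" "trail_to_logs" {
  role   = aws_iam_role.trail_to_logs.id
  policy = data.aws_iam_policy_document.trail_to_logs.json
}

# Multi-region API history plus object-level data events on the CUI bucket.
# Log file validation produces the digest chain that shows logs were not altered.
resource "aws_cloudtrail" "cui" {
  name                       = "cui-enclave-trail"
  s3_bucket_name             = var.trail_bucket # assumed: bucket with a CloudTrail policy
  is_multi_region_trail      = true
  enable_log_file_validation = true
  kms_key_id                 = var.log_kms_key_arn
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.trail.arn}:*"
  cloud_watch_logs_role_arn  = aws_iam_role.trail_to_logs.arn

  event_selector {
    read_write_type           = "All"
    include_management_events = true
    data_resource {
      type   = "AWS::S3::Object"
      values = ["${var.cui_bucket_arn}/"] # every object in the CUI bucket
    }
  }
}

# Detection: a console sign-in by an IAM user that did not use MFA. This is the
# CIS AWS Foundations Benchmark pattern restricted to IAMUser, because federated
# Identity Center sign-ins report MFAUsed as "No" (their MFA happens at the IdP).
resource "aws_cloudwatch_log_metric_filter" "console_login_no_mfa" {
  name           = "ConsoleLoginWithoutMFA"
  log_group_name = aws_cloudwatch_log_group.trail.name
  pattern        = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") }"

  metric_transformation {
    name      = "ConsoleLoginWithoutMFA"
    namespace = "CUI/Security"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "console_login_no_mfa" {
  alarm_name          = "ConsoleLoginWithoutMFA"
  namespace           = "CUI/Security"
  metric_name         = "ConsoleLoginWithoutMFA"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [var.security_topic_arn] # assumed: SNS topic watched by the SOC
}

variable "log_kms_key_arn"    { type = string } # assumed: CMK usable by CloudTrail and CloudWatch Logs
variable "trail_bucket"       { type = string } # assumed: CloudTrail delivery bucket
variable "cui_bucket_arn"     { type = string } # assumed: the CUI bucket
variable "security_topic_arn" { type = string } # assumed: alerting topic
```

Validate the digest chain periodically with `aws cloudtrail validate-logs` and keep the output as evidence; an assessor asking "how do you know the logs were not tampered with" is asking for exactly that. The same metric-filter approach works for root account use, IAM policy changes, and CloudTrail configuration changes, which are the other CIS sign-in and change alarms.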
Network Segmentation
Isolate your CUI enclave with defense-in-depth network controls:
- Dedicated VPC/VNet for CUI workloads, separate from corporate IT
- Security groups that allow only the specific sources and ports each tier needs (no 0.0.0.0/0 inbound, no unrestricted egress), and network ACLs as a coarse second layer; note that a new security group denies all inbound by default, but a new network ACL allows everything, so the NACL has to be written down explicitly
- Web Application Firewall (WAF) on all public-facing endpoints
- Private subnets for databases and application tiers
- No direct internet access for CUI compute instances; route through NAT gateways and proxies with content inspection
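The application-tier rules and the "keep CUI traffic off the internet" point above, as an added Terraform example (not code from the original article or from AWS). It assumes an existing VPC with private route tables and a load balancer security group, all passed in as variables with assumed names, in the us-gov-west-1 region.

```hcl
# Gateway endpoint so instances reach S3 without a NAT gateway or public route.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.cui_vpc_id
  service_name      = "com.amazonaws.us-gov-west-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
  policy            = data.aws_iam_policy_document.s3_endpoint.json
}

# Endpoint policy: only the CUI bucket is reachable through this endpoint. This
# closes the "copy the data to an attacker-owned bucket" exfiltration path, which
# a security group alone cannot block because all S3 traffic shares the same IPs.
data "aws_iam_policy_document" "s3_endpoint" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = [var.cui_bucket_arn, "${var.cui_bucket_arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}

# Application tier security group. Terraform removes the AWS default allow-all
# egress rule on creation, so nothing is reachable until a rule below says so.
resource "aws_security_group" "cui_app" {
  name        = "cui-app"
  description = "CUI application tier: inbound from the ALB only, egress to S3 only"
  vpc_id      = var.cui_vpc_id
}

# Inbound: HTTPS from the load balancer's security group, not from any CIDR.
resource "aws_vpc_security_group_ingress_rule" "from_alb" {
  security_group_id            = aws_security_group.cui_app.id
  referenced_security_group_id = var.alb_sg_id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

# Outbound: HTTPS to the S3 gateway endpoint's prefix list and nothing else.
resource "aws_vpc_security_group_egress_rule" "to_s3" {
  security_group_id = aws_security_group.cui_app.id
  prefix_list_id    = aws_vpc_endpoint.s3.prefix_list_id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

variable "cui_vpc_id"              { type = string }       # assumed: enclave VPC
variable "private_route_table_ids" { type = list(string) } # assumed: private subnets' route tables
variable "cui_bucket_arn"          { type = string }       # assumed: the CUI bucket
variable "alb_sg_id"               { type = string }       # assumed: ALB security group
```

Two practical consequences to plan for: Systems Manager, CloudWatch, and KMS calls from these instances also need interface endpoints (and a matching egress rule to the endpoints' security group), and an S3 endpoint policy this tight also blocks the AWS-hosted package repositories, so patching has to come through an internal mirror or a separate, inspected egress path.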
Incident Response in the Cloud
Your cloud architecture must support the CMMC incident response requirements:
- Pre-staged forensic analysis tools (AMIs/VM images with forensic toolkits)
- Automated snapshot capabilities for evidence preservation
- Isolation procedures to quarantine compromised instances without destroying evidence: swap the instance into a pre-created quarantine security group with no ingress or egress, snapshot its volumes and capture memory before any reboot, and revoke its instance role's sessions rather than terminating the instance
- Documented playbooks for cloud-specific incidents (credential compromise, data exfiltration, resource hijacking)
Configuration Management
Maintain baseline configurations for all cloud resources and detect drift:
- AWS Config rules or Azure Policy to enforce configuration standards
- Infrastructure as Code (Terraform, CloudFormation) with version-controlled templates
- Automated remediation for common misconfigurations (public S3 buckets, unencrypted volumes)
- Golden AMIs/VM images hardened to CIS benchmarks
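The drift detection and automated remediation items above, as an added Terraform example using AWS Config managed rules (not code from the original article or from AWS). It assumes a configuration recorder and delivery channel already exist in the account, and that `var.remediation_role_arn` is a role trusted by Systems Manager with permission to change bucket public-access settings; rule names and variables are placeholders.

```hcl
# Every bucket's default encryption must be SSE-KMS with the CUI key
# (flags SSE-S3 defaults and buckets pointed at some other key).
resource "aws_config_config_rule" "s3_kms_default" {
  name = "cui-s3-default-encryption-kms"
  source {
    owner             = "AWS"
    source_identifier = "S3_DEFAULT_ENCRYPTION_KMS"
  }
  input_parameters = jsonencode({ kmsKeyArns = var.cui_kms_key_arn })
}

# Every attached EBS volume must be encrypted, and with the CUI key.
resource "aws_config_config_rule" "ebs_encrypted" {
  name = "cui-ebs-volumes-encrypted"
  source {
    owner             = "AWS"
    source_identifier = "ENCRYPTED_VOLUMES"
  }
  input_parameters = jsonencode({ kmsId = var.cui_kms_key_arn })
}

# No bucket may grant public read access.
resource "aws_config_config_rule" "s3_public_read" {
  name = "cui-s3-public-read-prohibited"
  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }
}

# Auto-remediation: a NON_COMPLIANT evaluation of the rule above runs the
# AWS-managed Systems Manager automation that removes public read/write access
# from the offending bucket. Config records the remediation as evidence.
resource "aws_config_remediation_configuration" "s3_public_read" {
  config_rule_name           = aws_config_config_rule.s3_public_read.name
  target_type                = "SSM_DOCUMENT"
  target_id                  = "AWS-DisableS3BucketPublicReadWrite"
  target_version             = "1"
  automatic                  = true
  maximum_automatic_attempts = 3
  retry_attempt_seconds      = 60

  parameter {
    name         = "AutomationAssumeRole"
    static_value = var.remediation_role_arn # assumed: role trusted by ssm.amazonaws.com
  }
  parameter {
    name           = "S3BucketName"
    resource_value = "RESOURCE_ID" # the non-compliant bucket's name, filled in by Config
  }
}

variable "cui_kms_key_arn"      { type = string } # assumed: the CUI CMK
variable "remediation_role_arn" { type = string } # assumed: automation role
```

Keep the encryption rules detective only: an automation that re-encrypts volumes or rewrites bucket defaults can destroy data or break running workloads, so those findings should open a ticket. The public-access case is safe to fix automatically because the correct end state (not public) is unambiguous.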
Preparing for Assessment
Before your CMMC Level 2 assessment, ensure you can demonstrate:
Conclusion
CMMC 2.0 compliance in the cloud is achievable, but it demands intentional architecture. Start with a FedRAMP-authorized foundation, build a well-scoped CUI enclave, and implement controls that you can demonstrate to assessors with evidence. The investment in getting your cloud environment right pays dividends beyond compliance; it genuinely protects the sensitive data your agency customers trust you with.
EaseOrigin Team
The EaseOrigin editorial team shares insights on federal IT modernization, cloud strategy, cybersecurity, and program delivery drawn from real-world project experience.