Cloud Security for CMMC: What the Rules Actually Require
Best practices for cloud security compliance to safeguard your data in virtual environments.
---
The cloud rule for CMMC is specific: any cloud service that processes, stores, or transmits CUI must meet NIST SP 800-171 equivalent security requirements. For most cloud services, that means FedRAMP authorization at the Moderate or High baseline.
This is where a lot of contractors have a problem, because the cloud services they've been using for years — commercial Microsoft 365, standard Google Workspace, consumer Dropbox or Box — don't meet the bar. Switching to compliant equivalents takes time, costs more, and changes how your team works.
Here's what the rules actually require, what counts as compliant, and the decisions you need to make.
The Legal Hook: DFARS and 48 CFR 252.204-7012
The cloud requirement for CUI flows from DFARS clause 252.204-7012, which requires that cloud services used for covered defense information (CDI, which includes CUI) meet the security requirements equivalent to FedRAMP Moderate. CMMC Level 2 builds on top of this — it adds assessment requirements on top of the contractor obligation, but the underlying cloud rule was already there.
What "equivalent to FedRAMP Moderate" means: the cloud provider must implement all 325 security controls in NIST SP 800-53 Revision 5 at the Moderate baseline, have those controls independently assessed by a Third-Party Assessment Organization (3PAO), and maintain a current Authorization to Operate (ATO).
For CMMC, the practical test is whether the cloud service is on the FedRAMP Marketplace (marketplace.fedramp.gov) with an authorization status of "Authorized." A cloud service that is FedRAMP "In Process" does not meet the requirement yet.
Which Cloud Services Are Actually Authorized
Microsoft 365 GCC High — FedRAMP High authorized. Designed specifically for defense contractors and federal agencies. Includes Exchange Online, SharePoint, Teams, OneDrive, and most Office 365 services. Tenant data is stored in US data centers, access is restricted to US persons, and the service meets both ITAR and CMMC requirements. Pricing: $35–$57 per user per month depending on the E1/E3/E5 licensing tier.
Microsoft Azure Government — FedRAMP High authorized. The IaaS/PaaS layer for organizations building custom applications or infrastructure in the cloud. Includes most Azure services configured for government use.
AWS GovCloud (US) — FedRAMP High authorized. Amazon's isolated cloud region for government workloads. Running CUI workloads on AWS GovCloud instead of standard AWS commercial regions carries roughly a 20% price premium but meets the requirement. Most standard AWS services are available.
Google Workspace for Government — FedRAMP Moderate authorized for Google Workspace Government plans. Covers Gmail, Drive, Docs, Sheets, Meet, and related services. Not FedRAMP High, which matters if you're working on contracts that require High-baseline protection.
Box for Government — FedRAMP Moderate authorized. Covers file storage and collaboration. Common in organizations that need cloud file storage without moving fully to Microsoft's ecosystem.
The thing to check: FedRAMP authorization status changes. Authorization can lapse if a provider fails their continuous monitoring obligations. Verify authorization status at marketplace.fedramp.gov before committing to a provider, and check again if there's been a gap since your last review.
The Commercial Microsoft 365 Problem
This is the most common cloud compliance failure in CMMC assessments: the organization is using standard Microsoft 365 (commercial, not GCC High) for email, file storage, and collaboration — and CUI flows through all of it.
Standard Microsoft 365 is not FedRAMP authorized at any level for government use. It stores data in Microsoft's commercial data centers, doesn't restrict access to US persons, and doesn't meet the DFARS 252.204-7012 requirements for covered defense information.
The fix is migrating to Microsoft 365 GCC High. The technical migration is well-documented by Microsoft, but it's not a one-day project. Plan for 60–120 days to migrate email, SharePoint sites, and Teams data depending on your data volume and how many custom configurations you have. Start this early — it's often the longest-lead item in a CMMC preparation program.
The common mistake at this stage: migrating to Microsoft 365 Government (GCC), not GCC High. Microsoft sells two government tiers: GCC (FedRAMP Moderate) and GCC High (FedRAMP High). For CMMC, GCC High is the standard. GCC may be sufficient for some contracts, but if your assessor expects FedRAMP High equivalence, GCC doesn't meet it.
IaaS/PaaS Cloud: Your Responsibility Doesn't Stop at the Provider
For cloud infrastructure (Azure Government, AWS GovCloud), FedRAMP authorization covers the underlying infrastructure — physical security, hypervisor security, network isolation, and the provider's operational controls. It does not cover:
- Your tenant configuration
- Your applications running on the infrastructure
- Your data handling procedures
- Your user access policies
- Your logging and monitoring configuration
This is the shared responsibility model, and it's where contractors make configuration-level mistakes that undermine the FedRAMP protection they're paying for.
For CUI workloads on Azure Government or AWS GovCloud, you are responsible for:
Access control (AC.L2-3.1.20): Verify that external CUI connections use managed access points. This means routing all cloud access through your controlled environment, not allowing users to access cloud CUI resources directly from unmanaged personal devices or home networks without VPN.
Audit logging (AU.L2-3.3.1): Enable logging for all CUI-related cloud resources. In Azure, that means enabling Azure Monitor and Diagnostic Settings for every resource touching CUI. In AWS, CloudTrail must be enabled for all regions where CUI workloads run. Logs must be retained for at least one year, with three months immediately accessible.
Network controls (SC.L2-3.13.6): Deny network communications traffic by default, allow by exception. In Azure, this means configuring Network Security Groups (NSGs) to default-deny and explicitly permitting only required traffic. In AWS, configure Security Groups and Network ACLs the same way.
Vulnerability management (SI.L2-3.14.2, RA.L2-3.11.2): Scan your cloud-hosted systems for vulnerabilities just as you would on-premises systems. Cloud-native tools (AWS Inspector, Microsoft Defender for Cloud) or third-party scanners (Tenable, Qualys) both work. Schedule scans and document remediation timelines.
Configuration management (CM.L2-3.4.1): Define baseline configurations for your cloud resources and enforce them through infrastructure-as-code or cloud policy tools (Azure Policy, AWS Config). Drift from baseline should trigger alerts.
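The five tenant-side responsibilities above are the kind of thing a practitioner would script as a recurring baseline check rather than verify by hand before each assessment. The following is an added example, not code from the original article or from any cloud provider: it evaluates a constructed, simplified export of one CUI environment and tags each finding with the CMMC practice it relates to. The VPN range in MANAGED_SOURCES and the template names are assumptions.

```python
# Added example (not from the original article): baseline checks for a CUI
# IaaS environment, each finding tagged with the CMMC practice it relates to.
# The input is a constructed, simplified export of one environment, not real data.
SAMPLE_ENV = {
    "trails": [{"name": "cui-trail", "multi_region": False, "retention_days": 90}],
    "inbound_rules": [  # NSG / security-group style rules, evaluated in order
        {"name": "https-from-vpn", "action": "allow", "source": "10.20.0.0/16", "port": "443"},
        {"name": "rdp-from-any", "action": "allow", "source": "0.0.0.0/0", "port": "3389"},
        {"name": "catch-all", "action": "deny", "source": "0.0.0.0/0", "port": "*"},
    ],
    "baseline_template": "cui-enclave-v3",   # approved baseline (hypothetical name)
    "deployed_template": "cui-enclave-v4",   # what is actually deployed
}
# Hypothetical managed access point (AC.L2-3.1.20): the VPN egress range.
MANAGED_SOURCES = {"10.20.0.0/16"}

def check_audit_logging(env):
    """AU.L2-3.3.1: trail covers all regions and retains logs for a year."""
    findings = []
    for t in env["trails"]:
        if not t["multi_region"]:
            findings.append(("AU.L2-3.3.1", t["name"], "trail is not multi-region"))
        if t["retention_days"] < 365:
            findings.append(("AU.L2-3.3.1", t["name"], f"retention {t['retention_days']}d < 365d"))
    return findings

def check_network(env):
    """SC.L2-3.13.6: deny by default; AC.L2-3.1.20: allow inbound only from managed sources."""
    findings = []
    rules = env["inbound_rules"]
    if not (rules and rules[-1]["action"] == "deny" and rules[-1]["source"] == "0.0.0.0/0"
            and rules[-1]["port"] == "*"):
        findings.append(("SC.L2-3.13.6", "inbound", "last rule is not a catch-all deny"))
    for r in rules:
        if r["action"] == "allow" and r["source"] not in MANAGED_SOURCES:
            findings.append(("AC.L2-3.1.20", r["name"], f"allows {r['source']} to port {r['port']}"))
    return findings

def check_drift(env):
    """CM.L2-3.4.1: deployed configuration must match the approved baseline."""
    if env["deployed_template"] != env["baseline_template"]:
        return [("CM.L2-3.4.1", "enclave", f"deployed {env['deployed_template']} != baseline {env['baseline_template']}")]
    return []

def run_checks(env):
    """Return all findings as (control, resource, detail); empty means the baseline is met."""
    return check_audit_logging(env) + check_network(env) + check_drift(env)
```

Running `run_checks(SAMPLE_ENV)` on the constructed environment yields four findings: two logging gaps, the RDP rule open to the internet, and template drift; the catch-all deny rule passes the SC check.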
SaaS Cloud: Less Flexibility, Fewer Controls
When you use a SaaS application like Microsoft 365 GCC High or Box for Government, you're operating within what the provider has built. You can't configure the underlying infrastructure. Your controls are limited to:
- Who gets access and how they authenticate
- Which features are enabled or disabled
- How data is organized and who can share it externally
- What audit logs you retain and export
For a SaaS application to be CMMC-compliant, you need to:
- Verify it's on the FedRAMP Marketplace with Authorized status
- Configure it according to your access control requirements (MFA, least privilege, conditional access)
- Enable and retain audit logging
- Understand and document the data residency guarantees — where your data is stored geographically
- Verify external sharing settings are restricted appropriately for CUI
One decision point that trips people up: which FedRAMP baseline do you need? The DFARS baseline requirement is Moderate. But some contracts or program office requirements specify High. If you're not sure, check your contract's CUI Protection Requirements or ask your contracting officer. Using a Moderate-authorized service when your contract requires High is a compliance gap.
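The two checks the article spells out, "Authorized" rather than "In Process" on the Marketplace, and an authorization level at or above the baseline the contract requires, are easy to encode so they run against your whole inventory at once. The following is an added example, not code from the original article; the marketplace snapshot and the inventory are constructed sample data, and real status must be confirmed at marketplace.fedramp.gov.

```python
# Added example (not from the original article): cross-check a cloud service
# inventory against FedRAMP Marketplace status and the baseline a contract requires.
# Both tables below are constructed sample data; verify real status at marketplace.fedramp.gov.
BASELINE_RANK = {"Low": 1, "Moderate": 2, "High": 3}

# Constructed marketplace snapshot: service -> (authorization status, impact level).
MARKETPLACE = {
    "Microsoft 365 GCC High": ("Authorized", "High"),
    "Google Workspace for Government": ("Authorized", "Moderate"),
    "Example File Sync (hypothetical)": ("In Process", "Moderate"),
}

# Constructed inventory: services the team uses and whether CUI touches them.
INVENTORY = [
    {"service": "Microsoft 365 GCC High", "handles_cui": True},
    {"service": "Google Workspace for Government", "handles_cui": True},
    {"service": "Example File Sync (hypothetical)", "handles_cui": True},
    {"service": "Commercial Dropbox", "handles_cui": True},
    {"service": "Public website CMS", "handles_cui": False},
]

def evaluate_service(name, required_baseline, marketplace=MARKETPLACE):
    """Return None if the service meets the requirement, else the reason it does not."""
    entry = marketplace.get(name)
    if entry is None:
        return "not on the FedRAMP Marketplace"
    status, level = entry
    if status != "Authorized":
        return f"status is '{status}', not 'Authorized'"
    if BASELINE_RANK[level] < BASELINE_RANK[required_baseline]:
        return f"authorized at {level}, contract requires {required_baseline}"
    return None

def review_inventory(inventory, required_baseline, marketplace=MARKETPLACE):
    """Map each CUI-handling service that falls short to the reason; empty dict means no gaps."""
    gaps = {}
    for item in inventory:
        if not item["handles_cui"]:
            continue  # services that never touch CUI are outside this rule
        reason = evaluate_service(item["service"], required_baseline, marketplace)
        if reason:
            gaps[item["service"]] = reason
    return gaps
```

With the contract baseline set to "Moderate" the constructed inventory shows two gaps (the "In Process" service and the service absent from the Marketplace); raising the requirement to "High" adds the Moderate-authorized Workspace tenant as a third.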
External Service Providers: Don't Forget Your IT Vendors
Your cloud vendors aren't the only third parties that touch CUI. IT service providers — managed service providers, cloud consultants, support desk vendors — may access your CUI systems remotely for support or management. Under CMMC, these external service providers (ESPs) must be addressed in your SSP and must implement appropriate controls.
CA.L2-3.12.1 requires periodic assessment of controls. If your MSP has admin access to your enclave or cloud environment, they're effectively part of your security posture. You need to:
- Document their access and what systems they touch
- Require MFA for their remote access
- Restrict their access to the minimum needed for their function
- Review and terminate access when it's no longer needed
- Include your MSP's security practices in your assessment
This doesn't mean your MSP needs its own CMMC certification (though that's coming for some contract types). It means you need to understand what they can access and control it.
What Your Assessor Expects
For cloud assets, your assessor will want to see:
- A list of all cloud services that process, store, or transmit CUI, with FedRAMP authorization status for each
- Your tenant configuration settings, particularly for access control, MFA, and external sharing
- Evidence of audit logging — screenshots showing logging is enabled, plus sample log exports
- Network diagrams showing how your cloud environment connects to on-premises systems
- Your SSP sections describing cloud-specific control implementations
They will specifically check whether any CUI is flowing through unauthorized cloud services. Common findings include personal email accounts used for CUI, commercial OneDrive or Dropbox used for file sharing, and Zoom or Teams (commercial versions) used for meetings where CUI is discussed.
The assessor isn't trying to catch you using convenient tools. They're verifying that CUI is contained to environments that meet the security requirements. If you have clear documentation of what services CUI is allowed to flow through, and evidence that your people follow those policies, you're in a defensible position.
---
Moving CUI to the cloud? Start by inventorying every cloud service your team uses, then verify authorization status for each. The list is usually longer than you expect. Teams building software should also consider DevSecOps practices for defense contractors.