Encrypting CUI in Cloud Storage: What the Rules Require

Best practices for cloud storage encryption to safeguard sensitive information in defense contracts.

Cloud storage is convenient. CUI compliance in the cloud is more complicated than most organizations expect when they start. The rules don't just say "use encryption": they require FIPS-validated cryptography, and they constrain which cloud services you can use at all.

Here's the practical breakdown: what the rules require, which platforms meet them, how to configure encryption correctly, and where organizations consistently get it wrong.

The Core Requirement

Two controls do the work here. SC.L2-3.13.16 requires you to protect the confidentiality of CUI at rest, and SC.L2-3.13.11 requires that any cryptography used to protect the confidentiality of CUI be FIPS-validated. (SC.L2-3.13.8 is the companion control for CUI in transit.) For cloud storage, this means:

  1. The cloud service must encrypt CUI at rest with a FIPS 140-validated cryptographic module. The validation is of the module, not the algorithm: AES-256 in an unvalidated library does not count.
  2. You must be able to document which module it uses (the CMVP certificate number) and show that the service is operating it in FIPS mode.

This immediately creates a platform eligibility question. Not all cloud storage services are FIPS-validated, and not all are even permitted to hold CUI. DFARS 252.204-7012 requires that any external cloud service provider storing, processing, or transmitting covered defense information on your behalf meet security requirements equivalent to the FedRAMP Moderate baseline. Where the cloud service is acquired for DoD itself (DFARS 252.239-7010), the DoD Cloud Computing Security Requirements Guide (CC SRG) applies, and CUI requires Impact Level 4 or higher; IL2 covers only public or non-controlled information.

Which Cloud Platforms Can Store CUI

AWS GovCloud (US): FedRAMP High authorized. All S3, EBS, and RDS storage uses AES-256 encryption with FIPS-validated modules. AWS KMS in GovCloud uses FIPS 140-2 validated hardware security modules (HSMs). If you're building a CUI environment on AWS, GovCloud is the correct region. Note: GovCloud pricing is approximately 10–20% higher than commercial AWS regions for most services.

Microsoft Azure Government: FedRAMP High and DoD IL4/IL5 authorized. Azure Blob Storage, Azure Files, and Azure SQL in Government regions use AES-256 encryption with FIPS-validated implementations. Azure Key Vault in Government regions offers software-protected keys (validated only at FIPS 140-2 Level 1) and HSM-protected keys in the Premium tier (FIPS 140 Level 2 or higher); Azure Managed HSM provides Level 3. Check the current validation level in Microsoft's documentation before citing it in your SSP, because the certificates are periodically re-issued. Microsoft 365 Government Community Cloud High (GCC High) is the correct tier for CUI in Microsoft's suite.

Google Cloud: A broad set of GCP services holds FedRAMP High authorization, and Assured Workloads is Google's mechanism for pinning CUI to US regions with US-person support (it offers FedRAMP Moderate/High and IL4 control packages). GCP's encryption at rest uses AES-256 with FIPS-validated modules. Google Workspace (formerly G Suite) holds a FedRAMP High authorization and can host CUI at the appropriate tier if properly configured.

Commercial cloud regions (AWS us-east-1, Azure eastus, etc.): The commercial partitions of AWS and Azure do hold FedRAMP authorizations (AWS commercial at Moderate, Azure commercial at High), and they encrypt at rest with the same FIPS-validated modules. What they lack is the DoD IL4/IL5 provisional authorization and the US-only data residency and US-person support commitments that export-controlled CUI (ITAR/EAR) requires. The gap is in the authorization boundary and the data-handling terms, not the algorithm. For CMMC assessments, storing CUI in a commercial region without a documented analysis of which CUI categories you hold, a risk acceptance, and explicit compensating controls is a finding, and compensating controls rarely survive scrutiny when an authorized alternative exists.

The decision point: If your organization already pays for Microsoft 365 commercial licenses, migrating to GCC High is the most common path for small-to-mid contractors. Note that GCC High has no Business Premium tier; the entry point is Microsoft 365 E3 for GCC High, which runs roughly $50–$80/user/month compared to about $22/user/month for commercial M365 Business Premium, plus the one-time cost of the tenant migration itself. The increase is material for a small business, so factor it into your CMMC cost planning. The alternative (building compensating controls to store CUI in commercial regions) is usually more expensive and harder to defend during assessment.

Encryption Key Management: Your Most Important Decision

Encryption is only as strong as your key management. There are three approaches in cloud environments:

Provider-Managed Keys (Default)

AWS SSE-S3, Azure SSE with Microsoft-managed keys, GCP default encryption. The cloud provider creates, stores, and rotates the encryption keys. Your data is encrypted; you don't control the keys.

For CMMC, this is acceptable if you're using a FedRAMP-authorized service (AWS GovCloud, Azure Government). The encryption is FIPS-validated and the provider documents it. The limitation: the entire key hierarchy sits inside the provider's boundary. A provider compromise, a malicious insider, or legal process served on the provider can reach plaintext without any action on your side, and nothing in your own audit logs would show it. Major providers publish policies restricting such access, but those are policies, not technical controls.

Customer-Managed Keys (CMK)

AWS SSE-KMS with a Customer Managed Key in AWS KMS, Azure SSE with a Key Vault CMK, GCP CMEK. You create the master key in a key management service, and the cloud provider uses it to encrypt/decrypt your data. You control key rotation, key access, and key revocation. The key management service itself is FIPS-validated.

This gives you meaningful key control. You can cut off access to the data by disabling the key or removing principals from its key policy, rotate on your own schedule, and audit who used the key and when (in AWS, every KMS Decrypt call lands in CloudTrail with the calling principal). Two caveats practitioners learn the hard way: disabling a key makes every object encrypted under it unreadable immediately, including backups and replicas that share the key, and scheduling a KMS key for deletion is irreversible once the 7–30 day waiting period ends. Automatic rotation also keeps the old key material so existing ciphertext still decrypts; it does not re-encrypt stored data, so rotation limits the exposure of future key compromise, not past. The tradeoff: you now own the operational burden of key management. Back up the key (or its import material), don't lose it, rotate it on schedule, and manage access to it.

For organizations with specific compliance requirements around data sovereignty or key control, CMK is the right choice. For most small-to-mid defense contractors using GCC High or AWS GovCloud, provider-managed keys with documented FedRAMP authorization is a defensible position.

Customer-Provided Keys (Client-Side Encryption)

You encrypt the data before it leaves your environment, using a key you hold, and send only ciphertext to the cloud provider; the provider never sees plaintext. AWS supports this through the AWS Encryption SDK and the S3 Encryption Client; the Azure Blob Storage SDKs support client-side encryption. Don't confuse this with S3's SSE-C (server-side encryption with customer-provided keys): with SSE-C you hand the key to S3 on every request and S3 uses it in memory, so the provider still handles your key and it is not client-side encryption.

This is the most secure option (the provider literally can't read your data) but also the most operationally complex. Key management becomes entirely your responsibility, and anything the provider does with plaintext stops working: server-side search, previews, content-based DLP, and provider-side malware scanning all see only ciphertext. Not recommended unless you have a specific requirement that drives it.
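The three key-management models above differ in what a bucket's configuration actually says about who controls the key, and an assessor will ask you to prove it bucket by bucket. The script below is an added example, not code from the article or from AWS. It audits S3 default-encryption settings against a CUI policy: no encryption, SSE-S3 (provider-managed), SSE-KMS on the AWS-managed aws/s3 key, or SSE-KMS on a customer-managed key, and for the last case it checks that the key sits in the aws-us-gov partition, is enabled, is customer-managed, and has rotation on. It works on the response shapes that GetBucketEncryption, DescribeKey and GetKeyRotationStatus return, so it runs offline on the constructed samples (placeholder account ID and key IDs, not real resources); wiring it to boto3 is a straightforward substitution. The require_cmk flag is an assumed organizational policy choice, not a CMMC requirement.

```python
"""Offline audit of S3 default-encryption settings and the KMS keys behind them.

Added example, not from the article or from AWS. Operates on the JSON shapes
the AWS APIs return (GetBucketEncryption per bucket; DescribeKey().KeyMetadata
merged with GetKeyRotationStatus() per key) so it runs without credentials.
"""
import re
from dataclasses import dataclass

GOVCLOUD_PARTITION = "aws-us-gov"

# Full key ARN, e.g. arn:aws-us-gov:kms:us-gov-west-1:123456789012:key/<uuid>
KEY_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):kms:(?P<region>[^:]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]+)$"
)


@dataclass
class Finding:
    bucket: str
    severity: str  # HIGH or MEDIUM
    message: str


def check_key(bucket, key_ref, kms_keys):
    """Validate the CMK a bucket points at: partition, state, ownership, rotation."""
    findings = []
    m = KEY_ARN_RE.match(key_ref)
    if not m:
        # Aliases and bare key IDs are legal in the bucket config, but they hide partition/region.
        return [Finding(bucket, "HIGH",
                        f"key reference {key_ref!r} is not a full key ARN; resolve it before auditing")]
    if m["partition"] != GOVCLOUD_PARTITION:
        findings.append(Finding(bucket, "HIGH",
                                f"CMK is in partition {m['partition']!r}, not {GOVCLOUD_PARTITION}"))
    meta = kms_keys.get(key_ref)
    if meta is None:
        findings.append(Finding(bucket, "HIGH",
                                "no KMS metadata for key (deleted, cross-account, or not readable)"))
        return findings
    if meta.get("KeyState") != "Enabled":
        findings.append(Finding(bucket, "HIGH",
                                f"key state is {meta.get('KeyState')!r}; objects are unreadable until it is enabled"))
    if meta.get("KeyManager") != "CUSTOMER":
        findings.append(Finding(bucket, "MEDIUM",
                                "key is AWS-managed; the organization does not control its policy or rotation"))
    if not meta.get("KeyRotationEnabled", False):
        findings.append(Finding(bucket, "MEDIUM",
                                "automatic rotation is off; enable it or document a manual rotation schedule"))
    return findings


def audit_bucket(bucket, encryption_cfg, kms_keys, require_cmk=False):
    """Return findings for one bucket. require_cmk=True treats SSE-S3 as a gap (policy choice)."""
    rules = (encryption_cfg or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return [Finding(bucket, "HIGH", "no default encryption configured")]
    findings = []
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo == "AES256":  # SSE-S3: provider-managed keys
            if require_cmk:
                findings.append(Finding(bucket, "MEDIUM",
                                        "SSE-S3 (provider-managed key) but policy requires a customer-managed key"))
        elif algo == "aws:kms":  # SSE-KMS
            key_ref = default.get("KMSMasterKeyID")
            if key_ref is None:
                # No key named: S3 falls back to the AWS-managed aws/s3 key, which you cannot control.
                findings.append(Finding(bucket, "MEDIUM",
                                        "SSE-KMS with the AWS-managed aws/s3 key; no customer key control"))
            else:
                findings.extend(check_key(bucket, key_ref, kms_keys))
        else:
            findings.append(Finding(bucket, "HIGH", f"unexpected SSEAlgorithm {algo!r}"))
    return findings


def audit_all(buckets, kms_keys, require_cmk=False):
    """Map bucket name -> findings for every bucket in the inventory."""
    return {name: audit_bucket(name, cfg, kms_keys, require_cmk) for name, cfg in buckets.items()}


# --- constructed sample data: placeholder account ID and key IDs, not real resources ---
GOV_KEY = "arn:aws-us-gov:kms:us-gov-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
COMMERCIAL_KEY = "arn:aws:kms:us-east-1:123456789012:key/9876fedc-98fe-76dc-54ba-9876543210fe"


def sse(algo, key=None):
    """Build a GetBucketEncryption-shaped config for the samples."""
    default = {"SSEAlgorithm": algo}
    if key:
        default["KMSMasterKeyID"] = key
    return {"ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": default, "BucketKeyEnabled": True}]}}


SAMPLE_BUCKETS = {
    "cui-contract-docs": sse("aws:kms", GOV_KEY),         # what a CUI bucket should look like
    "legacy-share": sse("AES256"),                        # SSE-S3, provider-managed
    "misplaced-key": sse("aws:kms", COMMERCIAL_KEY),      # CMK in the commercial partition
    "scratch": None,  # GetBucketEncryption raised NotFound (only possible for pre-2023 buckets)
}
SAMPLE_KEYS = {
    GOV_KEY: {"KeyState": "Enabled", "KeyManager": "CUSTOMER", "KeyRotationEnabled": True},
    COMMERCIAL_KEY: {"KeyState": "Enabled", "KeyManager": "CUSTOMER", "KeyRotationEnabled": False},
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_BUCKETS, SAMPLE_KEYS, require_cmk=True).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

The partition check is the one most people forget: a bucket in GovCloud can be configured to point at a key ARN from the commercial partition, and the assessor will treat that as CUI key material outside the authorized boundary. The output of this audit, captured per bucket, is a reasonable substitute for the "configuration screenshots" evidence item later in this article.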

SharePoint and OneDrive: GCC High Is Not Optional for CUI

If your organization uses Microsoft 365 for document collaboration (SharePoint Online, OneDrive for Business), those services must be GCC High if CUI is stored there. Microsoft 365 GCC (FedRAMP High, DoD IL2) can satisfy the DFARS 252.204-7012 FedRAMP Moderate-equivalent requirement for CUI that carries no export-control marking, but it lacks the IL4/IL5 authorization and the US-person support and data-handling commitments that ITAR/EAR-controlled CUI requires; commercial M365 lacks both. Because most DoD contractors cannot guarantee that no export-controlled data will ever land in the environment, GCC High is the defensible default.

GCC High provides:

  • Data residency in US-only data centers
  • Tenant isolation from commercial M365 customers
  • FedRAMP High authorization and DoD IL4/IL5 provisional authorization
  • Support for ITAR and EAR data-handling requirements (US-persons-only operations staff) for applicable CUI categories

The configuration: once on GCC High, SharePoint Online encryption is managed by Microsoft with FIPS-validated modules. Enable sensitivity labels (Microsoft Purview Information Protection) to enforce CUI markings on documents and restrict access based on labels.

SC.L2-3.13.16: Protecting CUI at Rest in Cloud

SC.L2-3.13.16 requires protecting the confidentiality of CUI at rest on organizational systems, which includes cloud-hosted systems inside your assessment boundary. The assessor will want to see:

  1. Documentation that the cloud service is FedRAMP authorized (or why it's in scope without authorization)
  2. Encryption enabled for all storage services containing CUI
  3. If using CMK: documentation of key management procedures, access controls on the key, and rotation schedule
  4. Configuration screenshots showing encryption settings

Common Mistakes

Mistake 1: Storing CUI in personal cloud accounts. An employee who saves a CUI document to their personal Google Drive, iCloud, or Dropbox has violated AC.L2-3.1.20 (verify and control connections to and use of external systems) and SC.L2-3.13.11 (cryptography of unknown validation status is now protecting CUI). Your acceptable use policy must explicitly prohibit this, and technical controls should block unsanctioned cloud sync clients on CUI systems (application allow-listing, or web filtering of consumer storage domains). DLP (data loss prevention) policies in GCC High or similar can alert when CUI is sent outside the authorized environment.

Mistake 2: Assuming "encrypted in the cloud" means FIPS-validated. Consumer services such as standard Dropbox, Box outside its FedRAMP-authorized government offering, and consumer Google Drive do encrypt data, but not with FIPS-validated modules inside a FedRAMP-authorized boundary. The cipher may be the same AES-256; what's missing is the module validation and the authorization you need to document for CMMC.

Mistake 3: Migrating to GCC High but leaving CUI in commercial SharePoint during transition. The transition period is a common gap window. Treat the migration as a project with a hard cutover date, not a gradual drift. Before go-live on GCC High, audit commercial SharePoint for CUI content and migrate or delete it.

Mistake 4: Not documenting key management for CMK. If you're using AWS KMS or Azure Key Vault with customer-managed keys, your SSP must describe the key management process: who manages the keys, how access is restricted, how keys are backed up, what the rotation schedule is. An undocumented CMK setup during an assessment is treated as a gap even if the technical implementation is sound.

Mistake 5: Assuming every endpoint in an authorized region uses the FIPS module. Verify that your specific cloud region, service tier, and endpoint actually use FIPS-validated modules. Not all tiers qualify, and vendor documentation can be ambiguous about which endpoints use which cryptographic implementations. AWS, for example, publishes separate FIPS endpoints (the hostname carries a -fips label, such as s3-fips.us-gov-west-1.amazonaws.com), and clients only use them when told to: set use_fips_endpoint = true in the AWS CLI/SDK configuration or export AWS_USE_FIPS_ENDPOINT=true. Only the FIPS endpoints are documented as terminating TLS in a FIPS-validated module, so those are the ones you cite in your SSP.

What Your Assessor Expects

For cloud storage encryption, assessors will:

  • Ask which cloud services your organization uses to store or process CUI
  • Verify those services are FedRAMP authorized (they'll look up the authorization on fedramp.gov)
  • Request configuration screenshots showing encryption enabled on relevant storage services
  • If CMK: review key management documentation and access logs
  • Ask how you prevent employees from storing CUI in unauthorized services

Evidence to prepare:

  • FedRAMP authorization documentation for each cloud service used (link from fedramp.gov)
  • Cloud storage encryption configuration screenshots (e.g., S3 bucket encryption settings, Azure Blob encryption status)
  • Key management policy (if using CMK)
  • DLP or information protection policy showing CUI controls in your cloud environment
  • Documentation of what cloud services are specifically prohibited for CUI use

The FedRAMP marketplace (marketplace.fedramp.gov) shows authorization status for specific services. Pull the authorization package links for the services you use before the assessment. That five-minute step saves significant back-and-forth during the evidence review.

---

The broader encryption requirements for CUI at rest and in transit are covered in Does CUI Need to Be Encrypted?. For key management specifics, see PKI and Key Management for CMMC.