CMMC and Cloud Computing: FedRAMP, GCC High, and What You Actually Need

Cloud Computing and CMMC: Navigating the Requirements

Cloud computing has transformed how organizations operate, and defense contractors are no exception. From email and file storage to collaboration platforms and enterprise applications, cloud services are deeply embedded in modern business operations. However, when your organization handles Controlled Unclassified Information (CUI), the cloud environment you use must meet specific security requirements that go well beyond standard commercial cloud offerings.

The intersection of CMMC compliance and cloud computing is one of the most complex and frequently misunderstood aspects of the certification process. Defense contractors must understand the relationship between CMMC requirements, FedRAMP authorization levels, and the various cloud service offerings available to them. Making the wrong cloud choices can result in compliance gaps, assessment failures, and potentially the loss of defense contracts. This guide clarifies what you actually need and helps you make informed decisions about your cloud strategy.

Understanding FedRAMP and Its Role in CMMC

The Federal Risk and Authorization Management Program, commonly known as FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP establishes three impact levels — Low, Moderate, and High — each with increasing security requirements based on the sensitivity of the data being processed.

For CMMC Level 2 compliance, any cloud service provider that processes, stores, or transmits CUI must meet FedRAMP Moderate baseline requirements at minimum. This is because the security controls at the FedRAMP Moderate level are designed to protect information where the loss of confidentiality, integrity, or availability could have a serious adverse effect — which aligns with the sensitivity level of CUI.

FedRAMP authorization is not a simple certification. Cloud service providers undergo rigorous assessment by independent third-party assessment organizations, and their authorization is reviewed and approved by the Joint Authorization Board or individual federal agencies. The authorization process evaluates hundreds of security controls across the cloud provider’s infrastructure, operations, and management practices. This thorough evaluation provides defense contractors with assurance that the underlying cloud platform meets stringent security standards.

It is important to understand that FedRAMP authorization of a cloud platform does not automatically make everything you do in that platform CMMC-compliant. FedRAMP addresses the security of the cloud infrastructure itself — the shared responsibility model means that you are still responsible for properly configuring and using the cloud services, implementing your own access controls, and following proper CUI handling procedures within the cloud environment.

FedRAMP Moderate vs FedRAMP High: What Do You Need?

The distinction between FedRAMP Moderate and FedRAMP High is significant and directly impacts both your compliance posture and your costs. FedRAMP Moderate includes approximately 325 security controls and is the minimum authorization level required for cloud services processing CUI. Most defense contractors handling CUI will find that FedRAMP Moderate authorized services meet their CMMC requirements.

FedRAMP High includes approximately 421 security controls and is designed for cloud systems processing the government’s most sensitive unclassified data, where the loss of confidentiality, integrity, or availability could have severe or catastrophic adverse effects. While not explicitly required by CMMC Level 2 for all situations, some defense contracts may specify FedRAMP High requirements based on the sensitivity of the specific CUI involved.

The practical implication of this distinction is primarily cost. Cloud services authorized at FedRAMP High are significantly more expensive than their FedRAMP Moderate counterparts. Unless your specific contract requirements or the nature of your CUI mandate FedRAMP High, you may be able to achieve CMMC compliance with FedRAMP Moderate authorized services at substantially lower cost.

However, there is an important nuance regarding the Department of Defense. The DoD has established its own cloud security requirements through the Defense Information Systems Agency Cloud Computing Security Requirements Guide. For cloud services used by the DoD, impact levels are categorized as IL2, IL4, IL5, and IL6. CUI processing in DoD environments typically requires IL4 or IL5, which map most closely to FedRAMP Moderate and FedRAMP High, respectively. Understanding which impact level applies to your situation requires careful review of your contract requirements.

Microsoft 365 GCC vs GCC High: Making the Right Choice

Microsoft 365 is the most common productivity platform among defense contractors, and Microsoft offers several government-specific cloud environments. Understanding the differences between these environments is essential for making cost-effective compliance decisions.

Microsoft 365 Government Community Cloud, or GCC, is a cloud environment that meets FedRAMP Moderate requirements and provides data residency within the United States. GCC is hosted in Microsoft’s government cloud infrastructure, which is physically separated from commercial cloud environments. For many defense contractors handling CUI, GCC provides adequate security controls at a reasonable cost premium over commercial Microsoft 365.

Microsoft 365 GCC High is a more restrictive environment that meets FedRAMP High and DoD IL5 requirements. GCC High provides additional security controls including ITAR compliance support, enhanced personnel screening for Microsoft operations staff, and stricter network isolation. The licensing costs for GCC High are substantially higher than GCC — typically two to three times the cost of commercial Microsoft 365 licenses.

The decision between GCC and GCC High depends on your specific contract requirements and the nature of the CUI you handle. If your contracts specify ITAR data or DoD IL5 requirements, GCC High is necessary. If your CUI handling falls within the standard FedRAMP Moderate requirements and your contracts do not specify elevated cloud requirements, GCC may be sufficient and significantly more affordable.

It is worth noting that migrating between GCC and GCC High is not a simple upgrade. Moving from commercial Microsoft 365 to either government environment requires a tenant migration, which is a complex project involving data migration, reconfiguration of security settings, and potential disruption to business operations. Similarly, moving from GCC to GCC High involves another migration. Planning your cloud strategy correctly from the beginning avoids the cost and disruption of multiple migrations.

Other Cloud Services for CUI Processing

While Microsoft 365 dominates the defense contractor landscape, organizations may also use other cloud services that process, store, or transmit CUI. Each of these services must meet the applicable FedRAMP requirements.

Amazon Web Services GovCloud is a FedRAMP High authorized cloud infrastructure platform designed for government workloads and sensitive data. AWS GovCloud provides isolated regions operated by personnel who are United States citizens on United States soil, making it suitable for hosting applications and data that require FedRAMP High or DoD IL5 compliance.

Google Cloud Platform also offers government-focused environments with FedRAMP authorizations at various levels. Google Workspace, the productivity suite equivalent to Microsoft 365, has achieved FedRAMP authorization for certain configurations, though its adoption among defense contractors remains lower than Microsoft’s government offerings.

For specialized applications such as customer relationship management, enterprise resource planning, or project management, defense contractors must verify that each cloud service they use has appropriate FedRAMP authorization. Many popular commercial SaaS applications do not have FedRAMP authorization and therefore cannot be used to process CUI. This restriction often requires defense contractors to identify FedRAMP-authorized alternatives for their standard business tools.

When evaluating any cloud service for CUI processing, verify the current FedRAMP authorization status through the official FedRAMP Marketplace. Authorizations can expire or be revoked, and relying on outdated authorization information could create compliance gaps. The FedRAMP Marketplace provides current authorization status, authorization level, and the specific services covered by each authorization.

The Shared Responsibility Model and CMMC

One of the most critical concepts for defense contractors to understand is the shared responsibility model in cloud computing. This model defines the security responsibilities that are handled by the cloud service provider and those that remain with the customer organization. Misunderstanding this division of responsibility is a common source of compliance gaps.

In the shared responsibility model, the cloud service provider is responsible for security of the cloud — the physical infrastructure, network infrastructure, virtualization layer, and the cloud platform itself. The customer is responsible for security in the cloud — the data, applications, identity management, access controls, encryption configurations, and operating system and network configurations for any infrastructure-as-a-service components.

For CMMC compliance, this means that even though your cloud provider has FedRAMP authorization, you are still responsible for implementing and managing numerous security controls within the cloud environment. Multi-factor authentication must be configured and enforced by your organization. Access controls must be established and maintained by your administrators. Data loss prevention policies must be created and managed by your team. Audit logging must be configured and monitored by your security personnel.

During a CMMC assessment, the C3PAO (CMMC Third-Party Assessment Organization) will evaluate both the cloud provider’s authorization status and your organization’s implementation of customer-side security controls. Having a FedRAMP-authorized cloud platform is necessary but not sufficient — you must also demonstrate that you have properly configured and are actively managing the security controls within your cloud environment.

Cloud Architecture Strategies for CMMC Compliance

Several architectural strategies can help defense contractors achieve CMMC compliance in the cloud while managing costs effectively. The most common approach is the enclave strategy, where CUI processing is isolated in a dedicated cloud environment that meets all CMMC requirements, while general business operations may continue in a commercial cloud environment.

This enclave approach reduces the scope of your CMMC assessment by limiting the number of systems and users that must meet the full set of CMMC Level 2 requirements. For example, if only twenty of your one hundred employees handle CUI, you might maintain a GCC High environment for those twenty users while the remaining eighty use commercial Microsoft 365 for non-CUI business activities.

Network segmentation between cloud environments is essential for this strategy to work. Clear boundaries must exist between your CUI processing enclave and your general business environment, with controlled interfaces that prevent unauthorized CUI flows between environments. Your System Security Plan must clearly document these boundaries and the controls that enforce them.

Another strategy involves using virtual desktop infrastructure to provide controlled access to CUI. Users access a secure virtual desktop environment for CUI processing while using their standard workstation for general business activities. This approach can simplify endpoint management and reduce the number of physical devices that fall within your CMMC assessment boundary.

Common Cloud Compliance Mistakes

Defense contractors frequently make mistakes when implementing cloud solutions for CUI processing. Awareness of these common pitfalls can help you avoid them in your own environment.

Using commercial cloud services for CUI is perhaps the most fundamental mistake. Standard Microsoft 365, Google Workspace, Dropbox, and similar commercial services do not meet FedRAMP requirements and cannot be used for CUI processing, storage, or transmission. Even temporarily storing a CUI document in a commercial cloud service creates a compliance violation.

Assuming FedRAMP authorization covers all customer responsibilities is another common error. As discussed in the shared responsibility model section, you must implement and manage your own security controls within the cloud environment. Simply subscribing to a FedRAMP-authorized service does not make you compliant.

Neglecting to verify the scope of FedRAMP authorization can also cause problems. A cloud provider may have FedRAMP authorization for some services but not others. Verify that the specific services you plan to use are covered by the provider’s authorization. Using unauthorized services from an otherwise authorized provider creates compliance gaps.

Failing to properly configure data loss prevention and information barriers in cloud environments allows CUI to flow to unauthorized locations. Cloud collaboration features are designed to make sharing easy, which is exactly the opposite of what CUI protection requires. Configuring appropriate restrictions on sharing, forwarding, and external collaboration is essential.

Planning Your Cloud Strategy

Developing an effective cloud strategy for CMMC compliance requires balancing security requirements, operational needs, and budget constraints. Start by identifying all cloud services currently in use and determining which ones process, store, or transmit CUI. This inventory forms the basis for your cloud compliance planning.

Next, evaluate each service against FedRAMP requirements and determine which services need to be replaced or upgraded to FedRAMP-authorized alternatives. Develop a migration plan that prioritizes the most critical services and minimizes disruption to business operations.
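The inventory-and-evaluation steps above, together with the Marketplace verification and authorization-scope checks described earlier, can be captured as a small scoping check. This is an added example, not code from the original article; the service names, authorization statuses and dates are constructed placeholders, and in practice each status would be taken from the FedRAMP Marketplace.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Baseline ordering; the article maps DoD IL4 to Moderate and IL5 to High.
LEVEL_RANK = {"Low": 1, "Moderate": 2, "High": 3}

@dataclass
class CloudService:
    name: str
    handles_cui: bool                      # processes, stores or transmits CUI
    fedramp_level: Optional[str]           # None = no FedRAMP authorization at all
    authorized: set = field(default_factory=set)   # offerings covered by the authorization
    used: set = field(default_factory=set)         # offerings your tenant actually uses
    auth_expires: Optional[date] = None    # placeholder; take the real date from the Marketplace

def required_level(itar: bool, dod_il: Optional[int]) -> str:
    """Minimum FedRAMP baseline implied by a contract: High for ITAR or IL5, else Moderate for CUI."""
    return "High" if itar or (dod_il or 0) >= 5 else "Moderate"

def evaluate(svc: CloudService, required: str, today: date) -> list:
    """Return the compliance gaps for one service; an empty list means it may stay in CUI scope."""
    if not svc.handles_cui:
        return []                          # out of scope: commercial tenants are fine for non-CUI work
    if svc.fedramp_level is None:
        return ["no FedRAMP authorization: cannot process CUI"]
    gaps = []
    if LEVEL_RANK[svc.fedramp_level] < LEVEL_RANK[required]:
        gaps.append(f"authorized at {svc.fedramp_level}, contract requires {required}")
    uncovered = svc.used - svc.authorized
    if uncovered:                          # authorized provider, but not for these offerings
        gaps.append("outside authorization scope: " + ", ".join(sorted(uncovered)))
    if svc.auth_expires is not None and svc.auth_expires < today:
        gaps.append("authorization expired: re-verify on the FedRAMP Marketplace")
    return gaps
def scoping_report(inventory, itar: bool, dod_il: Optional[int], today: date) -> dict:
    required = required_level(itar, dod_il)
    return {svc.name: evaluate(svc, required, today) for svc in inventory}

# Constructed inventory with illustrative statuses, not real Marketplace data.
INVENTORY = [
    CloudService("M365 GCC", True, "Moderate", {"Exchange", "SharePoint", "Teams"}, {"Exchange", "Teams"}),
    CloudService("Commercial file-sharing app", True, None),
    CloudService("Commercial M365 (non-CUI staff)", False, None),
    CloudService("SaaS ERP", True, "Moderate", {"ERP Core"}, {"ERP Core", "Analytics add-on"}, date(2024, 1, 1)),
]
if __name__ == "__main__":
    for name, gaps in scoping_report(INVENTORY, itar=True, dod_il=5, today=date(2025, 6, 1)).items():
        print(f"{name}: {gaps or ['OK']}")
```

Running the same inventory under an ITAR/IL5 contract instead of a plain CUI contract flags the GCC tenant as under-authorized, which is exactly the GCC versus GCC High decision discussed above.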

Finally, ensure your team has the skills and knowledge to properly configure and manage security controls in your chosen cloud environment. Cloud security configuration is a specialized skill, and misconfigurations are a leading cause of security incidents and compliance failures.

Easy Compliances provides detailed training on cloud security for CMMC compliance, including practical guidance on configuring Microsoft 365 GCC and GCC High environments, implementing data loss prevention policies, and managing the shared responsibility model. Our courses help your team build the expertise needed to maintain a secure and compliant cloud environment throughout your CMMC certification lifecycle.
