AWS Public Sector Blog

Accelerating CMMC readiness: How AWS and Wiz help public sector organizations

For US government contractors and subcontractors, navigating the path to Cybersecurity Maturity Model Certification (CMMC) is no small task. The stakes are high, and the requirements are complex. With the Department of Defense (DoD)—also known as the Department of War—phasing CMMC into new and existing contracts, the pressure to get it right keeps growing. That’s why organizations are increasingly looking for efficient, scalable ways to examine their environments to prepare for CMMC assessments without overburdening teams or budgets.

Together, Amazon Web Services (AWS) and Wiz help contractors get clarity faster by discovering the location of contractually defined Controlled Unclassified Information (CUI), right-sizing the certification boundary, and collecting the evidence needed to demonstrate compliance with confidence. AWS and Wiz help automate these processes so organizations can assess their CMMC readiness quickly with less strain on administrative and organizational resources.

The CMMC final rule, 32 CFR Part 170 published October 15, 2024, categorizes CMMC compliance into three levels, with self-assessment sufficient for level 1 and some level 2 compliance, and CMMC third-party assessor organization (C3PAO) assessment needed for some level 2 and all of level 3. Wiz and AWS help provide many of the technical infrastructure and security controls necessary for CMMC and can help organizations to more quickly assess where they might have security gaps prior to beginning their CMMC assessment.

The following table outlines the scope, requirements, and assessment approach of the three levels.

An image displaying a table with the three CMMC levels (1-Foundational, 2-Advanced, 3-Expert) with their respective scope, requirements, and assessment approach.

Figure 1: Wiz and AWS help organizations to support and measure different technical controls required for CMMC levels 1–3

Why CMMC is a heavy lift

With nation-state sponsored threat actors continuing to target the defense industrial base (DIB), the CMMC framework has become critical for protecting CUI in nonfederal systems. The DoD now considers CMMC as essential and enforceable for contractors seeking to engage in defense-related work.

But many organizations are still asking foundational questions:

  • Which systems contain or process CUI?
  • What falls within the certification boundary?
  • How can we avoid over-auditing while ensuring compliance?

This uncertainty leads to common challenges:

  • Environmental blind spots complicate assessment scoping.
  • Over-auditing leads to increased costs and wasted effort.
  • Audit delays occur when teams can’t produce the right artifacts.
  • Mapping CUI data flows becomes guesswork.

When relying on legacy technologies and manual methodologies, gathering the necessary supporting evidence for CMMC compliance can be very challenging. For example, a large healthcare group handling CUI Specified patient data to help provide advanced medical care to active-duty service members reported spending 2 years trying to catalog where CUI was present, and which systems were interconnected. This effort was a challenge due to a lack of visibility, shadow IT, and dispersed ownership of workloads in their cloud environment. Wiz can help automate many of these processes and uncover shadow IT without requiring manual labor hours. Automation and visibility can significantly reduce the administrative effort necessary for CMMC certification readiness by greatly reducing manual collection and correlation of data needed during an assessment.

The power of Wiz and AWS

Wiz is a cloud security platform providing organizations with full visibility into their AWS Cloud environment. When Wiz is connected to AWS, Wiz helps public sector teams automate discovery of resources (including where CUI data resides), assess risk in context, and prove their security posture in a defensible way to help ease the burden of self-assessment and third-party audit.

By connecting to AWS environments without agents in minutes, Wiz can identify:

  • Which resources contain or connect to CUI
  • Which identities can access what, and from where
  • Which vulnerabilities or misconfigurations impact security

Having complete visibility with context regarding what resources are deployed within AWS, how those resources connect, and which identities have access is a critical component of CMMC level 2 and 3, and it’s available out of the box with Wiz. Combined with the security features in AWS GovCloud (US), organizations can build a secure, scalable foundation for compliance without slowing down the mission.

AWS GovCloud (US) is an innovative compliant cloud solution that technology leaders trust to host sensitive and CUI data. It comprises two physically and logically isolated US sovereign Regions, AWS GovCloud (US-East) and AWS GovCloud (US-West), operated by US citizens on US soil. Government customers, technology partners, and entities with highly regulated enterprise cloud requirements use AWS GovCloud (US) compliance programs and capabilities to secure their workloads and accelerate their ability to receive an authority to operate (ATO).

AWS GovCloud (US) is designed to address specific regulatory and compliance requirements of US government agencies at the federal, state, and local level, as well as contractors, educational institutions, and other US customers that run sensitive workloads in the cloud. Beyond the assurance programs applicable to all AWS Regions, the AWS GovCloud (US) Regions are designed so customers can adhere to US International Traffic in Arms Regulations (ITAR), Federal Risk and Authorization Management Program (FedRAMP), and DoD Cloud Computing Security Requirements Guide (SRG) Impact Levels 2, 4, and 5. Visit AWS Compliance for a complete list of US compliance standards supported by AWS GovCloud (US).

Approaching CMMC assessments with confidence

Here’s how AWS and Wiz work closely with organizations to streamline the CMMC auditing process while reducing time to production and facilitating innovation.

Understand CUI data flows

Wiz helps teams address a common challenge in understanding where CUI resides through its custom data classification rules within its Data Security Posture Management (DSPM). These rules can be used to search for CUI defined within defense contracts, statements of work, and performance work statements. By identifying where CUI exists within their cloud environments, it becomes easier for organizations to ensure the proper protections for these data are in place.

Organizations need to track whether the CUI is Basic or Specified, as defined in their defense contracts. This distinction is critical because CUI Specified often entails more stringent legal requirements, such as those mandated by ITAR, which necessitate enhanced safeguarding found in specialized environments such as AWS GovCloud (US) and Wiz for Gov.

The following screenshot shows the Data Findings dashboard.

An image displaying the Wiz CNAPP data findings dashboard overview displaying visual graphics for data type breakdown, geographic breakdown, and top resources with sensitive records. An additional section containing a list of data findings with severity, status, classification rule, number of records, resource, cloud subscription, project, and files is also visible

Figure 2: Wiz automates data findings through its integrated DSPM capabilities to help identify where data resides and prioritize remediation of detected security risks

By automating discovery of CUI and which systems and resources are interconnected, it’s easier for organizations to evaluate whether they’re meeting the elevated security demands and compliance for CUI Specified data.

Optimize your CMMC scope

Trying to certify your entire AWS Cloud environment isn’t merely expensive—it’s often unnecessary. With the right visibility, organizations can define a clear and defensible boundary that includes only what’s required for CMMC.

Right-sizing the boundary requires a partnership between engineering, compliance, and legal teams. This can seem overwhelming, but by automating discovery of where CUI resides, which resources and identities can connect, and how these systems are externally exposed, a boundary can be scoped.

Wiz provides the visibility to help accelerate this process. With context-rich insights across an organization’s AWS infrastructure, it’s possible to:

  • Properly define the scope of the CMMC environment
  • Clearly demonstrate which identities and resources have access to CUI
  • Avoid the time and cost of auditing nonrelevant resources

This balance—security with agility—is essential for government contractors and subcontractors working with tight budgets and timelines. The following Venn diagram illustrates the intersection between a tight scope with a minimal boundary and a full scope that puts a boundary around everything. The center area, showing the overlap between tight and full scopes, lists some advantages of placing the CMMC assessment boundary around CUI and related systems.

A Venn diagram entitled “Right-Sizing the CMMC Boundary.” The left circle is entitled “Tight Scope,” and contains a list of associated advantages of a minimal boundary around only the CUI included in the CMMC assessment. The right circle is entitled “Full Scope,” and contains a list of associated advantages of having the entire cloud environment included in the CMMC assessment. Where the two circles overlap is a dark blue shaded region entitled “Right Scope,” which contains a list of associated advantages of focusing the CMMC assessment boundary around CUI and related systems.

Figure 3: Determining what should be in scope for a CMMC assessment can impact the cost and duration of an audit, as well as the flexibility to expand scope and services

Gather comprehensive audit evidence

Auditors expect evidence. But pulling the right artifacts together—across vulnerabilities, configurations, access controls, and more—can be challenging.

Wiz automates this process by continuously monitoring the AWS environment and surfacing relevant findings. Wiz examines numerous AWS services, including Amazon Bedrock, AWS Certificate Manager (ACM), AWS CloudTrail, AWS Key Management Service (AWS KMS), AWS Lambda, AWS Network Firewall, Amazon OpenSearch Service, AWS Secrets Manager, and many others. Wiz can generate customizable reports that provide documentation to support audit requirements quickly and without manual input.

The following image is a screenshot of the Wiz Cloud-Native Application Protection Platform (CNAPP) reports user interface showing findings, compliance, and inventory reports. Underneath each report category are options for report subcategories, including network exposure, vulnerabilities, data findings, compliance assessment, vulnerabilities for compliance, datastores, and cloud resources inventory.

Figure 4: Wiz provides several out-of-the-box reports, with customizable options, to quickly export necessary information to support CMMC audits

The combination of continuous monitoring processes, quick identification of vulnerabilities and indicators of risk, adherence to best practices and technical benchmarks, and automated alerts when deviations from baselines are detected all helps organizations to quickly show compliance with NIST SP 800-171r2. The DoD CMMC final rule 32 CFR Part 170 specifies NIST SP 800-171r2 as the technical standard for assessing whether CUI data is sufficiently protected for CMMC Level 2 (Self and C3PAO) certification.

By way of example, Wiz comes with out-of-the-box automated assessments against a host of technical benchmarks. These include Center for Internet Security (CIS) frameworks and Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). The automated assessments are designed to identify whether systems meet hardening requirements that protect against cybersecurity threats. This quickly helps organizations meet many of the controls within the Configuration Management control family of NIST SP 800-171r2.

To meet and exceed the CMMC cloud service provider (CSP) requirements, AWS and Wiz both offer FedRAMP High authorized environments. Wiz for Government and AWS GovCloud (US) have been built to meet or exceed many regulatory frameworks including ITAR, FISMA, HIPAA, and FedRAMP. These FedRAMP High authorizations help simplify audits, including CMMC, by reducing or exempting these environments from additional documentation to prove their security.

To learn more about the CMMC and NIST SP 800-171r2 controls Wiz for Government can assist with, refer to the Wiz for CMMC Certification datasheet.

Achieving CMMC: Turning standards into security

Preparing for CMMC is no longer optional for many organizations contracting or subcontracting with the DoD. But it doesn’t have to be a long, challenging process either.

By combining the robust protection of AWS with the visibility of Wiz’s CNAPP, public sector teams can simplify scoping, accelerate discovery, and move into audit readiness with confidence.

Whether organizations are building in AWS GovCloud (US) or expanding their existing environment, Wiz helps identify where CUI lives, validate security controls, and support the compliance boundary with data, often eliminating the need for manually generated and maintained spreadsheets.

Read about how Wiz’s FedRAMP High authorization strengthens security for AWS customers.

Ready to accelerate your CMMC journey? Learn more about getting started with AWS Global Security & Compliance Acceleration (GSCA) and Wiz today.

Varun Jasti

Varun is a solutions architect at AWS, working with AWS Partners to design and scale artificial intelligence solutions for public sector use cases that meet compliance standards. With a background in computer science, his work covers a broad range of ML use cases, primarily focusing on LLM training and inference and on computer vision. In his spare time, he loves playing tennis and swimming.

Bryan Rosensteel

Bryan is the head of Public Sector Product Marketing at Wiz. He has over 20 years of public sector experience. He has advised the US federal government on many cybersecurity initiatives, including ICAM, worked on several NCCoE projects leading to NIST 1800 series special publications, helped form and run working groups at non-profit organizations such as ATARC, and assisted with the design and implementation of several government IT modernization projects.

Greg Carpenter

Greg is a senior security partner strategist on the AWS Global Security & Compliance Acceleration Partner Team, helping partners and customers meet their security and authorization needs—whether it be architecting, configuring, deploying, or integrating tools and controls. Throughout his career, Greg has excelled at partner and customer communication and at security and compliance support. Prior to AWS, Greg spent 4 years at CIS helping members and non-members navigate their own cybersecurity strategy, with a focus on cloud cybersecurity products and strategy for the global community. Greg has also contributed to several CIS Benchmarks, the CIS Controls v8 Cloud Companion Guide, and the latest version of the CIS Critical Security Controls. When his head is not in the cloud, he enjoys time with his family, time on his Harley, ice hockey, fishing, and mountain biking.

Greg Hewitt

Greg leads AWS GTM strategy for Wiz’s Global Public Sector business, where he focuses on helping government agencies and regulated industries securely accelerate their cloud adoption. With prior leadership roles at Splunk and Second Front Systems, Greg has been at the center of driving innovation in cloud security and defense modernization. He partners closely with AWS to deliver joint solutions that enable FedRAMP, CMMC, and ITAR compliance, and is passionate about advancing mission resilience by making the cloud both more secure and more accessible for government organizations.