AWS Public Sector Blog

Building your Cybersecurity Maturity Model Certification (CMMC) strategy using cloud technologies

laptop closing

The U.S. Department of Defense (DoD) released an interim rule, the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019–D041), which includes NIST SP 800-171 and Cybersecurity Maturity Model Certification (CMMC) assessment methodology and requirements. Organizations have been planning for CMMC, and with the release of this interim rule, are now beginning to prepare and build strategy for CMMC compliance.

As organizations embark on defining their CMMC strategy, they are faced with a number of questions and challenges that can impact the cost, schedule, level of effort, risk, and ultimately the success of the program. These questions include:

  1. What level of CMMC certification should the organization be pursuing and when?
  2. How do I define the environment boundary for certification?
  3. How do we address our different business units (commercial vs. U.S. Department of Defense) in the compliance strategy?
  4. Where do we store Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) data and who should and should not have access?
  5. What investments do we need to make in technology and services?
  6. How do I control these costs
  7. Where do we start?

Using Amazon Web Services (AWS) can help defense industrial base (DIB) contractors reduce the time, effort, complexity, and risk when defining their CMMC strategy. The AWS Cloud provides the ability to quickly develop, deploy, test, and experiment with infrastructure configurations to make the changes required as you mature your CMMC strategy. With the cloud, customers only pay for what they use and can turn off resources when not in use to further reduce costs. The cloud provides the flexibility to change infrastructure definition without the risk of being locked in to large capital expenditures for on-premises infrastructure while in the definition, planning, and execution phases.

With the AWS Cloud and the Shared Responsibility Model, DIB contractors can inherit CMMC practices from AWS, which will reduce their effort to demonstrate practice compliance. Moving solutions to the cloud can also reduce the time and effort required to bring current and legacy solutions into CMMC practice and process compliance. With the AWS Cloud, contractors can establish a separate security enclave that isolates both DoD data and their employees serving DoD and federal customers from other commercial endeavors.

Shared Responsibility Model for CMMC

Security and compliance is a shared responsibility between AWS and the customer, extending to certifications such as CMMC. The Shared Responsibility Model can help relieve the customer’s operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities where the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of any AWS security products like AWS Config, Amazon GuardDuty, and AWS WAF. Organizations should carefully consider the services they choose as their responsibilities vary depending on the AWS services used, the integration of those services into their IT environment, and published DoD CMMC guidance. The nature of this shared responsibility also provides the flexibility and control that permits the customer to leverage cloud capabilities and technologies to meet specific CMMC capability requirements.

Developing plans to address compliance gaps

Organizations don’t have to wait to begin their CMMC journey. They can begin by implementing the 110 security controls in NIST SP 800-171 Protecting Controlled Unclassified Information while continuing their progress for full CMMC Level 3 compliance with the associated 130 processes and capabilities. Another starting point is to understand the CMMC processes and practices, then identify your CMMC scope to determine the desired CMMC maturity level. The Carnegie Mellon Software Engineering Institute provides an approach to identifying scope for your CMMC assessment. Next, you can perform a pre-assessment based on the scope and target maturity level to identify any gaps that need to be addressed in preparation for the CMMC assessment.

CMMC technical practices to AWS solution offerings

Using AWS solutions can help DIB organizations meet CMMC challenges and control requirements. CMMC maps practices to compliance families. For example, the challenges related to configuration management can be daunting. However, if DIB contractors store and process FCI and CUI on AWS, they can solve the challenges of baseline configuration, configuration drift, reporting, and compliance using a set of API calls such as AWS Systems Manager, AWS CloudFormation, and AWS Config.

But what about more challenging issues, such as running security assessments to validate documented controls? AWS can also help by using services like Amazon Inspector and Amazon Detective along with continuous monitoring tools like AWS CloudTrail and Amazon CloudWatch.

Using services to help with continuous monitoring can reduce the strain of manual asset threat assessment, complex tool configuration, and scheduling scans. Amazon GuardDuty protects your AWS accounts, workloads, and data with intelligent threat detection and continuous monitoring. Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon Simple Storage Service (Amazon S3)—a simple service to configure. In less than 10 steps, you can monitor and protect your AWS CMMC environment.

These are just some of the ways AWS services enable DIB organizations to meet their CMMC needs. Figure A shows a sample of service category mappings.

Figure A

Want to learn more about the motivation behind CMMC, the role industry plays, and the solutions AWS is developing to help customers reach that certification? Check out the panel discussion, “CMMC – Safeguarding the Defense Industrial Base” from the Billington CyberSecurity Summit, and the session “Accelerating DoD Cybersecurity Maturity Model Certification (CMMC) with AWS GovCloud (US)” from the AWS Public Sector Summit Online. For the latest on AWS CMMC compliance information, visit And contact us with any questions.

Samara Moore

Samara Moore

Samara Moore is a security assurance senior manager at Amazon Web Services (AWS). She leads the security and compliance program for regulated industries and public sector in the Americas region. Prior to joining AWS, Samara managed enterprise security programs for regulated and non-regulated environments for a major energy provider. She also managing security programs within the federal government for over 10 years, including as a former director of critical infrastructure cybersecurity for the White House National Security Council and senior cybersecurity advisor at the US Department of Energy.

Tyler Harding

Tyler Harding

Tyler Harding is the Department of Defense (DoD) compliance program manager within Amazon Web Services (AWS) security assurance. He has over 20 years of experience providing information security solutions to federal civilian, DoD, and intelligence agencies.