Cybersecurity Maturity Model Certification (CMMC)

What's new in AWS CMMC Compliance?

AWS has launched the Landing Zone Accelerator (LZ Accelerator) on AWS solution to help customers in AWS Commercial and AWS GovCloud (US) regions quickly deploy a secure, resilient, scalable, and fully automated cloud foundation that accelerates readiness for their cloud compliance program. LZ Accelerator is architected to align with AWS best practices and to conform with multiple global compliance frameworks, such as Cybersecurity Maturity Model Certification (CMMC) and the Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG), while reducing the level of technical effort, cost, and risk.

When used in coordination with other AWS services, LZ Accelerator provides a comprehensive no-code solution across 35+ AWS services. With this solution, customers with highly regulated workloads and complex compliance requirements can better manage and govern their multi-account environment. The Landing Zone Accelerator solution helps you establish platform readiness with security, compliance, and operational capabilities.

More information for the Landing Zone Accelerator on AWS can be found at: https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/

Overview

The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the Defense Industrial Base (DIB). It is designed to protect sensitive unclassified information that is shared by the DoD with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the DoD increased assurance that contractors and subcontractors are meeting these requirements.
 
The framework has three key features:
  • Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the DoD to verify the implementation of clear cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

  • What is CMMC 2.0?

    CMMC 2.0 is the next iteration of the DoD’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
  • What are the new levels in CMMC 2.0?

    On December 3, 2021, the DoD released the CMMC 2.0 Model Overview. The CMMC 2.0 model encompasses the basic safeguarding requirements for Federal Contract Information (FCI) specified in Federal Acquisition Regulation (FAR) 52.204-21 and the security requirements for Controlled Unclassified Information (CUI) in NIST SP 800-171r2 per Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.

    CMMC Level 1 (Foundational): for companies with FCI only; information requires protection, but is not critical to national security; requires 17 basic safeguarding practices. See the CMMC Level 1 Scoping Guidance.

    CMMC Level 2 (Advanced): for companies with CUI; will require the 110 practices from NIST SP 800-171r2; may require third-party or self-assessments, depending on the type of information. See the CMMC Level 2 Scoping Guidance.

    CMMC Level 3 (Expert): for the highest priority programs with CUI; will use a subset of NIST SP 800-172; will be assessed by government officials.

  • Why is CMMC 2.0 being implemented?

    Cybersecurity is a top priority for the Department of Defense.

    The Defense Industrial Base (DIB) is the target of increasingly frequent and complex cyberattacks. To protect American ingenuity and national security information, the DoD developed CMMC 2.0 to dynamically enhance DIB cybersecurity to meet evolving threats and safeguard information.
  • Who needs to be CMMC certified?

    Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
  • When is the DoD implementing the CMMC 2.0 requirement?

    The DoD has expressed that it does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process. The DoD’s estimate for the completion of that process is 9-24 months from November 2021.

    Once CMMC 2.0 is implemented, the DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.

  • Are there members of the DoD supply chain using AWS now?

    A wide range of organizations, programs, and contractors across the DoD supply chain use AWS to transform their business and operations. They leverage AWS to create secure cloud environments to process, maintain, and store U.S. Federal Government data in accordance with Defense Federal Acquisition Regulation Supplement (DFARS), DoD Cloud Computing Security Requirements Guide (SRG), Federal Risk and Authorization Management Program (FedRAMP), and other federal compliance programs.

    You can review case studies to learn how AWS is helping the DoD, including the U.S. Defense Logistics Agency, U.S. Air Force, U.S. Navy, and U.S. Special Operations Command, as well as DoD contractors like Lockheed Martin, Raytheon, and GDIT. For more information on how AWS meets the high security requirements of the DoD, see the Cloud Computing for Defense webpage.

  • How does the new DoD “Interim Rule” affect my organization?

    The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The DoD has expressed that it does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process.

    Once CMMC 2.0 is codified through rulemaking, the DoD will require companies to adhere to the revised CMMC 2.0 framework.
  • Do cloud services need to be CMMC certified?

    No. CMMC measures a DIB contractor’s cybersecurity capabilities and processes compared to the requirements for a specific CMMC level.

    As a Cloud Service Provider (CSP), AWS is authorized by FedRAMP at FedRAMP High and by the Defense Information Systems Agency (DISA) at SRG Impact Levels 2, 4, and 5.
  • Does AWS provide CMMC 2.0 reciprocity with other compliance programs?

    No. The DoD has not yet defined how other compliance programs such as FedRAMP or ISO 27001 Information Security Management will map to CMMC 2.0 levels.
  • Does AWS provide solutions and compliance documentation to help with CMMC 2.0 compliance?

    Yes. Under CMMC 2.0, the “Advanced” level (Level 2) will be equivalent to NIST SP 800-171. The “Expert” level (Level 3), which is currently under development, will be based on a subset of NIST SP 800-172 requirements.

    AWS has released the NIST SP 800-171 Customer Responsibility Matrix (CRM), which aligns with CMMC 2.0 Level 2 (Advanced) and provides a breakdown of the NIST SP 800-171 security controls that customers can inherit from AWS by using the Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US).
     
    The AWS NIST SP 800-171 CRM package is available for customer download in AWS Artifact in both the AWS Standard and the AWS GovCloud (US) regions.

  • Does AWS Professional Services support customers in meeting their CMMC compliance requirements?

    Yes. AWS Professional Services consultants are trained on the Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US), and are able to support customer implementations that address CMMC compliance challenges.

  • Which AWS Region(s) should I use to deploy our CMMC 2.0 cloud environment?

    AWS intends to provide customers the flexibility to deploy and certify AWS CMMC 2.0 solutions across standard and restricted regions (US East/West, AWS GovCloud (US), etc.) based on the requirements of their business and DoD programs and contracts.

If you have questions regarding CMMC or DoD compliance, please contact your AWS Account Manager or submit the AWS Compliance Contact Us Form to be connected with your account team.
