
CMMC in the Cloud: How a Government Cloud Environment Accelerates CUI Compliance


For most organizations in the defense industrial base (DIB), Controlled Unclassified Information (CUI) doesn't live in a server room. It lives in email, in shared documents, in chat, and in the apps people use every day. In other words, it lives in the cloud.

That makes the cloud environment you choose, and how you configure it, one of the most consequential decisions you'll make on the path to CMMC certification.

It's also one of the most misunderstood. "CMMC cloud" gets treated as if there's a single product you buy to become compliant. There isn't.

What a “CMMC cloud” can do (when you pick the right platform and license and configure it correctly to meet CMMC requirements) is reduce your scope and compliance burden dramatically by:

  • Letting you inherit or share a large body of security controls from the provider's environment, which reduces your customer responsibility
  • Isolating CUI inside a clean boundary to avoid bringing your entire enterprise environment in scope

This guide covers how the cloud fits into CMMC and what choices can simplify your readiness and continuous compliance efforts, including enclave vs enterprise, Microsoft vs Google, and disparate solution vs all-in-one provisioning and management solution.

What are CMMC cloud requirements?

Under CMMC, a contractor can use an external cloud service provider (CSP) to handle CUI if that CSP is able to protect the confidentiality, integrity and availability of CUI once it’s in the cloud. This requires compliance with applicable requirements in DFARS 252.204-7012. More specifically, the contractor must require and ensure the CSP meets security requirements:

Otherwise, that contractor cannot achieve CMMC Level 2 compliance.

In short, CMMC doesn't require any specific cloud vendor, like Microsoft or Google; only that the cloud can clear the FedRAMP Moderate bar (and meet the other DFARS requirements related to cyber incident reporting, malicious software handling, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment).

What this means: A commercial productivity suite that isn’t authorized or equivalent to that baseline can't be used to demonstrate CMMC Level 2, no matter how well you configure it.

This is no longer a "someday" exercise now that CMMC rulemaking is complete. The 32 CFR Part 170 program rule has been in effect since December 2024, and the 48 CFR acquisition rule made CMMC a contractual obligation starting on November 10, 2025. With Phase 1 live, the requirement for Level 2 (C3PAO) certification assessments is already appearing in contracts and will roll out in more in Phase 2, starting on November 10, 2026.

In other words, the runway to stand up and validate a compliant cloud environment is shorter than most teams think.


Shared responsibility in the CMMC cloud: What you inherit, and what's still yours

The biggest advantage of a government cloud is inheritance. A FedRAMP Moderate Authorized or equivalent CSP has already implemented a wide range of controls and had them assessed, so you don't have to implement or prove them all over again yourself.

This is the shared responsibility model: some CMMC requirements are fully the provider's, some are fully yours, and many are shared.

While you won't inherit 100% of CMMC controls from any CSP, you’ll inherit some. And every requirement the CSP fully or partially satisfies means fewer requirements and assessment objectives you have to implement, document, and maintain on your own.

In practice, a government CSP typically covers a meaningful portion of the technical requirements related to infrastructure, including:

  • Physical security
  • Media protection
  • Equipment maintenance and facility controls
  • Patch and configuration management of the underlying platform
  • Continuous auditing and logging infrastructure
  • Software updates, API automation, and data backups

These make up a significant portion of the total CMMC requirements. In fact, according to Microsoft Chief Security Architect Richard Wakeman, a fully configured, cloud-native environment in GCC High gets you to roughly 86 of the 110 Level 2 controls.

This number varies by provider, cloud offering, and configuration, but the exact number isn’t important. What’s important is that it’s not 110.

Here's what to remember about any “CMMC cloud": Even if you turn every knob and dial a government cloud gives you, you won't get to 110.

At the Secureframe National Cybersecurity Summit, Microsoft Chief Security Architect Richard Wakeman explained that the remaining two dozen or so aren't technology problems. They're people-and-process problems, like:

  • Security awareness training
  • Incident response
  • Monitoring operations
  • Risk assessments
  • Policies that govern who gets access and how CUI is handled

As Wakeman framed it, there's always a shared responsibility between you and the cloud provider that no amount of configuration closes on its own.

That gap is exactly why the cloud is a starting point, not a finish line.

To ensure you understand and actually meet all CMMC requirements, it’s essential to get this shared responsibility in writing from your CSP. This is the part teams skip and assessors don't. You need the provider's FedRAMP body of evidence, and specifically its Customer Responsibility Matrix (CRM).

Your assessor will expect you to document how you meet each requirement, whether inherited, shared, or yours as the customer. The CRM is the map for that.


Enclave or enterprise: What cloud environment do most contractors start with?

Once you've decided CUI is going into a government cloud, the next architectural decision is enclave vs. enterprise.

A CUI enclave is a carve-out of your enterprise environment that’s designated for storing, processing, and transmitting CUI and strictly controls who can access it and how. This defined, architecturally separated boundary isolates the systems, devices, and users with access to CUI from the rest of your environment.

The whole point is reducing CMMC scope. The fewer systems and people that handle CUI, the fewer systems and people fall inside your CMMC assessment boundary, which can significantly reduce the complexity, cost, and timeline of compliance.

Most contractors start here. In a typical cloud-native enclave, users "swivel-seat" into the environment with a separate account and device (often a virtual desktop) to complete work related to a specific contract or program involving CUI and CMMC requirements. When done right, this keeps their everyday corporate environment and most on-prem infrastructure (such as laptops and local networks) out of scope.

The enterprise approach is the other end of the spectrum: instead of carving out a slice of your environment, you go all in, meaning you bring the whole organization into scope and make it CMMC-compliant. This may mean, for example, moving everyone in your organization into GCC High.

Wakeman noted that he often sees a maturity curve: DIB organizations start with a swivel-seat enclave and over time migrate more of the business in, until some go all-in and the enclave simply becomes the enterprise.

Which is right for you comes down to a few questions:

  • Where do you want CUI to live? Everything else flows from that answer.
  • How much of your business is defense work? If government work is a small subset, an enclave keeps your finance, HR, and other teams out of scope. If nearly every user touches CUI, the enterprise approach is usually cleaner.
  • What's your timeline? Enclaves can usually be stood up, configured, and assessed more quickly than an entire enterprise environment. Often it’s the right call when a prime's deadline is driving you.
  • Do you have specialized or on-prem assets? CNC machines, lab equipment, OT/ICS gear, and government-furnished equipment can pull physical facilities back into scope and may not fit a cloud-native enclave cleanly. That's a signal to think carefully about scope before committing to an enclave over an enterprise approach.
  • Which makes it easier for people to do their job? An enclave only works if people actually use it. If your environment is certified and then everyone reverts to old workflows and tools outside your enclave, that not only affects your compliance status. It’s also data spillage that must be reported. During an assessment, C3PAOs look for evidence that the enclave is genuinely in use and maintained. The cloud architecture you choose is the foundation. Operating it is the ongoing obligation.

Choosing your CMMC cloud: Microsoft GCC High, GCC, or Google Workspace

For the cloud layer where most CUI actually lives and is handled (via email, documents, chat, file storage, and so on), most DIB organizations look to Microsoft and Google’s cloud offerings, particularly comparing GCC High, GCC, and Google Workspace.

None of them are technically required by CMMC. The right choice is driven by your organization’s needs, and specifically the categories of CUI you handle and must secure.

Microsoft 365 GCC High

GCC High is the most common choice for CMMC Level 2, and for good reason. It delivers the Microsoft 365 productivity suite (Exchange, SharePoint, Teams, OneDrive) on top of Azure Government infrastructure, which has FedRAMP High authorization and true data sovereignty, meaning the back end is operated and supported by U.S. persons in the continental U.S. That makes it eligible for handling CUI Specified, such as export-controlled information (ITAR/EAR), and not just CUI Basic.

Over years of customer engagements, Wakeman observed that 90% of contractors choose GCC High because at some point they expect to touch export-controlled data.

Microsoft 365 GCC

GCC aligns with the FedRAMP Moderate baseline referenced in DFARS 252.204-7012, and you can demonstrate CMMC Level 2 compliance in it, but there’s a caveat.

The difference from GCC High is that it only offers data residency, not data sovereignty. GCC keeps data at rest in the U.S., but it sits within the Azure Commercial infrastructure. So its back end may be supported by non-U.S. persons, and some of its services may not meet the strict access controls required for export-controlled data. That makes GCC a reasonable fit for CUI Basic, but not for CUI Specified.

If there's any chance ITAR or EAR data enters your environment, GCC High is the safer bet.

Google Workspace

Google Workspace offers a comparable model to Microsoft: a tenant configured to isolate CUI, enforce the required controls, and segregate access. This is ideal for Google-first organizations since it avoids a partial or wholesale migration to the Microsoft ecosystem while still giving you a government-grade environment for CUI.

For CMMC Level 2 for all types of CUI, you must only use FedRAMP High authorized services, configured with Assured Controls Plus, to enable data storage exclusively within the United States.


Provisioning your CMMC cloud: Traditional approach vs Secureframe Defense

Deciding which platform you need is only the first step. Building the enclave is the next, and where teams typically stall.

A traditional cloud-native enclave deployment takes 8–10 weeks on average, including architecture planning, identity configuration, logging setup, endpoint hardening, and validation. It typically requires significant internal IT resources or outside consultants for that time period, and doesn’t account for documentation or ongoing management.

Secureframe Defense compresses that timeline. Through Automated Cloud Provisioning, Secureframe Defense can stand up a CMMC-compliant enclave in either Microsoft GCC High or Google Workspace in as little as 30 minutes. This environment comes pre-configured for the CMMC requirements that draw the most assessment scrutiny, such as:

  • CUI segregation: A CUI-designated SharePoint site or Google Drive folder with the required role groups is created and continuously validated so CUI is isolated and access-controlled by default.
  • Technical configurations: Required CMMC settings, including MFA, conditional access policies, audit logging, and sharing restrictions, are written directly into the tenant via API rather than configured by hand by the customer.
  • Separation of duties: Role assignment rules are enforced in the Navigator workflow to prevent conflicts and support CMMC requirements around separation of duties. For example, a global or super admin can't also be assigned a CUI data-access role.
  • CUI access: Secure access to the cloud environment with auto-provisioned virtual desktops or compliant physical devices using a FedRAMP Moderate Authorized device management solution.

Furthermore, every configuration Secureframe automatically provisions and enforces over time is captured as evidence in ongoing automated tests and documented in real time in your system security plan (SSP), with continuous monitoring to flag when a setting drifts out of compliance. This means infrastructure deployment, documentation, and monitoring are automated in one place.

For the remaining CMMC controls, the Defense Navigator helps you close that people-and-process gap that an enclave can’t cover. Navigator translates all CMMC requirements into clear, actionable tasks you can complete following the step-by-step workflow, including inviting personnel, background checks, and training.

Completing it auto-generates an SSP, POA&M, CMMC-specific policies, and an SPRS score based on your specific environment and configuration. It also supports the risk assessments, vendor evaluations, policy assignments, and security awareness training that round out the full set of 110 requirements and 320 assessment objectives of CMMC Level 2.

Moving forward, after your cloud environment is auto-provisioned and the Navigator workflow is complete, CUI work happens inside the enclave, while governance, documentation, training, and non-CUI workflows happen in the Secureframe Comply platform alongside it.

How to pick, deploy, and maintain a CMMC cloud

Below are tips to help you pick the right platform, architecture, and deployment and management solution to not only get assessment-ready, but to stay that way.

  • Match the cloud to your CUI. Data residency (GCC) is not data sovereignty (GCC High). Export-controlled and CUI Specified data require a cloud environment with the most rigorous security requirements in place. When in doubt, protect to the highest watermark your data could require, now or in the future.
  • Consider what actually works for your users. Let your users, not cost, be the driving factor behind whether you set up a CUI enclave or go all-in and which licensing option you purchase. As an authorized Microsoft GCC High reseller, Secureframe can help you select and purchase the required licensing and stand up your cloud environment for CUI.
  • Get the shared-responsibility matrix in writing. Obtain the provider's CRM, confirm what you inherit versus what you must implement, and make sure your C3PAO can review it under NDA.
  • Document the boundary. Your SSP should clearly document the enclave architecture, the controls at each layer, data flows (in and out), and the authorized personnel.
  • Plan for the people-and-process controls early. A cloud enclave can close most of the technical gap. Training, incident response, and governance close the rest. Make sure to implement processes and tools required for both the technical and operational controls.
  • Treat the assessment as a starting point, not the goal. Continuous monitoring, logging, and evidence of active use of your enclave are what keep you compliant from one certification to the next. Find a solution that helps with deployment as well as ongoing management and documentation to truly reduce the operational burden of compliance.

No “CMMC cloud” makes you 100% compliant automatically. But the right cloud, configured correctly and enforced and monitored over time, gets you most of the way there far faster and cheaper than building or redesigning your entire enterprise environment to be CMMC compliant from scratch.

Secureframe Defense is designed to simplify not only the CUI environment, but the entire cybersecurity program required to achieve and maintain CMMC certification. Talk to an expert to learn more.

FAQs

Can a cloud service provider meet some CMMC requirements for you?

Yes, some of the CMMC requirements can be satisfied by a cloud service provider (CSP). In the shared responsibility model, many baseline security controls (such as physical security, network infrastructure security, and some access controls) are typically handled by the CSP.

For example, CMMC requires certain safeguards for data storage and transmission. If you're using a CSP that complies with specific standards like FedRAMP or NIST SP 800-171, those standards might align with CMMC controls. The CSP may already meet certain CMMC requirements regarding infrastructure security, but the customer is still responsible for configuring and managing their systems in a secure manner to fulfill the rest of the CMMC obligations.

How do you know which CMMC requirements have been met by your CSP?

Each CSP will have a unique shared responsibility matrix and it’s important that your organization understands which controls and requirements are covered by the CSP and which are covered by your organization. CMMC advises that you obtain this customer responsibility matrix in writing from your provider.
