As organizations seek to meet the rigorous requirements of the CMMC 2.0 model, leveraging secure cloud environments can help make the compliance process faster and more cost-efficient.

AWS GovCloud, AWS Secret Cloud, Azure Gov Cloud, and Google Cloud offer secure, compliant cloud environments that help organizations meet CMMC requirements.

In this blog post, we’ll walk through the process of gaining access to these specialized cloud environments and how they can support your CMMC compliance efforts.

How a Government Cloud Provider can simplify CMMC compliance

If a DoD contractor uses an external cloud service provider to process, store, or transmit CUI, this provider must meet specialized security requirements. More specifically, as required by DFARS 252.204-7012 and the CMMC assessment process, the DoD contractor must ensure that the CSP has security measures in place that are equivalent to the FedRAMP Moderate Baseline. This requirement is designed to ensure the provider is able to protect the confidentiality, integrity and availability of CUI once it’s in the cloud.

That means the DoD contractor inherits a lot of security capabilities from a government cloud provider. For example, say the provider already implemented encryption. Then the DoD contractor does not have to spend time or money implementing that capability in the cloud. This is the concept of shared responsibility. 

In a shared responsibility model, some security controls and requirements must be fully satisfied by the CSP, others must be fully satisfied by the customer, and others have a shared responsibility between the CSP and customer. 

So while you won’t inherit 100% of the security from a CSP, they will fulfill some CMMC requirements for you. For example, a CSP typically offers a broad range of inheritable controls and processes, such as:

  • physical security media protection
  • equipment maintenance
  • domain protection
  • patch and configuration management
  • continuous auditing
  • prevention measures
  • API automation
  • software updates
  • data backups and storage

Each CSP will have a unique shared responsibility matrix and it’s important that your organization understands which controls and requirements are covered by the CSP and which are covered by your organization. CMMC advises that you obtain this customer responsibility matrix in writing from your provider.

By leveraging cloud services that are FedRAMP-authorized (or provide a similar body of evidence to what would have been created as part of the FedRAMP process), your organization can benefit from pre-built solutions designed to meet CMMC requirements. This is particularly beneficial if you’re a small to medium-sized business that lacks the knowledge and experience of resource-rich providers like Amazon and Microsoft.

If you’re looking to reduce the cost, time, and risk of being able to satisfy CMMC requirements, then you should evaluate AWS GovCloud, AWS Secret Cloud, Azure Government, and Google Cloud. Below are the steps to get access to these top government cloud service providers.

How to get access to AWS GovCloud

AWS GovCloud (US) is an isolated cloud region designed to host all types of CUI and unclassified data for verified US government agencies and entities. It’s compliant with numerous regulatory frameworks, including FedRAMP, CJIS, and International Traffic in Arms Regulations (ITAR).

You can follow the steps below to get access.

Step 1: Verify eligibility

AWS GovCloud is available to US government agencies and contractors. To qualify, your organization must be a US-based entity with US persons managing the environment.

Step 2: Request access

To begin the process, visit the AWS GovCloud (US) page and fill out the Contact Us form. An AWS business representative will review the form and get in touch. 

Qualified customers can also request access to AWS GovCloud (US) from the AWS Management Console of a standard AWS account. AWS will review your request and, if approved, guide you through the onboarding process.

Step 3: Sign a contract

To gain access, you must sign a customer agreement and an agreement specific to AWS GovCloud (US).

Step 4: Create an IAM User 

You cannot access AWS GovCloud (US) with standard AWS credentials. You must have AWS GovCloud (US) IAM user credentials. Only the account owner (also known as the root user) or an IAM administrator within the AWS GovCloud (US) account can create IAM users and provide the appropriate credentials. 

The steps for creating an IAM user vary based on whether you’re a solution provider or account owner. These can be found in the AWS GovCloud (US) User Guide.

How to get access to AWS Secret Cloud

AWS Secret Cloud is a highly secure and scalable cloud environment for workloads classified as secret by the US government. It’s tailored for the US Intelligence Community, Department of Defense, federal civilian agencies, defense industrial base and supporting organizations working with classified information. It meets DoD Cloud Computing Security Requirements Guide Impact Level 6 and Intelligence Community Directive (ICD) 503 requirements.

You can follow the steps below to get access.

Step 1: Understand the requirements

AWS Secret Cloud is only available to organizations with specific US government contracts that require a classified environment. Access is highly restricted and typically involves working closely with the government agency you’re contracting with.

Step 2: Request access

There is less public information about AWS Secret Cloud available than AWS GovCloud (US). You’ll have to visit the AWS Secret Cloud page and fill out the Contact Us form to learn more and request access. 

Step 3: Coordinate with the US Government

If your project requires the use of AWS Secret Cloud, you’ll need to work directly with your sponsoring government agency. They will guide you through the necessary steps, including security clearance requirements and access procedures.

How to get access to Azure Government

Azure Government is a cloud platform built to meet the rigorous security and compliance requirements of US government agencies. It provides compliance with various regulations, including FedRAMP High, DFARS Clause 252.204-7012, CJIS, and ITAR.

You can follow the steps below to get access.

Step 1: Verify eligibility

Azure Government is available to US government entities and their partners. Like AWS GovCloud, it is restricted to US-based entities managed by US persons.

Step 2: Submit a request for access

To gain access to Azure Government, visit the Azure Government page and fill out the form to initiate the process. Microsoft will review your eligibility and, if approved, proceed with the onboarding process.

You may also apply for a free trial to get started.

Step 3: Connect to Azure Government

There are multiple ways you can connect to Azure Government, including the Azure Government portal, Azure CLI, and Powershell. Microsoft provides detailed guides for each of these methods. 

Step 4: Use Azure Blueprints

Microsoft offers Azure Blueprints for CMMC, which are pre-configured templates that help you quickly set up a compliant environment. These blueprints simplify the process of meeting CMMC requirements by explaining how Azure Government services and features can be deployed to implement a subset of security controls that are the customer’s responsibility.

Similar to AWS, Microsoft also offers Azure Government Secret for classified data. The steps to get access are similar to the steps outlined above. 

How to get access to Google Cloud

Google Cloud is another cloud platform built to meet the U.S. government’s most stringent security standards. In addition to being authorized at FedRAMP High, Google has sought NIST SP 800-171 assessments, including a CMMC readiness assessment in October 2023, in order to prepare for an official CMMC Level 2 assessment once CMMC 2.0 is final.

Unlike AWS and Azure, Google does not offer isolated “government clouds.” Instead, Google Cloud has obtained Impact Level 5 authorization across a growing set of services in its commercial cloud and is committed to certifying its entire U.S. cloud infrastructure at IL 5. The goal is to enable all users, including those in the public sector, to benefit from Google Cloud’s reliability, scalability, and innovation. 

However, that means organizations pursuing CMMC compliance must use regions and data centers in the US only. The good news is Google Cloud offers the market’s most comprehensive cloud service portfolio for U.S. public sector clients, encompassing nine supported regions and 28 zones. 

Getting access to Google Cloud is simple. All you need to do is create a Google Cloud account and then you can start your platform setup

Key considerations when using government cloud service providers

When using a government cloud provider like AWS GovCloud, AWS Secret Cloud, Azure Government, or Google Cloud and trying to achieve and maintain CMMC compliance, consider the following:

  • Data sovereignty: Ensure that your data remains within the US and is managed by US persons to meet CMMC and other regulatory requirements.
  • Access control: Implement strict access controls to limit who can access sensitive information, in line with CMMC requirements.
  • Continuous monitoring: Use the monitoring tools provided by AWS and Azure to continuously assess and maintain compliance with CMMC standards.
  • Documentation: Maintain thorough documentation of your cloud environment’s configuration, security measures, and compliance status to streamline the CMMC assessment process.

FAQs

Can a cloud service provider meet some CMMC requirements for you?

Yes, some of the CMMC requirements can be satisfied by a cloud service provider (CSP). In the shared responsibility model, many baseline security controls (such as physical security, network infrastructure security, and some access controls) are typically handled by the CSP.

For example, CMMC requires certain safeguards for data storage and transmission. If you're using a CSP that complies with specific standards like FedRAMP or NIST SP 800-171, those standards might align with CMMC controls. The CSP may already meet certain CMMC requirements regarding infrastructure security, but the customer is still responsible for configuring and managing their systems in a secure manner to fulfill the rest of the CMMC obligations.

How do you know which CMMC requirements have been met by your CSP?

Each CSP will have a unique shared responsibility matrix and it’s important that your organization understands which controls and requirements are covered by the CSP and which are covered by your organization. CMMC advises that you obtain this customer responsibility matrix in writing from your provider.