
Choosing the Right Cloud Environment for DoD Contractors

FSOGuide


EXECUTIVE BRIEF

Choosing a cloud environment is no longer an IT preference. It is a compliance and contract eligibility decision.

Dig deeper below to learn:

  • What “CUI-safe cloud” actually means for Department of Defense (DoD, also referred to as the Department of War) contractors
  • Which cloud environments are commonly used when Controlled Unclassified Information (CUI) is in scope
  • Why scope definition matters more than the platform name
  • How to avoid expanding your Cybersecurity Maturity Model Certification (CMMC) assessment boundary unnecessarily

The real question: where does CUI live?

Most cloud mistakes start with the wrong framing.

The question is not: “Which cloud is best?”

The real question is: “Where does CUI live, and how do we contain it?”

If your organization processes, stores, or transmits CUI, your cloud environment must support:

  • Enforced access controls
  • Centralized logging and monitoring
  • Evidence collection for assessments
  • Clear system boundaries tied to your System Security Plan (SSP)

Anything else increases risk.

Why “CUI-safe” matters

DoD evaluates cloud services using the Cloud Computing Security Requirements Guide (CC SRG) and associated Impact Levels (ILs).

You do not need to memorize Impact Levels to make a good decision, but you do need to understand this:

Not all cloud environments are appropriate for CUI.

Commercial tenants designed for general business use frequently fail because:

  • Identity and access controls are loosely enforced
  • Audit logging is incomplete or not retained
  • CUI spreads into email, chat, and file shares without controls

Once CUI enters an unsafe environment, your entire tenant may fall into scope.

Cloud environments commonly used for CUI

We generally see contractors choose from three defensible paths when CUI is involved.

1) Government Community Cloud High (GCC High)

GCC High is widely used when Microsoft 365 is the primary collaboration platform for CUI.

Why teams choose it:

  • Built to support government workloads
  • Aligns better with DoD expectations for sensitive data
  • Commonly accepted by prime contractors

Important reality check:
GCC High does not make you compliant by default. You are still responsible for configuration, policy enforcement, monitoring, and evidence.

2) Amazon Web Services (AWS) GovCloud

AWS GovCloud is often used for hosting applications, infrastructure, and enclaves that support CUI workflows.

Strong fit when:

  • You need infrastructure-level control
  • You are hosting applications that process CUI
  • You want to isolate CUI from collaboration tools

Like any platform, compliance depends on how controls are implemented and maintained.

3) A dedicated CUI enclave

A CUI enclave is a scoped environment designed specifically to contain CUI and limit assessment scope.

Why enclaves work:

  • Smaller assessment boundary
  • Reduced operational disruption
  • Easier evidence management during CMMC Level 2 assessments
  • Potentially lower compliance costs by limiting CUI-related controls, tooling, and assessment effort to a defined subset of users and systems

Common mistake: Building an enclave but allowing CUI to leak back into non-enclave tools through email, file sharing, or unmanaged devices.

Purpose-built secure collaboration platforms (limited CUI scope)

Some contractors use purpose-built secure collaboration platforms to contain CUI when exposure is limited to messaging and file sharing.

Platforms such as Prevail are typically used to:

  • Keep CUI out of commercial email and chat tools
  • Support encrypted messaging and file exchange for specific programs
  • Reduce CUI sprawl across broader cloud tenants

These platforms are not full cloud environments and do not replace GCC High, AWS GovCloud, or a dedicated CUI enclave for systems, applications, or infrastructure. They are most effective when CUI workflows are narrow, well-defined, and supported by strong identity, device, and governance controls as part of a broader CMMC strategy.

FedRAMP is required, but it is not the finish line

Federal Risk and Authorization Management Program (FedRAMP) authorization, or a documented equivalency, is contractually required under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 when CUI is stored, processed, or transmitted in a cloud service provider’s system.

For contractors handling CUI, priority should be given to FedRAMP Moderate–authorized cloud service providers at a minimum. FedRAMP Moderate aligns with the baseline security expectations commonly associated with CUI and is frequently referenced in DoD contracting and guidance.

That said, FedRAMP authorization does not equal full compliance.

FedRAMP:

  • Assesses the cloud service provider’s controls
  • Does not configure your tenant
  • Does not implement your policies
  • Does not generate assessment evidence for you

Your organization remains responsible for control implementation, enforcement, monitoring, and documentation required for CMMC assessments.

A quick decision checklist

Before committing to a cloud environment, ask:

CUI scope

  • Do we know exactly which users, systems, and workflows touch CUI?
  • Can we keep CUI out of general-purpose collaboration tools?

Assessment impact

  • Are we comfortable defending this boundary to an assessor or prime?
  • Does this environment simplify or expand evidence collection?

Operational reality

  • Do we have the resources to manage identity, logging, and monitoring continuously?
  • Can we enforce controls without slowing mission-critical work?

Where contractors get burned

We most often see issues when organizations:

  • Assume GCC High or GovCloud equals automatic compliance
  • Migrate before defining scope
  • Let CUI sprawl across tools and devices
  • Discover too late that their assessment boundary is far larger than expected

FAQ

Is GCC High required for CMMC Level 2?

No. CMMC does not mandate a specific cloud provider. However, GCC High is commonly selected when Microsoft 365 collaboration tools are in scope for CUI, because it aligns more closely with government workload expectations.

Can we use commercial cloud if we only “occasionally” handle CUI?

That is risky. Even limited CUI exposure can pull an entire environment into scope. If CUI can appear in email, chat, or file storage, a CUI-safe environment or enclave is usually the safer option.

Does FedRAMP authorization mean our cloud is compliant?

No. FedRAMP applies to the cloud service provider, not your implementation. You must still configure controls, enforce policies, and produce evidence during assessments.

Are enclaves only for small contractors?

No. Enclaves are used by organizations of all sizes. They are a scope management strategy, not a maturity indicator.

What is the most defensible first step?

Map CUI data flows first. Once you understand where CUI lives and how it moves, the right cloud environment usually becomes obvious.

