CMMC Level 2 readiness on AWS
We help defense contractors implement NIST 800-171 controls on AWS and pass their CMMC assessment the first time. Not just documentation. Working controls.
Most CMMC consultants stop at the spreadsheet
They can write an SSP and identify your gaps, but they cannot implement the technical controls in your AWS environment. You end up with a remediation list and no one to execute it.
We do both. We assess your environment against all 110 NIST 800-171 requirements, implement the technical controls directly in AWS, and produce the documentation your assessor needs. Gap analysis, remediation, and evidence. One team.
If your organization handles CUI on a DoD contract and you have not started preparing, the CMMC 2.0 final rule is in effect and requirements are appearing in contracts now. Most organizations need 6 to 18 months of preparation. The sooner you scope and assess, the more time you have to remediate.
OUR PROCESS
From gap analysis to assessment day
Assess
Full gap analysis against NIST 800-171 Rev 2, mapping all 110 requirements to your current AWS environment. You get a scored baseline and a prioritized remediation plan.
Remediate
We implement the technical controls in your AWS environment: IAM policies, encryption, logging, network segmentation, and monitoring. Every change is tracked and tied to a specific control.
Document
We produce your SSP, POA&M, and evidence packages mapped to each control family. When your C3PAO arrives, the documentation is ready and the controls are already running.
WHY AWS
NIST 800-171 controls, implemented on AWS
AWS provides native services that map directly to CMMC control families. We configure and harden these services so your controls are running, not just documented.
Access control (AC)
IAM Identity Center, SCPs, IAM Access Analyzer
Least-privilege IAM policies, MFA enforcement, session controls, and federated access through your identity provider.
Audit and accountability (AU)
CloudTrail, CloudWatch, Security Hub
Multi-region audit logging with integrity validation, automated log review, and centralized findings in Security Hub.
System and communications protection (SC)
KMS, VPC, PrivateLink, ACM
FIPS 140-2 validated encryption at rest and in transit, VPC segmentation, private subnets, and VPC endpoints for AWS services.
Risk assessment (RA)
GuardDuty, Inspector, Config
Continuous vulnerability scanning, threat detection across all regions, and drift detection with automated remediation.
Configuration management (CM)
Config, Systems Manager, Terraform
Infrastructure as code for baseline enforcement, automated patching, and continuous configuration compliance monitoring.
System and information integrity (SI)
GuardDuty, Macie, Inspector
Malicious code protection, CUI data discovery with Macie, and automated flaw remediation through patching pipelines.
WHAT WE FIND
Common gaps we see in every assessment
These are the issues that delay assessments and cost organizations months of rework. We fix them before your C3PAO arrives.
MFA not enforced everywhere
MFA is required for all remote access and all privileged accounts. Legacy systems and service accounts are often exceptions that assessors will flag.
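Two offline checks that surface this gap, as an added example (not the page's or the firm's own tooling): the first inspects an IAM policy document for a deny-unless-MFA statement, the second walks rows modelled on the IAM credential report to list console users without an MFA device and access-key-only identities that such a policy cannot cover. The policy and the CSV rows are constructed samples; the column names follow the credential report but only a subset is used.

```python
"""MFA enforcement checks for NIST 800-171 3.5.3-style requirements (added example).

Runs offline on constructed inputs: an IAM policy document and a CSV modelled
on the IAM credential report. Nothing here calls AWS.
"""
import csv
import io
import json

# Constructed policy: deny every action except MFA self-service when the caller
# has no MFA in the session. BoolIfExists also catches requests that carry no
# MFA context key at all.
MFA_DENY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/NotAction/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def policy_enforces_mfa(policy: dict) -> bool:
    """True if some statement denies (nearly) everything when MFA is absent."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        # Either the Bool or the BoolIfExists form tests for an absent MFA.
        flags = {**cond.get("Bool", {}), **cond.get("BoolIfExists", {})}
        if str(flags.get("aws:MultiFactorAuthPresent", "")).lower() != "false":
            continue
        broad = "NotAction" in stmt or "*" in _as_list(stmt.get("Action", []))
        if broad and "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False


# Constructed rows in the shape of the IAM credential report (subset of columns).
CREDENTIAL_REPORT = """user,password_enabled,mfa_active,access_key_1_active
<root_account>,not_supported,true,false
alice,true,true,false
bob,true,false,true
ci-deployer,false,false,true
"""


def users_without_mfa(report_csv: str) -> list:
    """Console-enabled users with no MFA device; these are what assessors flag."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"]


def keys_without_console(report_csv: str) -> list:
    """Access-key-only identities (service accounts). An MFA-deny policy cannot
    cover them, so each needs a documented compensating control or migration
    to short-lived role credentials."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows
            if r["password_enabled"] == "false" and r["access_key_1_active"] == "true"]


if __name__ == "__main__":
    print("policy enforces MFA:", policy_enforces_mfa(MFA_DENY_POLICY))
    print("console users without MFA:", users_without_mfa(CREDENTIAL_REPORT))
    print("key-only identities to document:", keys_without_console(CREDENTIAL_REPORT))
```

The two report queries are deliberately separate: the first list is a straightforward finding, while the second is the "service account exception" the passage warns about, which needs an entry in the POA&M rather than a policy change.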
FIPS encryption gaps
Standard TLS is not sufficient. CUI must be encrypted using FIPS 140-2 validated modules. AWS supports this, but it requires using FIPS endpoints and customer-managed KMS keys.
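An added example (not the page's own code) of checking both halves of this gap offline: whether a workload's configured SDK endpoints are FIPS endpoints, and whether each S3 bucket's default encryption uses a customer-managed KMS key rather than SSE-S3 or the AWS-managed key. The endpoint URLs and bucket configurations are constructed samples; the hostname pattern for FIPS endpoints and the dictionary shape (as returned by GetBucketEncryption) are assumptions about AWS conventions, so adjust them to what your account actually returns.

```python
"""Offline FIPS endpoint and KMS key-ownership checks (added example).

Inputs are constructed: endpoint URLs a workload is configured with and S3
bucket encryption configurations in the GetBucketEncryption shape. No AWS
calls are made.
"""
import re
from urllib.parse import urlparse

# Assumption: FIPS endpoints use the <service>-fips.<region>.amazonaws.com form.
FIPS_HOST = re.compile(r"^[a-z0-9.-]*-fips\.[a-z0-9-]+\.amazonaws\.com$")


def is_fips_endpoint(url: str) -> bool:
    """True when the URL's hostname matches the FIPS endpoint naming pattern."""
    host = (urlparse(url).hostname or "").lower()
    return bool(FIPS_HOST.match(host))


def non_fips_endpoints(urls) -> list:
    """Endpoints that would carry CUI over a non-FIPS TLS stack."""
    return [u for u in urls if not is_fips_endpoint(u)]


# Constructed bucket configurations (one rule each, as S3 returns them).
BUCKET_ENCRYPTION = {
    "cui-docs": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-gov-west-1:111122223333:key/EXAMPLE-KEY-ID"}}]},
    "logs": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"}}]},
    "scratch": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms"}}]},
}


def key_class(config: dict) -> str:
    """Classify a bucket's default encryption.

    AES256 is SSE-S3 (no KMS key). aws:kms with no key id, or with the
    alias/aws/* alias, means the AWS-managed key; anything else is treated as
    a customer-managed key.
    """
    rule = config["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    algo = rule.get("SSEAlgorithm", "")
    if not algo.startswith("aws:kms"):
        return "sse-s3"
    key_id = rule.get("KMSMasterKeyID", "")
    if not key_id or "alias/aws/" in key_id:
        return "aws-managed-kms"
    return "customer-managed-kms"


def buckets_needing_remediation(configs: dict) -> dict:
    """Buckets whose default key is not customer-managed, with the reason."""
    return {name: key_class(cfg) for name, cfg in configs.items()
            if key_class(cfg) != "customer-managed-kms"}


if __name__ == "__main__":
    sample_urls = ["https://kms-fips.us-gov-west-1.amazonaws.com",
                   "https://s3.us-east-1.amazonaws.com"]
    print("non-FIPS endpoints:", non_fips_endpoints(sample_urls))
    print("buckets to remediate:", buckets_needing_remediation(BUCKET_ENCRYPTION))
```

The bucket check only looks at the default encryption rule; objects uploaded with an explicit per-request SSE header can still differ, so the finding is a starting point for the evidence package, not proof that every object is covered.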
Audit logs collected but not reviewed
Collecting CloudTrail logs is not enough. You need documented evidence that logs are regularly reviewed for anomalies: automated alerting plus periodic manual review, with a record of what was reviewed and when.
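What "automated review" looks like in practice, as an added example (not the page's own tooling): a handful of review rules run over CloudTrail records and emitting findings that can be filed as evidence. The events below are constructed samples in the CloudTrail JSON record layout (eventName, eventSource, userIdentity, additionalEventData, responseElements, errorCode are real record fields; every value is invented), and the rule set and its threshold are assumptions you would tune to your environment.

```python
"""Automated CloudTrail review rules (added example, constructed data).

Each rule yields a finding so the output can be kept as evidence that logs
were reviewed. Run it over a day's worth of records exported from your trail.
"""

# Constructed sample records; only the fields the rules read are present.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventTime": "2024-05-01T02:14:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e2", "eventTime": "2024-05-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e3", "eventTime": "2024-05-01T09:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "e4", "eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "AssumedRole", "userName": "app-role"}},
    {"eventID": "e5", "eventTime": "2024-05-01T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    {"eventID": "e6", "eventTime": "2024-05-01T11:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    {"eventID": "e7", "eventTime": "2024-05-01T11:00:09Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    {"eventID": "e8", "eventTime": "2024-05-01T12:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DisableKey", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

# Actions that weaken the audit trail or the keys protecting CUI (assumed rule set).
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
KEY_TAMPER = {"DisableKey", "ScheduleKeyDeletion", "DeleteAlias"}


def _actor(event: dict) -> str:
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def review(events, denied_threshold: int = 3) -> list:
    """Apply the review rules and return one finding dict per hit."""
    findings = []
    denied = {}  # actor -> eventIDs with AccessDenied
    for ev in events:
        name, src, actor = ev.get("eventName"), ev.get("eventSource"), _actor(ev)
        hit = lambda rule: findings.append({"rule": rule, "actor": actor, "eventID": ev["eventID"]})
        # Root should not be used day to day; any use is reviewed by a person.
        if ev.get("userIdentity", {}).get("type") == "Root":
            hit("root-activity")
        # A successful console login without MFA contradicts the MFA control.
        if (name == "ConsoleLogin"
                and ev.get("additionalEventData", {}).get("MFAUsed") == "No"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"):
            hit("console-login-without-mfa")
        if src == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
            hit("trail-tampering")
        if src == "kms.amazonaws.com" and name in KEY_TAMPER:
            hit("kms-key-tampering")
        if ev.get("errorCode") == "AccessDenied":
            denied.setdefault(actor, []).append(ev["eventID"])
    # Repeated denials from one identity suggest probing or a broken deployment.
    for actor, ids in denied.items():
        if len(ids) >= denied_threshold:
            findings.append({"rule": "access-denied-burst", "actor": actor, "eventID": ",".join(ids)})
    return findings


def summarize(findings) -> dict:
    """Counts per rule, the line an evidence log would record for the review run."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review(SAMPLE_EVENTS):
        print(f"{f['rule']:28} actor={f['actor']:10} events={f['eventID']}")
    print(summarize(review(SAMPLE_EVENTS)))
```

Routing these findings to a ticket or Security Hub is the automated half; the periodic manual review is the person who closes each finding and records why, which is the part assessors ask to see.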
CUI boundaries not defined
Every system that touches CUI is in scope. Without clear network segmentation and data flow mapping, your assessment scope expands to your entire environment.
Incident response never tested
An incident response plan on paper is not sufficient. Assessors will ask for evidence of tabletop exercises or simulated incidents. Most organizations skip this.
What you get
- Gap analysis report scored against all 110 NIST 800-171 requirements
- System Security Plan (SSP) mapped to your AWS environment
- Plan of Action and Milestones (POA&M) with owners and timelines
- Evidence packages organized by control family
- CUI boundary documentation and data flow diagrams
- Continuous monitoring configuration (Security Hub, Config, GuardDuty)
Want to learn more before reaching out? Read our practical guide to CMMC Level 2 readiness for scoping, evidence collection, and assessment preparation details.
