CMMC Level 2 Cloud Infrastructure: Our Approach

Updated March 2026 · 7 min read

CMMC Level 2 covers the 110 security requirements from NIST SP 800-171 Rev 2, and it's the threshold requirement for most defense industrial base (DIB) contractors handling Controlled Unclassified Information (CUI). With C3PAO (third-party assessor organization) assessments now required for many contracts, passing on the first attempt matters — remediation delays mean lost contract opportunities.

The difference between programs that pass and those that don't almost always comes down to whether security was built into the infrastructure from the start, or bolted on afterward.

Here's how Rutagon architects CMMC Level 2-compliant cloud environments — and what makes the engineering approach different from a compliance checkbox exercise.

What CMMC Level 2 Actually Requires

CMMC 2.0 Level 2 aligns directly with the 110 security requirements in NIST SP 800-171 Rev 2, organized across 14 domains:

  • Access Control (22 requirements)
  • Awareness and Training (3 requirements)
  • Audit and Accountability (9 requirements)
  • Configuration Management (9 requirements)
  • Identification and Authentication (11 requirements)
  • Incident Response (3 requirements)
  • Maintenance (6 requirements)
  • Media Protection (9 requirements)
  • Personnel Security (2 requirements)
  • Physical Protection (6 requirements)
  • Risk Assessment (3 requirements)
  • Security Assessment (4 requirements)
  • System and Communications Protection (16 requirements)
  • System and Information Integrity (11 requirements)

The cloud infrastructure must address the technical controls across these domains — not just document them. An assessor from a C3PAO will be testing whether controls are actually implemented, not just described in the SSP.

The Architecture Approach: Control Mapping From Day One

Every CMMC Level 2 control that has a cloud infrastructure expression gets implemented in Terraform. This means the compliance posture is verifiable, reproducible, and auditable from a single source of truth.

Access Control (AC domain)

The 22 AC requirements drive the identity and access architecture. The key building blocks:

Least privilege enforcement — IAM roles are scoped to the minimum permissions required for each workload. No IAM users with console access in production. All human access via federated identity (SSO) with just-in-time privilege elevation for administrative functions.

# AC-2, AC-3, AC-6: Role-based access with least privilege
variable "environment" { type = string }
# Trust policy for the role (the EC2 service principal is assumed for illustration)
data "aws_iam_policy_document" "app_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "application_role" {
  name               = "${var.environment}-app-role"
  assume_role_policy = data.aws_iam_policy_document.app_assume_role.json
  tags = {
    Environment       = var.environment
    ComplianceControl = "AC-2, AC-3, AC-6"
  }
}

MFA enforcement — AWS IAM Identity Center (formerly SSO) enforces MFA for all human access. MFA is not optional, and the enforcement is architectural — there is no path to console or API access that bypasses it.

Session management (AC-11, AC-12) — Session timeouts and re-authentication requirements are enforced at the identity provider level, not on individual applications.

Audit and Accountability (AU domain)

The 9 AU requirements demand comprehensive logging. The standard Rutagon implementation:

  • CloudTrail: Organization-level trail capturing all API calls across all accounts and regions
  • VPC Flow Logs: Network traffic logging for all VPCs in scope
  • Application logging: Structured JSON logs from all application components, shipped to a centralized, tamper-evident log archive
  • Log retention: Minimum 3 years retained (90 days immediately accessible, balance in cold storage)
  • Log integrity: CloudTrail log file validation enabled; log archive in a separate, write-once account

The log archive account has no cross-account delete permissions from the application accounts — ensuring logs cannot be tampered with even in a compromise scenario.

Configuration Management (CM domain)

The 9 CM requirements are addressed through the IaC pipeline:

  • Baseline configuration (CM-2): Terraform represents the authoritative baseline configuration. Drift from this baseline is detected and alerted within 4 hours via AWS Config.
  • Configuration change control (CM-3): All changes flow through the GitLab pipeline with mandatory peer review and automated security scanning before merge.
  • Least functionality (CM-7): Security groups allow only the specific ports required for functionality. All other traffic is denied. Inbound 0.0.0.0/0 is prohibited in production.

Identification and Authentication (IA domain)

The 11 IA requirements map to the identity infrastructure:

  • Authenticator management (IA-5): No static credentials anywhere in the system. Service-to-service authentication via OIDC-federated IAM roles. Human authentication via AWS IAM Identity Center with MFA enforcement.
  • Password management: Organizational passwords managed in a secrets management system, never stored in code repositories.
  • Multi-factor authentication (IA-3): Enforced universally across all privileged access paths.

See our detailed breakdown of OIDC and eliminating secrets in AWS for the technical implementation.

The CUI Boundary: Data Sovereignty in Cloud

CMMC Level 2 applies to systems that process, store, or transmit CUI. The cloud architecture must define and enforce the CUI boundary:

  • Data classification tagging: All S3 buckets, databases, and storage resources processing CUI are tagged with the appropriate classification label
  • Encryption at rest: AES-256 encryption using AWS KMS customer-managed keys for all CUI datastores
  • Encryption in transit: TLS 1.2 minimum enforced through load balancer TLS policies, with security groups limiting ingress to the TLS ports; TLS 1.3 preferred
  • Data loss prevention: AWS Macie for automated CUI identification and protection monitoring in S3
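Both the CM-7 rule above (no inbound 0.0.0.0/0 in production) and the CUI boundary requirements (classification tags, customer-managed KMS keys at rest) can be checked against the Terraform plan before anything is applied. The following is an added example, not Rutagon's code: it walks the JSON produced by `terraform show -json plan.out` and returns findings per resource. The plan below is a constructed sample, and the `DataClassification` tag name and the KMS-key check are assumptions.

```python
# Constructed sample in the shape of `terraform show -json plan.out` (only the fields read below)
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group_rule.https", "type": "aws_security_group_rule",
     "values": {"type": "ingress", "from_port": 443, "to_port": 443,
                "cidr_blocks": ["0.0.0.0/0"]}},
    {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule",
     "values": {"type": "ingress", "from_port": 22, "to_port": 22,
                "cidr_blocks": ["10.0.0.0/8"]}},
    {"address": "aws_s3_bucket.cui_docs", "type": "aws_s3_bucket",
     "values": {"bucket": "prod-cui-docs", "tags": {"DataClassification": "CUI"}}},
    {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
     "values": {"bucket": "prod-assets", "tags": {}}},
    {"address": "aws_s3_bucket_server_side_encryption_configuration.cui_docs",
     "type": "aws_s3_bucket_server_side_encryption_configuration",
     "values": {"bucket": "prod-cui-docs", "rule": [{
         "apply_server_side_encryption_by_default": [{"sse_algorithm": "AES256"}]}]}},
]}}}


def planned_resources(plan):
    """Flatten planned resources from the root module and every child module."""
    def walk(mod):
        yield from mod.get("resources", [])
        for child in mod.get("child_modules", []):
            yield from walk(child)
    return list(walk(plan["planned_values"]["root_module"]))


def check_plan(plan, environment):
    """Return (control, resource address, message) findings for a plan dict."""
    res = planned_resources(plan)
    sse = {r["values"].get("bucket"): r["values"] for r in res
           if r["type"] == "aws_s3_bucket_server_side_encryption_configuration"}
    findings = []
    for r in res:
        v = r["values"]
        if r["type"] == "aws_security_group_rule" and v.get("type") == "ingress":
            # CM-7: no inbound rule may be open to the whole internet in production
            if environment == "production" and "0.0.0.0/0" in (v.get("cidr_blocks") or []):
                findings.append(("CM-7", r["address"], f"ingress {v['from_port']}-{v['to_port']} open to 0.0.0.0/0"))
        elif r["type"] == "aws_s3_bucket":
            label = (v.get("tags") or {}).get("DataClassification")  # tag name is an assumption
            if label is None:
                findings.append(("CUI boundary", r["address"], "no DataClassification tag"))
            elif label == "CUI":
                rule = (sse.get(v.get("bucket"), {}).get("rule") or [{}])[0]
                default = (rule.get("apply_server_side_encryption_by_default") or [{}])[0]
                # Encryption at rest: CUI data must use a customer-managed KMS key, not SSE-S3
                if default.get("sse_algorithm") != "aws:kms" or not default.get("kms_master_key_id"):
                    findings.append(("Encryption at rest", r["address"], "CUI bucket lacks customer-managed KMS encryption"))
    return findings
```

For a real plan, load the file with `json.load` and pass the resulting dict to `check_plan`; a non-empty result is a pipeline failure before merge.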

For most defense contractor workloads, CMMC Level 2 work can run on AWS GovCloud (US) without IL4/IL5 requirements — GovCloud provides the physical separation, US-person access controls, and FedRAMP High authorization baseline that satisfies the CUI handling requirements.

What C3PAO Assessors Actually Check

In a C3PAO assessment for CMMC Level 2, assessors will:

  • Request evidence: Screenshots aren't sufficient. Assessors want API output, configuration exports, and automated report outputs that demonstrate control implementation
  • Test controls: Access control tests (attempting access without proper authorization), configuration validation (verifying hardened configurations match documented baselines)
  • Interview system owners: Asking how controls work, who manages them, and how exceptions are handled
  • Review the SSP: The System Security Plan must accurately describe the system boundary, data flows, and control implementation — and match what's actually deployed

The SSP that references Rutagon-built infrastructure is supported by Terraform state files, Config compliance reports, and CloudTrail evidence that assessors can directly validate. This is the difference between a compliant posture that can be demonstrated and a compliant posture that can only be described.

Also see our earlier work on CMMC security architecture approach and automated CMMC evidence collection.

Frequently Asked Questions

What is required for CMMC Level 2 certification?

CMMC Level 2 requires implementation of all 110 security requirements from NIST SP 800-171 Rev 2 across 14 practice domains. For most DoD contracts involving CUI, a third-party assessment by a DoD-approved C3PAO is required — self-attestation is not sufficient. Organizations must pass the C3PAO assessment to receive CMMC Level 2 certification. Certification is valid for 3 years, with annual affirmations required.

Can CMMC Level 2 workloads run on AWS commercial cloud?

CMMC Level 2 workloads can run on AWS commercial cloud if the implementation satisfies the 110 NIST 800-171 controls. AWS GovCloud (US) is generally preferred for CUI because it provides physical separation from non-US-government workloads, US-person-only access, and built-in FedRAMP High authorization. The choice between commercial and GovCloud depends on the specific CUI categories handled and any contract-specific requirements.

How long does it take to prepare for a CMMC Level 2 C3PAO assessment?

Preparation time varies significantly based on starting posture. Organizations with no existing compliance baseline may need 12–24 months to implement all 110 controls, document them in an SSP, and achieve evidence maturity. Organizations with FedRAMP Moderate or NIST 800-171 compliance already in place can often prepare for C3PAO assessment in 3–6 months. Building to CMMC from the start (rather than retrofitting) is substantially faster and cheaper.

What are the most commonly failed CMMC Level 2 controls?

The most commonly cited deficiencies in CMMC Level 2 assessments involve: IA-3 (multi-factor authentication not universally enforced), AC-2 (inadequate account management — stale accounts, excessive permissions), CM-3 (undocumented configuration changes), AU-9 (audit log integrity not protected), and SI-7 (software and firmware integrity verification). Controls that require architectural implementation (not just policy) are harder to retrofit — which is why building compliant architecture from the start is critical.

Does Rutagon provide CMMC Level 2 assessment support?

Rutagon builds the cloud infrastructure and DevSecOps pipelines that enable CMMC Level 2 compliance — we engineer systems designed to pass C3PAO assessment, not help organizations interpret what's required. Our deliverables include IaC-defined compliant infrastructure, automated evidence collection systems, and SSP documentation that accurately reflects the deployed system. Contact Rutagon to discuss your CMMC timeline and technical requirements.