
CMMC Compliance: Our Security Architecture Approach

February 26, 2026 · 7 min read

The Cybersecurity Maturity Model Certification (CMMC) is not a compliance checklist you satisfy once and file away. It is an ongoing security posture that the Department of Defense requires of every contractor handling Controlled Unclassified Information (CUI). Rutagon's CMMC security architecture approach treats these controls as engineering requirements — implemented in infrastructure, enforced through automation, and auditable at any point in time.

CMMC Level 2 maps directly to the 110 security practices in NIST SP 800-171. Rutagon implements these practices across our internal infrastructure and builds them into the systems we deliver for defense clients. This article describes what we do — the architecture decisions, the tooling, and the operational processes. It is an account of our own practice, not a guide for others to follow.

Access Control: Zero Trust by Default

CMMC Domain AC (Access Control) requires limiting system access to authorized users, processes, and devices. Rutagon implements this through a zero-trust architecture where no identity — human or machine — is trusted by default.

Identity federation with OIDC. Rutagon operates with zero long-lived credentials across all AWS accounts. Human access uses SSO through AWS IAM Identity Center with MFA enforced. Machine access — CI/CD pipelines, automated processes — authenticates through OIDC federation with short-lived session tokens. No IAM access keys exist in our environment.

Least-privilege IAM policies. Every role is scoped to the minimum permissions required for its function. Deploy roles can only modify resources in their designated account. Read-only roles for monitoring cannot modify infrastructure. We audit IAM policies with automated tooling that flags overly permissive statements — any policy with "Action": "*" or "Resource": "*" is rejected.
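The automated policy audit described above, as an added illustration rather than Rutagon's own tooling: a Python check over an IAM policy document that rejects Allow statements carrying a wildcard Action or Resource. The sample policy, account id and Sids are constructed; skipping Deny statements (where a wildcard restricts rather than grants) and flagging NotAction/NotResource are refinements beyond what the article states.

```python
import json

# Constructed sample policy (not from the article): one correctly scoped
# statement, one over-broad Allow, and a Deny guardrail that uses "*" on purpose.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DeployOnly", "Effect": "Allow",
     "Action": ["ecs:UpdateService", "ecs:RegisterTaskDefinition"],
     "Resource": "arn:aws:ecs:us-east-1:111122223333:service/app/*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "NoKeyDeletion", "Effect": "Deny",
     "Action": "kms:ScheduleKeyDeletion", "Resource": "*"}
  ]
}
""")

def _as_list(value):
    """IAM accepts a bare string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def find_overly_permissive(policy):
    """Return (Sid, field) pairs for Allow statements that grant "*" on Action
    or Resource. Deny statements are skipped because a broad Deny restricts
    rather than grants. NotAction/NotResource are flagged as well: an Allow on
    "everything except X" is a wildcard grant in disguise."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"Statement[{i}]")
        if "*" in _as_list(stmt.get("Action")) or "NotAction" in stmt:
            findings.append((label, "Action"))
        if "*" in _as_list(stmt.get("Resource")) or "NotResource" in stmt:
            findings.append((label, "Resource"))
    return findings

def policy_is_acceptable(policy):
    """The merge gate: a policy with any wildcard grant is rejected outright."""
    return not find_overly_permissive(policy)
```

Some List/Describe actions accept only Resource "*", so a production linter needs an exception list keyed by action rather than a blanket rejection.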

Network segmentation. Multi-account AWS Organizations architecture isolates workloads at the account level. Within accounts, VPC security groups and network ACLs enforce east-west traffic controls. Shared services are accessed through Transit Gateway with explicit route tables — workload accounts cannot communicate with each other.

This is the same infrastructure pattern we use for House Escort's production environment and AK Home HQ, applied with the additional rigor that defense work demands. The architecture exists and runs today.

Audit and Accountability: Immutable Logging

CMMC Domain AU (Audit & Accountability) requires creating and retaining audit records to enable monitoring, analysis, investigation, and reporting. Rutagon's logging architecture makes audit records immutable, centralized, and queryable.

CloudTrail across all accounts. Every AWS API call in every account is logged to CloudTrail and forwarded to a centralized logging account. The trail bucket has object lock enabled — logs cannot be modified or deleted, even by administrators.

Application-level audit logging. Beyond infrastructure API calls, our applications log security-relevant events: authentication attempts (success and failure), authorization decisions, data access events, and configuration changes. These logs are structured JSON shipped to CloudWatch Logs with defined retention periods.

Centralized log aggregation. Logs from all sources flow to a security account where they are indexed and queryable. EventBridge rules trigger alerts for specific patterns: failed authentication spikes, unauthorized API calls, configuration changes outside maintenance windows.
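The three alert patterns listed above, worked through as an added example that is not Rutagon's EventBridge configuration: a Python evaluator run over constructed structured log lines. The event names, the failure threshold and window, and the maintenance hours are assumptions chosen for the illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not from the article): simplified structured
# events mixing application audit records and CloudTrail-style API records.
SAMPLE_LINES = [
    '{"time":"2026-02-26T02:10:00Z","event":"auth.failure","principal":"alice"}',
    '{"time":"2026-02-26T02:10:20Z","event":"auth.failure","principal":"alice"}',
    '{"time":"2026-02-26T02:10:40Z","event":"auth.failure","principal":"alice"}',
    '{"time":"2026-02-26T02:11:00Z","event":"auth.failure","principal":"alice"}',
    '{"time":"2026-02-26T02:11:10Z","event":"auth.failure","principal":"alice"}',
    '{"time":"2026-02-26T02:12:00Z","event":"auth.success","principal":"bob"}',
    '{"time":"2026-02-26T02:12:30Z","eventName":"DeleteTrail","errorCode":"AccessDenied","principal":"deploy-role"}',
    '{"time":"2026-02-26T14:00:00Z","event":"config.change","principal":"deploy-role","target":"sg-0abc"}',
    '{"time":"2026-02-26T22:30:00Z","event":"config.change","principal":"deploy-role","target":"sg-0abc"}',
]

FAILED_AUTH_THRESHOLD = 5        # failures per principal inside the window
WINDOW_SECONDS = 300
MAINTENANCE_HOURS_UTC = range(22, 24)   # assumed change window: 22:00-23:59 UTC

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate(lines):
    """Return (rule, detail) alerts for the three patterns the article lists.
    Failed-auth spikes use a per-principal sliding window so a slow trickle of
    failures does not fire, and one spike produces one alert."""
    alerts = []
    recent_failures = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        now = _ts(rec["time"])
        who = rec.get("principal", "unknown")
        if rec.get("event") == "auth.failure":
            window = [t for t in recent_failures[who] if (now - t).total_seconds() <= WINDOW_SECONDS]
            window.append(now)
            if len(window) >= FAILED_AUTH_THRESHOLD:
                alerts.append(("failed_auth_spike", who))
                window = []          # reset so the same burst is not reported again
            recent_failures[who] = window
        elif rec.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            alerts.append(("unauthorized_api_call", f"{who}:{rec.get('eventName')}"))
        elif rec.get("event") == "config.change" and now.hour not in MAINTENANCE_HOURS_UTC:
            alerts.append(("change_outside_window", f"{who}:{rec.get('target')}"))
    return alerts
```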

Retention and protection. Audit logs are retained for a minimum of one year in online storage and archived to S3 Glacier for long-term retention. The logging account has SCPs that prevent any principal from modifying log data or reducing retention periods.

The key principle: if an event is security-relevant, it is logged, forwarded, immutable, and alertable. No gaps, no exceptions.

Configuration Management: Infrastructure as Code

CMMC Domain CM (Configuration Management) requires establishing and maintaining baseline configurations. When infrastructure is defined as code, configuration management is version-controlled, peer-reviewed, and reproducible.

Terraform-managed infrastructure. Every resource across every account is defined in Terraform. No console-click deployments. No manual configuration. The Terraform state is the authoritative record of what exists in each account, and drift detection runs daily to flag any resources that have been modified outside of Terraform.

Immutable deployments. Application deployments use container images tagged with commit SHAs. There is no SSH into production servers, no hot-patching running containers, no in-place updates. A new deployment means a new image, through the pipeline, with the full suite of security scans.

Change control. Every infrastructure change goes through a merge request in GitLab. The merge request triggers a terraform plan that shows exactly what will change. A second engineer reviews the plan. Only the main branch can apply changes to production. The pipeline, the approval, and the apply are all logged.

Baseline hardening. Container images start from minimal base images (distroless where possible). Operating system packages are pinned to specific versions. Security benchmarks (CIS) are validated in the image build pipeline.

This configuration management approach is described in more detail in our article on security compliance in CI/CD pipelines.

Incident Response: Prepared, Not Reactive

CMMC Domain IR (Incident Response) requires establishing operational incident-handling capabilities. Rutagon maintains an incident response capability that includes detection, containment, eradication, and recovery procedures.

Automated detection. GuardDuty findings, AWS Config rule violations, and application-level anomaly alerts feed into a centralized event bus. Critical findings trigger immediate notification through PagerDuty integration.

Defined response procedures. Each category of incident — unauthorized access, data exposure, infrastructure compromise, availability degradation — has a documented response procedure with assigned roles, communication plans, and escalation paths.

Containment automation. For specific threat categories, automated containment actions execute without waiting for human intervention. A compromised IAM credential triggers automatic key deactivation. A security group opened to 0.0.0.0/0 triggers automatic reversion. These automations buy time while the incident response team assesses the situation.
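The security-group reversion described above, as an added example (not Rutagon's containment automation): the decision logic that inspects a group as returned by ec2:DescribeSecurityGroups and builds the revoke request for any rule open to the whole internet. The group id, the Exposure tag and the exemption for public load-balancer listeners on 80/443 are assumptions; the article states the trigger, not the exemption.

```python
# Constructed sample (not from the article), shaped like one group in the
# ec2:DescribeSecurityGroups response; ids and the Exposure tag are assumptions.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "Tags": [{"Key": "Exposure", "Value": "internal"}],
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

# Only groups tagged Exposure=public-edge (internet-facing load balancers) may
# accept traffic from anywhere, and only on these listener ports.
PUBLIC_EDGE_PORTS = {80, 443}

def _tag(group, key):
    return next((t["Value"] for t in group.get("Tags", []) if t["Key"] == key), None)

def world_open_rules(group):
    """Return the ingress entries that admit 0.0.0.0/0 or ::/0, trimmed to the
    offending ranges. Each entry has the shape ec2:RevokeSecurityGroupIngress
    expects, so the result can be passed to it unchanged."""
    is_edge = _tag(group, "Exposure") == "public-edge"
    offending = []
    for perm in group.get("IpPermissions", []):
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
        if not (v4 or v6):
            continue
        single_port = perm.get("FromPort") if perm.get("FromPort") == perm.get("ToPort") else None
        if is_edge and perm.get("IpProtocol") == "tcp" and single_port in PUBLIC_EDGE_PORTS:
            continue   # expected for a public listener; leave it alone
        entry = {"IpProtocol": perm["IpProtocol"], "IpRanges": v4, "Ipv6Ranges": v6}
        for key in ("FromPort", "ToPort"):
            if key in perm:
                entry[key] = perm[key]
        offending.append(entry)
    return offending

def revoke_request(group):
    """Build the keyword arguments for boto3's
    ec2.revoke_security_group_ingress(**kwargs); None means nothing to revert."""
    rules = world_open_rules(group)
    return {"GroupId": group["GroupId"], "IpPermissions": rules} if rules else None
```

The revoke call itself, and the follow-up notification to the on-call engineer, are left to the caller so the decision logic can be unit-tested offline.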

Post-incident review. Every incident — including near-misses and false positives — gets a written post-incident review. The review documents what happened, what the detection and response timeline looked like, what worked, and what needs improvement. Findings feed back into detection rules and response procedures.

Media Protection and Data Handling

CUI requires protection at rest and in transit. Rutagon enforces encryption universally:

Encryption at rest. Every S3 bucket uses SSE-KMS with customer-managed keys. DynamoDB tables use AWS-managed encryption. EBS volumes are encrypted by default through account-level settings. KMS key policies restrict which roles can use each key.

Encryption in transit. TLS 1.2 is the minimum for all external communications. Internal service-to-service communication within VPCs uses TLS. CloudFront distributions enforce HTTPS-only with HSTS headers.

Data classification. Not all data requires the same protection level. Our data handling procedures classify information and apply controls proportional to sensitivity. CUI receives the full set of CMMC controls. Public marketing content does not need KMS encryption with audit logging on every access.

System and Communications Protection

Network boundaries are enforced at multiple layers:

WAF and DDoS protection. AWS WAF rules filter malicious traffic at the edge. AWS Shield provides DDoS protection. Rate limiting prevents abuse. These are the same protections we deploy for AK Home HQ and House Escort — production-tested, not theoretical.

VPC architecture. Private subnets for compute, public subnets only for load balancers and NAT gateways. No direct internet access from application instances. Egress traffic is routed through NAT gateways with flow logging enabled.

Endpoint policies. VPC endpoints for AWS services (S3, DynamoDB, STS) keep traffic on the AWS network and enforce endpoint policies that restrict which resources can be accessed through each endpoint.

Continuous Assessment

CMMC compliance is not a point-in-time assessment. Rutagon runs continuous compliance checks:

  • AWS Config rules evaluate resource configurations against security baselines in real time
  • IAM Access Analyzer identifies resources shared with external entities
  • GuardDuty provides continuous threat detection
  • Drift detection flags resources modified outside of Terraform
  • Automated scanning in CI/CD catches vulnerabilities before deployment

The goal is that when a CMMC assessment occurs, we are not preparing for it — we are demonstrating what already runs every day.

For how these controls integrate with Kubernetes workloads, see Kubernetes in regulated environments.

Frequently Asked Questions

What is the difference between CMMC Level 1 and Level 2?

Level 1 covers 17 basic safeguarding practices for Federal Contract Information (FCI) — think antivirus, access control, and physical security basics. Level 2 maps to the full 110 practices in NIST SP 800-171 and applies to Controlled Unclassified Information (CUI). Level 2 requires significantly more rigorous controls including audit logging, incident response, and configuration management. Rutagon architects for Level 2.

Does Rutagon hold a CMMC certification?

CMMC assessments are conducted by Certified Third-Party Assessment Organizations (C3PAOs). Rutagon's security architecture implements CMMC Level 2 controls and is designed to satisfy C3PAO assessment requirements. As a small business pursuing defense contracts, we invest in security architecture that meets these standards now, positioning us for formal certification as contract requirements dictate.

How do zero long-lived credentials work in practice?

Every automated process authenticates through OIDC federation or IAM role assumption with temporary session tokens. GitLab CI/CD pipelines present a JWT to AWS STS, which validates the token against the OIDC provider and issues a session token with a 15-minute expiration. No IAM access keys are stored anywhere — not in CI/CD variables, not on developer machines, not in configuration files. If a token is intercepted, it expires within minutes.
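The STS-side check in that exchange, as an added example that is not Rutagon's configuration: a constructed IAM role trust policy for a GitLab OIDC provider, and a Python function that mirrors how STS tests the token's aud and sub claims against the policy's conditions before issuing a session. The GitLab host, AWS account id and project group are placeholders, and the 15-minute lifetime is set by the DurationSeconds of the AssumeRoleWithWebIdentity call rather than by the trust policy.

```python
import fnmatch
import json

# Constructed trust policy (not the project's own): the GitLab host, AWS account
# id and project group are placeholders. Condition keys are "<provider host>:<claim>".
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/gitlab.example.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"gitlab.example.com:aud": "https://gitlab.example.com"},
      "StringLike": {"gitlab.example.com:sub": "project_path:defense/*:ref_type:branch:ref:main"}
    }
  }]
}
""")

def _claim_matches(operator, claim_value, wanted):
    wanted = [wanted] if isinstance(wanted, str) else wanted
    if operator == "StringEquals":
        return claim_value in wanted
    if operator == "StringLike":   # IAM wildcards * and ? behave like fnmatch's
        return any(fnmatch.fnmatchcase(claim_value, w) for w in wanted)
    raise ValueError(f"unsupported condition operator {operator}")

def trust_policy_allows(policy, claims):
    """Mirror the check STS makes before issuing a session: some Allow statement
    for sts:AssumeRoleWithWebIdentity must have every condition satisfied by the
    token's claims. A token from another branch or project is refused."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        conditions = stmt.get("Condition", {})
        if all(_claim_matches(op, claims.get(key.split(":", 1)[1], ""), wanted)
               for op, pairs in conditions.items() for key, wanted in pairs.items()):
            return True
    return False

# Constructed claims in the shape GitLab puts in a CI job's ID token.
MAIN_BRANCH_JOB = {"iss": "https://gitlab.example.com", "aud": "https://gitlab.example.com",
                   "sub": "project_path:defense/api:ref_type:branch:ref:main"}
FEATURE_BRANCH_JOB = dict(MAIN_BRANCH_JOB, sub="project_path:defense/api:ref_type:branch:ref:feature-x")
```

The sub condition is what stops a pipeline in an unrelated project, or a feature branch in the right project, from assuming the production deploy role even though both present tokens signed by the same provider.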

How do you handle CMMC requirements for personnel security?

Personnel security controls include background checks for team members with CUI access, security awareness training, and access revocation procedures when team members depart. Access is tied to identity provider accounts — disabling a user's SSO account immediately revokes all AWS access across all accounts. No orphaned credentials to track down.

Can CMMC controls be applied retroactively to existing infrastructure?

They can, but it is significantly easier to build them in from the start. Retroactively adding immutable audit logging, encryption at rest with customer-managed keys, and zero-trust access controls to existing infrastructure often requires re-architecting components. Rutagon builds new projects with these controls from day one, which is why our commercial products like House Escort already operate at a security posture that meets or exceeds CMMC Level 2 requirements.
