A phased approach to CMMC Level 2 readiness
After reading this guide you will be able to:
Scope your CUI boundary on AWS using multi-account architecture
Implement all 110 NIST SP 800-171 Rev. 2 security requirements using AWS services
Build automated evidence collection pipelines for C3PAO assessment
Establish continuous monitoring for sustained compliance
Understand SPRS scoring, POA&M eligibility, and remediation prioritization
Prepare personnel and documentation for C3PAO assessment phases
Phases of CMMC Level 2 readiness
These three phases provide a concrete path from initial scoping through assessment readiness. Each phase builds on the previous one. The timeline depends on whether you are working with an existing AWS environment or are building from scratch.
Phase 1: Assess and scope your CUI environment
Identify all contracts that involve CUI and determine your required CMMC level
Choose your deployment Region: AWS GovCloud (US) for International Traffic in Arms Regulations (ITAR)/Security Requirements Guide (SRG) Impact Level 4 (IL4)+ workloads, or commercial US East/West with FIPS endpoints for CUI workloads without those overlays
Design your multi-account structure - Management Account, CUI Workload Account(s), Shared Services Account, and Security and Log Archive Account
Classify all assets using the five CMMC scoping categories - CUI Assets, Security Protection Assets, Contractor Risk Managed Assets (CRMAs), Specialized Assets, Out-of-Scope
Map your CUI data flows and define your assessment boundary using AWS Organizations and Amazon Virtual Private Cloud (Amazon VPC)
Inventory all external service providers (ESPs) and cloud service providers (CSPs), determine Federal Risk and Authorization Management Program (FedRAMP) status, and begin Customer Responsibility Matrix (CRM) documentation
Enable foundational services: AWS Config, AWS CloudTrail (organization trail), AWS Security Hub CSPM, Amazon GuardDuty and Amazon Inspector
Conduct an initial gap assessment against NIST SP 800-171 Rev. 2 requirements and calculate your Supplier Performance Risk System (SPRS) score
Prioritize remediation - Plan of Action and Milestones (POA&M)-ineligible requirements first, then 5-point Basic requirements, then 1-point Derived requirements
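The last two Phase 1 steps, the gap assessment with its SPRS score and the remediation ordering, are mechanical enough to script. The following is an added example, not code from AWS or from the CMMC program: it takes a constructed gap-assessment snapshot, computes the SPRS score, decides whether the environment could receive a Conditional or Final certificate, and orders open items the way the guide recommends (POA&M-ineligible first, then 5-point Basic, then 1-point Derived). The per-requirement weights (5, 3 or 1) and POA&M-eligibility flags are supplied as input and are assumptions here; the 110 maximum, the 88-point Conditional threshold and the 180-day POA&M closure window are the figures the guide states.

```python
"""SPRS score and remediation-priority calculator.

Added illustration, not code from AWS or from the CMMC program. Assumptions not
stated in the guide: each requirement carries an assessment weight of 5, 3 or 1
and an open requirement subtracts that weight from the 110 maximum; POA&M
eligibility is supplied per requirement as input rather than derived here.
The five requirements below are a constructed subset of NIST SP 800-171 Rev. 2.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

MAX_SCORE = 110
CONDITIONAL_THRESHOLD = 88   # stated in the guide
POAM_CLOSURE_DAYS = 180      # stated in the guide


@dataclass(frozen=True)
class Requirement:
    rid: str             # NIST SP 800-171 Rev. 2 identifier, e.g. "3.1.1"
    kind: str            # "Basic" or "Derived"
    weight: int          # assumed assessment weight: 5, 3 or 1
    poam_eligible: bool  # may this requirement sit on a POA&M at certification time?
    implemented: bool    # result of the gap assessment


# Constructed assessment snapshot; weights and eligibility flags are illustrative.
SAMPLE_ASSESSMENT = [
    Requirement("3.1.1", "Basic", 5, False, True),
    Requirement("3.1.3", "Derived", 1, True, False),
    Requirement("3.1.18", "Derived", 1, True, True),
    Requirement("3.1.20", "Derived", 1, False, False),
    Requirement("3.4.1", "Basic", 5, False, False),
]


def open_requirements(reqs):
    return [r for r in reqs if not r.implemented]


def sprs_score(reqs):
    """110 minus the weight of every requirement not yet implemented."""
    return MAX_SCORE - sum(r.weight for r in open_requirements(reqs))


def certification_status(reqs):
    """Final: everything implemented. Conditional: score >= 88 and every open
    item is POA&M-eligible. Otherwise the gap must be closed before assessment."""
    gaps = open_requirements(reqs)
    if not gaps:
        return "Final"
    if sprs_score(reqs) >= CONDITIONAL_THRESHOLD and all(r.poam_eligible for r in gaps):
        return "Conditional"
    return "Not eligible"


def remediation_order(reqs):
    """Ordering used in the guide: POA&M-ineligible first, then 5-point Basic,
    then 1-point Derived; ties broken by requirement id."""
    key = lambda r: (r.poam_eligible, -r.weight, r.kind != "Basic", r.rid)
    return [r.rid for r in sorted(open_requirements(reqs), key=key)]


def apply_remediation(reqs, closed_ids):
    """Return a new snapshot with the given requirements marked implemented."""
    return [replace(r, implemented=True) if r.rid in closed_ids else r for r in reqs]


def poam_deadline(conditional_date_iso):
    """Last day (ISO date) to close all POA&M items after a Conditional certificate."""
    start = date.fromisoformat(conditional_date_iso)
    return (start + timedelta(days=POAM_CLOSURE_DAYS)).isoformat()


if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_ASSESSMENT), certification_status(SAMPLE_ASSESSMENT))
    print("remediate in order:", remediation_order(SAMPLE_ASSESSMENT))
    after = apply_remediation(SAMPLE_ASSESSMENT, {"3.4.1", "3.1.20"})
    print("after:", sprs_score(after), certification_status(after))
    print("POA&M deadline:", poam_deadline("2026-01-15"))
```

Running it shows why the ordering matters: the constructed snapshot scores 103, comfortably above 88, yet it is not certifiable because two open items cannot go on a POA&M; closing just those two lifts it to Conditional with a single 1-point item left for the 180-day window.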
Phase 2: Implement controls and automate evidence
Deploy the CMMC 2.0 Level 2 conformance pack in AWS Config for continuous compliance evaluation
Configure FIPS-validated endpoints for all AWS service calls within your CUI boundary
Implement access control, encryption, and boundary protection controls using AWS Identity and Access Management (IAM), AWS Key Management Service (AWS KMS), and AWS Network Firewall
Address the 10 customer-only controls that require organizational policies or non-AWS technology
Build continuous vulnerability scanning and patch management workflows with Amazon Inspector and AWS Systems Manager
Set up your security protection data (SPD) evidence pipeline: AWS Security Hub CSPM findings, AWS Config evaluations, CloudTrail logs, and Amazon Inspector reports flowing into the evidence repository
Document your System Security Plan (SSP), addressing all assessment objectives for each control, along with your POA&Ms and network diagrams
Complete CRM documentation for all ESPs and confirm ESP personnel availability for assessment interviews
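The SPD evidence pipeline in Phase 2 is only useful to a C3PAO if findings from different services arrive in one shape, keyed by the NIST SP 800-171 requirement they evidence. The following is an added example, not code from AWS: it normalizes a Security Hub finding in ASFF, an AWS Config rule compliance result, and CloudTrail events (whose tlsDetails.clientProvidedHostHeader shows which endpoint a client actually called) into uniform evidence records, and uses the CloudTrail data to check the FIPS-endpoint step against requirement 3.13.11. All inputs are constructed samples; the RULE_TO_REQUIREMENT map, the "NIST.800-171.r2 <id>" tag format in RelatedRequirements, and the FIPS hostname convention in is_fips_host are assumptions, not AWS-published mappings.

```python
"""Evidence normalizer for the security protection data (SPD) pipeline.

Added illustration, not code from AWS. It turns three raw sources into uniform
evidence records keyed by NIST SP 800-171 Rev. 2 requirement id: a Security Hub
finding (ASFF), an AWS Config rule compliance result, and CloudTrail events whose
tlsDetails show which endpoint a client called. Every input below is a
constructed sample; RULE_TO_REQUIREMENT and the "NIST.800-171.r2 <id>" tag
format are assumptions maintained by the compliance team, not AWS mappings.
"""
import json

# Assumed mapping from Config rule names (chosen when the conformance pack was
# deployed) to the 800-171 requirement each rule evidences.
RULE_TO_REQUIREMENT = {
    "cuib-cloudtrail-enabled": "3.3.1",
    "cuib-kms-key-rotation": "3.13.11",
}

SECURITY_HUB_FINDING = {  # constructed ASFF finding
    "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding/0001",
    "Title": "CloudTrail log file validation should be enabled",
    "UpdatedAt": "2026-01-15T10:00:00.000Z",
    "Compliance": {"Status": "FAILED", "RelatedRequirements": ["NIST.800-171.r2 3.3.8"]},
    "Resources": [{"Type": "AwsCloudTrailTrail",
                   "Id": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}],
}

CONFIG_RESULTS = [  # constructed, shaped like ComplianceByConfigRules entries
    {"ConfigRuleName": "cuib-cloudtrail-enabled", "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "cuib-kms-key-rotation", "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
]

CLOUDTRAIL_EVENTS = [  # constructed; clientProvidedHostHeader is the endpoint the client used
    {"eventTime": "2026-01-15T10:01:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "tlsDetails": {"tlsVersion": "TLSv1.2", "clientProvidedHostHeader": "kms-fips.us-east-1.amazonaws.com"}},
    {"eventTime": "2026-01-15T10:02:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "tlsDetails": {"tlsVersion": "TLSv1.2", "clientProvidedHostHeader": "bucket.s3.us-east-1.amazonaws.com"}},
    {"eventTime": "2026-01-15T10:03:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole"},
]


def record(requirement, source, status, artifact, observed_at):
    return {"requirement": requirement, "source": source, "status": status,
            "artifact": artifact, "observed_at": observed_at}


def requirements_from_finding(finding):
    """Pull 800-171 ids out of Compliance.RelatedRequirements, ignoring other frameworks."""
    tags = finding.get("Compliance", {}).get("RelatedRequirements", [])
    return [t.split(" ", 1)[1] for t in tags if t.startswith("NIST.800-171.r2 ")]


def evidence_from_security_hub(finding):
    status = finding["Compliance"]["Status"]  # PASSED / FAILED / WARNING / NOT_AVAILABLE
    artifact = {"finding_id": finding["Id"], "title": finding["Title"],
                "resources": [r["Id"] for r in finding.get("Resources", [])]}
    return [record(req, "securityhub", status, artifact, finding["UpdatedAt"])
            for req in requirements_from_finding(finding)]


def evidence_from_config(results, mapping, observed_at):
    out = []
    for r in results:
        req = mapping.get(r["ConfigRuleName"])
        if req is None:
            continue  # an unmapped rule is a mapping gap to report, not evidence
        status = "PASSED" if r["Compliance"]["ComplianceType"] == "COMPLIANT" else "FAILED"
        out.append(record(req, "config", status, {"rule": r["ConfigRuleName"]}, observed_at))
    return out


def is_fips_host(host):
    """Assumed naming convention: FIPS endpoints carry a '-fips.' label or a 'fips.' prefix."""
    return "-fips." in host or host.startswith("fips.")


def fips_endpoint_audit(events):
    """Return (events that reached a non-FIPS endpoint, events with no tlsDetails).
    The second list is kept separate so the blind spot is visible to the assessor."""
    non_fips, unknown = [], []
    for e in events:
        host = e.get("tlsDetails", {}).get("clientProvidedHostHeader")
        if host is None:
            unknown.append(e)
        elif not is_fips_host(host):
            non_fips.append(e)
    return non_fips, unknown


def build_evidence_bundle(finding, config_results, events, observed_at):
    bundle = evidence_from_security_hub(finding)
    bundle += evidence_from_config(config_results, RULE_TO_REQUIREMENT, observed_at)
    non_fips, unknown = fips_endpoint_audit(events)
    artifact = {"non_fips_calls": [(e["eventSource"], e["eventName"]) for e in non_fips],
                "events_without_tls_details": len(unknown)}
    bundle.append(record("3.13.11", "cloudtrail", "FAILED" if non_fips else "PASSED",
                         artifact, observed_at))
    return bundle


if __name__ == "__main__":
    for rec in build_evidence_bundle(SECURITY_HUB_FINDING, CONFIG_RESULTS,
                                     CLOUDTRAIL_EVENTS, "2026-01-15T10:05:00Z"):
        print(json.dumps(rec))  # one JSON line per record, ready for the evidence repository
```

The output is one JSON line per record, which is the form an evidence repository (for example an S3 prefix per requirement) and a compliance dashboard can both consume. Note that the constructed S3 call lands the 3.13.11 record in FAILED even though the KMS call used a FIPS endpoint: a single non-FIPS call inside the CUI boundary is the kind of evidence an assessor will ask about, and the separate count of events without tlsDetails keeps the pipeline honest about what it could not observe.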
Phase 3: Validate and prepare for assessment
Run a mock assessment against all 110 controls and 320 assessment objectives using your automated evidence
Conduct mock interviews with personnel who will be interviewed by the C3PAO
Close any remaining POA&M items (POA&Ms must be closed within 180 days)
Verify your SPRS score meets the 88-point threshold for Conditional status (or 110 for Final status)
Engage your C3PAO and provide access to your evidence repository and compliance dashboards
Establish ongoing continuous monitoring processes and annual affirmation procedures to maintain certification between assessments
Organizations with existing AWS environments and security tooling can typically complete Phases 1-3 in 90-120 days. Organizations building new environments should plan for 150-180 days. Either way, starting now positions you well ahead of the November 2026 Phase 2 deadline.