Security protection data flows
As you implement CMMC controls, your security services generate a continuous stream of data about your environment's security posture. We refer to this as SPD - the findings, logs, compliance evaluations, and audit records that your security tools produce. SPD is distinct from CUI: it is data about your security controls, not the sensitive information those controls protect. Per the CMMC Scoping Guide, SPD (log files, configuration data, vulnerability data, and passwords granting access to the in-scope environment) is itself in scope.
| Data type | Flow direction | Description |
|---|---|---|
| CUI data | Into and within CUI boundary | The sensitive information your controls protect. Enters through the network boundary layer and stays within CUI Workload Accounts. Protected by FIPS-validated encryption at rest and in transit. |
| Security protection data (SPD) | From CUI boundary to Security and Log Archive Account | Findings, logs, compliance evaluations, and audit records generated by your security tools. Stored with immutability via Amazon S3 Object Lock. |
| Key material | From Shared Services into CUI boundary | Customer-managed AWS KMS keys used for encrypting CUI at rest. Centralized in Shared Services for consistent key management and separation of duties. |
SPD aggregation channels
SPD flows from the CUI boundary into the Security and Log Archive Account through two channels:
| Channel | Sources | Destination | Purpose |
|---|---|---|---|
| Findings pipeline | GuardDuty, Amazon Inspector, IAM Access Analyzer, AWS Config (via Config Aggregator) | Security Hub CSPM (aggregated dashboard) | Current security posture: what is the state right now? |
| Raw log pipeline | CloudTrail (organization trail), Amazon VPC Flow Logs | Amazon S3 Log Archive with Object Lock | Immutable audit trail: prove what happened and when |
Both channels feed into the evidence pipeline within the Security and Log Archive Account, where Athena queries across findings and raw logs to produce assessment-ready evidence. This gives your C3PAO two complementary views: findings show current state, and raw logs prove historical compliance.
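The following added example (not code from this guidance or from AWS) shows the shape of the join the evidence pipeline performs: each Security Hub finding supplies the current control status, and the CloudTrail records for the same resource supply the history that proves when it changed. The findings, CloudTrail records, control identifiers and ARNs are constructed for illustration; an Athena query over the real archive would replace the in-memory join.

```python
"""Join Security Hub findings (current state) with CloudTrail records
(historical proof) per resource to build control-mapped evidence.
All sample data below is constructed; field names follow the ASFF and
CloudTrail record layouts, but values and control IDs are hypothetical."""
from collections import defaultdict

# Constructed ASFF-style findings from the findings pipeline.
FINDINGS = [
    {"Id": "finding-001", "Title": "S3 bucket should have Object Lock enabled",
     "UpdatedAt": "2024-03-10T12:00:00Z",
     "Compliance": {"Status": "PASSED", "RelatedRequirements": ["NIST.800-171.r2 3.3.8"]},
     "Resources": [{"Id": "arn:aws:s3:::example-log-archive"}]},
    {"Id": "finding-002", "Title": "CloudTrail should be enabled and configured",
     "UpdatedAt": "2024-03-10T12:05:00Z",
     "Compliance": {"Status": "FAILED", "RelatedRequirements": ["NIST.800-171.r2 3.3.1"]},
     "Resources": [{"Id": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}]},
]

# Constructed CloudTrail records from the raw log pipeline.
CLOUDTRAIL = [
    {"eventTime": "2024-03-09T08:00:00Z", "eventName": "PutObjectLockConfiguration",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/SecOps"},
     "resources": [{"ARN": "arn:aws:s3:::example-log-archive"}]},
    {"eventTime": "2024-03-10T11:30:00Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "resources": [{"ARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}]},
]


def build_evidence(findings, records):
    """Return {control_id: [evidence record, ...]} where each evidence record
    pairs a finding's current status with the ordered CloudTrail history
    of the resource it evaluated."""
    by_arn = defaultdict(list)  # resource ARN -> CloudTrail records touching it
    for rec in records:
        for res in rec.get("resources", []):
            by_arn[res["ARN"]].append(rec)
    evidence = defaultdict(list)
    for f in findings:
        for res in f["Resources"]:
            history = sorted(by_arn.get(res["Id"], []), key=lambda r: r["eventTime"])
            record = {"finding": f["Id"], "resource": res["Id"],
                      "status": f["Compliance"]["Status"], "as_of": f["UpdatedAt"],
                      "history": [(r["eventTime"], r["eventName"], r["userIdentity"]["arn"])
                                  for r in history]}
            for control in f["Compliance"].get("RelatedRequirements", []):
                evidence[control].append(record)
    return dict(evidence)


def poam_items(evidence):
    """Controls with any FAILED finding need a POA&M entry."""
    return sorted(c for c, recs in evidence.items() if any(r["status"] == "FAILED" for r in recs))
```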
This figure illustrates how SPD flows from source services in the CUI Workload Account(s) through the two pipeline channels and into the evidence pipeline that produces assessment-ready artifacts.
Figure 2: Security protection data flow architecture. Source services in the CUI Workload Account(s) feed into two parallel channels: the findings pipeline (aggregated in Security Hub CSPM) and the raw log pipeline (stored in Amazon S3 with Object Lock). Both channels feed into the evidence pipeline, which produces SSP artifacts, control-mapped evidence, POA&M tracking, and SPRS score calculations.