
Choosing your deployment Region - AWS Prescriptive Guidance

Choosing your deployment Region

One of the first architectural decisions you will make is where to deploy your Controlled Unclassified Information (CUI) workloads. CMMC Level 2 does not mandate a specific AWS Region. It requires that you implement the NIST SP 800-171 controls and that any cloud service provider (CSP) you use meets the FedRAMP Moderate baseline or its equivalent, as required by DFARS 252.204-7012. Both AWS GovCloud (US) and the commercial US East/West Regions meet this requirement.

Decision flow for identifying the deployment Region

Use the following decision logic to determine the right deployment target for each workload:

  • Does your contract involve International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) controlled data? If yes, deploy in AWS GovCloud (US). ITAR workloads require the jurisdictional isolation that AWS GovCloud (US) provides.

  • Does your contract require DoD Security Requirements Guide (SRG) Impact Level 4 or 5? If yes, deploy in AWS GovCloud (US). Commercial Regions support Impact Level 2 (IL2) only.

  • Do your workloads involve CUI without ITAR/EAR restrictions and without IL4/5 requirements? You can deploy in the commercial US East/West Regions using FIPS-validated endpoints and still meet CMMC Level 2 requirements.

  • Do you have mixed workloads with different regulatory overlays? Consider a hybrid approach: AWS GovCloud (US) for ITAR programs and commercial Regions for standard CUI workloads. Use separate AWS Organizations to maintain clear boundaries between the two.

Comparison of deployment options

| Attribute | AWS GovCloud (US) | Commercial US East/West + FIPS |
|---|---|---|
| FedRAMP authorization | FedRAMP High | FedRAMP Moderate |
| FIPS 140-2/3 endpoints | Default for all services | Available via FIPS-specific endpoints |
| DoD SRG impact levels | IL2, IL4, IL5 | IL2 |
| Operator citizenship | U.S. persons only | No restriction |
| Service availability | Subset of commercial services | Broadest service catalog |
| CMMC Level 2 eligible | Yes | Yes |
| Best fit | ITAR, IL4/5, maximum isolation | Standard CUI, broader services, lower cost |

The key takeaway: if your contract involves CUI without ITAR or EAR restrictions, and you do not require DoD SRG Impact Levels 4 or 5, you can deploy in commercial US East/West Regions using FIPS-validated endpoints and still meet CMMC Level 2 requirements. If your workloads carry ITAR obligations or require higher DoD SRG impact levels, AWS GovCloud (US) provides the additional isolation and regulatory coverage you need.

FIPS endpoints in AWS GovCloud (US) and commercial Regions

When deploying in commercial or AWS GovCloud (US) Regions, you activate FIPS-validated cryptography by directing application traffic to FIPS-specific service endpoints. For example, instead of calling kms.us-east-1.amazonaws.com, you use kms-fips.us-east-1.amazonaws.com. AWS publishes a complete list of FIPS endpoints for each service and Region. Your SDK configurations and service endpoint URLs must be updated to reference these endpoints throughout your CUI boundary, in both partitions, and that list is the authority on the exact hostname for each service.
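The following audit helper is an added example, not code from the AWS guidance: it checks endpoint URLs collected from an SDK or application configuration against the two deployment targets described above (the GovCloud and commercial US Region sets are assumptions), flags non-FIPS hostnames and Regions outside both targets, and proposes a replacement using the `<service>-fips.<region>` pattern the page shows for KMS. The sample URLs are constructed.

```python
import re
from urllib.parse import urlparse

# Regions for the two deployment targets the guidance allows (assumed sets).
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}
COMMERCIAL_US_REGIONS = {"us-east-1", "us-east-2", "us-west-1", "us-west-2"}

# Matches <service>.<region>.amazonaws.com and <service>-fips.<region>.amazonaws.com
_HOST_RE = re.compile(r"^(?P<service>[a-z0-9-]+?)(?P<fips>-fips)?"
                      r"\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com$")

# Constructed sample: endpoint URLs as they might appear in an SDK/config file.
SAMPLE_ENDPOINTS = [
    "https://kms.us-east-1.amazonaws.com",            # commercial, not FIPS
    "https://kms-fips.us-gov-west-1.amazonaws.com",   # GovCloud, FIPS
    "https://sts.eu-west-1.amazonaws.com",            # outside both targets
]

def audit_endpoint(url: str) -> dict:
    """Classify one configured endpoint URL and suggest a FIPS replacement."""
    parsed = urlparse(url)
    host = (parsed.hostname or url).lower()
    finding = {"host": host, "partition": None, "status": None, "fix": None}
    match = _HOST_RE.match(host)
    if not match:
        finding["status"] = "unrecognized"        # custom hostname: review by hand
        return finding
    region = match["region"]
    if region in GOVCLOUD_REGIONS:
        finding["partition"] = "govcloud"
    elif region in COMMERCIAL_US_REGIONS:
        finding["partition"] = "commercial-us"
    else:
        finding["status"] = "region-not-allowed"  # outside both deployment targets
        return finding
    if parsed.scheme and parsed.scheme != "https":
        finding["status"] = "insecure-scheme"     # FIPS-validated TLS needs https
        return finding
    if match["fips"]:
        finding["status"] = "ok"
        return finding
    finding["status"] = "non-fips"
    # Assumption: the <service>-fips.<region> pattern the page shows for KMS; some
    # services name their FIPS endpoint differently, so confirm against AWS's list.
    finding["fix"] = f"{match['service']}-fips.{region}.amazonaws.com"
    return finding

def audit_boundary(urls) -> list:
    """Return only the findings that need attention, in the order given."""
    return [f for f in map(audit_endpoint, urls) if f["status"] != "ok"]
```

Running `audit_boundary(SAMPLE_ENDPOINTS)` reports the non-FIPS KMS endpoint with its proposed `kms-fips` replacement and the eu-west-1 endpoint as outside both deployment targets.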