Cost considerations

The cost of implementing CMMC Level 2 controls on AWS depends on factors such as the number of accounts in your CUI boundary, the volume of monitored resources, data processing and storage volumes, and whether you deploy in AWS GovCloud (US) or commercial Regions. The most effective way to control costs is to tightly scope your CUI boundary. Every account, Amazon VPC, and resource inside the boundary increases monitoring costs and assessment complexity. The multi-account architecture in this guide is designed specifically to help minimize your boundary while maintaining comprehensive security coverage.

Use the AWS Pricing Calculator to estimate costs for your specific workload profile. Each service page linked in this guide includes current pricing details. Beyond AWS service costs, plan for C3PAO assessment fees, dedicated security and compliance engineering personnel, and consulting support if you lack internal CMMC expertise. Prices are subject to change. Additionally, your costs may vary depending on your AWS Region, AWS service quotas, and other factors related to your cloud environment.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Continuous monitoring and validation

NIST SP 800-171 Rev 3 transition