Preparation guide for CMMC Level 2 on AWS - AWS Prescriptive Guidance

June 2026

This guide provides engineers, security architects, chief information security officers (CISOs), compliance leads, and Certified Third-Party Assessment Organization (C3PAO) assessors with guidance for preparing for Cybersecurity Maturity Model Certification (CMMC) Level 2 on Amazon Web Services (AWS). It details a reference architecture for scoping your Controlled Unclassified Information (CUI) boundary, implementing all 110 National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2 security requirements, building automated evidence collection pipelines, and establishing continuous monitoring for sustained compliance. The guide covers deployment in both AWS GovCloud (US) and commercial AWS Regions (US East/West) using Federal Information Processing Standards (FIPS) validated endpoints, and provides a foundational blueprint that you can tailor to your specific organizational and contract requirements.

CMMC compliance is a critical undertaking for defense industrial base (DIB) organizations competing for Department of Defense (DoD) contracts involving CUI. With the Defense Federal Acquisition Regulation Supplement (DFARS) final rule (32 CFR Part 170) now in effect and Phase 2 requiring C3PAO certification assessments beginning November 2026, the time to prepare is now.

This guide describes how AWS security services, multi-account architectures, and compliance automation can help reduce the time and complexity of your CMMC Level 2 assessment preparation. It walks you through the implementation of a multi-account structure using AWS Organizations, aligned with a clearly defined CUI boundary for assessment scoping. The reference architecture is a foundational blueprint that you can tailor to your specific organizational needs. For details and guidance on how to apply security best practices to the design, delivery, and maintenance of secure AWS workloads, see the AWS Well-Architected Security Pillar.

The guidance in this guide is designed to help you align with CMMC Level 2 requirements while benefiting from the agility and scalability of the cloud. If you already operate on AWS, you are well positioned: many of the security services and architectural patterns required for CMMC are native to the platform, and the multi-account isolation model maps directly to CUI boundary scoping. For additional information on planning for and documenting the compliance of your AWS workloads, see the AWS CMMC Customer Package, available through AWS Artifact.