Cyber Defense Advisors

CMMC in the Cloud: Commercial Service Providers Are in Scope

Why cloud providers can’t afford to ignore DoD compliance.

“I don’t have a DoD contract — so I’m safe from CMMC, right?”

Not so fast.

The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) isn’t just about manufacturers building fighter jet parts or software developers coding for the Pentagon.

It’s about the data behind those contracts — and where that data lives.

And if you’re a public cloud service provider (CSP), that means you could be in scope even if you’ve never signed a federal contract in your life.

Here’s the catch:
If a defense contractor uses your cloud to store, process, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), your system becomes part of their compliance boundary.
That means their CMMC obligations flow directly down to you.

And if you can’t meet them?
Your customer may have to move their workloads elsewhere.

How CMMC Scope Works for CSPs

Think of CMMC like a chain: every link matters.
Here’s where CSPs fit in:

  • Prime contractors (direct DoD contract holders)
  • Subcontractors (supporting the primes)
  • Service providers (including CSPs) whose environments touch CUI or FCI

If your customer is in the defense supply chain, and they use your platform for sensitive workloads, their compliance becomes your compliance.

The Quick Decision Tree

So how do you know if you’re in scope? Ask yourself:

  1. Do your customers use your services for DoD work?
    • No → Out of scope.
    • Yes → Go to #2.
  2. What type of data is in your environment?
    • FCI only → Level 1 (17 basic safeguards).
    • Any CUI → Level 2 (110 NIST SP 800-171 controls).
    • High-value or critical CUI → Level 3 (enhanced protections under NIST SP 800-172).
  3. Is your environment multitenant?
    • Yes → You’ll need logical isolation, strong access control, and clear shared-responsibility docs.
    • No → Segmentation still required, but easier to validate.
  4. Do you already have FedRAMP Moderate or High?
    • Yes → Map existing controls to CMMC, fill documentation gaps.
    • No → Implement controls directly.
  5. Can you prove compliance today?
    • Yes → Maintain evidence and stay audit-ready.
    • No → Start remediation now.

Storage Protections by Level

Here’s how storage requirements scale with each CMMC level:

Level 1 — FCI

  • Limit physical/logical access.
  • Authentication and ACLs.
  • Restrict copying/removal of media.
  • Encryption at rest not required (but recommended).

Level 2 — CUI

  • FIPS 140-3 encryption at rest.
  • Separate encryption keys from data.
  • Audit logging on all storage access.
  • Protect backups with identical controls.

Level 3 — High-Value CUI

  • All Level 2 controls, plus:
  • Continuous monitoring.
  • Advanced key management (HSM, split key).
  • Active defense and anomaly detection.
  • Zero-trust segmentation.

Why FedRAMP Alone Isn’t Enough

Here’s the trap:
FedRAMP does cover many of the same controls (encryption, access control, etc.).

But:

  • CMMC distinguishes between FCI and CUI, which changes the scope.
  • CMMC assessments use different evidence requirements.
  • Shared responsibilities between CSP and customer must be formally documented.

Translation: FedRAMP is a good foundation, but it won’t check the CMMC box by itself.

Why Waiting Is Risky

The final CMMC rule is almost here. Once it lands, most DoD-related customers will need proof of compliance up front.

If you aren’t ready:

  • Customers may migrate workloads.
  • Assessment firms (C3PAOs) will be overwhelmed.
  • Your competitive edge in federal markets will vanish.

What CSPs Should Do Right Now

  1. Identify the data — Does your platform hold FCI or CUI?
  2. Determine your level — Use the decision tree above.
  3. Map your storage controls — Make sure encryption, access, and isolation match your level.
  4. Document responsibilities — Be crystal clear with customers.
  5. Start assessment prep — Especially if Level 2 or 3 applies.

Bottom Line

CMMC isn’t just for contractors.
If you’re a CSP serving the defense ecosystem, the compliance spotlight is already on you — whether you realize it or not.

The sooner you prepare, the stronger your position with customers who can’t afford to wait.

Get Help With CMMC

Preparing for CMMC isn’t optional — it’s the cost of staying in the game. Cloud service providers that wait until customers demand proof will find themselves scrambling, losing ground to competitors who already took action.

At Cyber Defense Advisors, we specialize in guiding organizations through the complexities of CMMC, FedRAMP, and NIST requirements. We make compliance clear, achievable, and aligned with your business goals. Don’t risk being left behind — contact us today to start building your path to compliance and customer trust.