
Evaluating the Scope of Cloud Services in CMMC Compliance

Originally published 03/31/2025, updated content 10/30/2025.

How confident are you that your business meets the Cybersecurity Maturity Model Certification (CMMC)? CMMC is a critical framework for businesses working with the Department of Defense (DoD), so it is essential to understand how cloud services fit into your CMMC compliance scope and to ensure that all sensitive government information is secure.

Businesses in Charlottesville, Richmond, and Fredericksburg may already be using cloud-based solutions for data storage, collaboration, and security. But do you know which of these services are subject to CMMC requirements? Identifying whether your cloud solutions process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) is crucial to achieving compliance.

Determining Which Cloud Services Are Affected by CMMC

A thorough assessment of your cloud services determines which CMMC security requirements apply to them. If a cloud platform processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), it must comply with CMMC security standards. However, different cloud services require varying levels of compliance, depending on their role in handling sensitive data.

Map Data Flow and Storage Locations
It’s important to understand where and how your data moves within your cloud environment. Begin by evaluating compliance requirements to:

  • Identify which cloud platforms store or transmit FCI and CUI. This includes SaaS applications like Microsoft 365, Google Drive, and Dropbox, and platforms such as AWS, Azure, and Google Cloud.
  • Track data movement across cloud applications and integrations. For example, Microsoft OneDrive may store documents, but those files may be transferred via Teams or email.
  • Evaluate backup and disaster recovery solutions to ensure all sensitive data is handled within CMMC security requirements, including encryption and controlled access.
  • Check remote access configurations to ensure that anyone who accesses FCI or CUI does so from secure, compliant devices.

Understand Your Security Responsibilities in the Cloud

Contrary to a common misconception, using a cloud service doesn’t automatically ensure compliance. Most cloud service providers (CSPs) operate under a shared responsibility model: the provider secures the underlying platform, while your business remains responsible for configuring security settings, managing user access, and protecting data.

  • SaaS (Software-as-a-Service): While the provider (like Microsoft 365, Dropbox, or Google Workspace) secures the infrastructure, you must manage user access, file sharing permissions, and security settings. CMMC compliance requires robust features like multi-factor authentication (MFA) and role-based access controls to limit who can access CUI.
  • IaaS (Infrastructure-as-a-Service) and PaaS (Platform-as-a-Service): You are responsible for securing virtual machines, storage, networking configurations, and applications deployed on these platforms. This includes firewalls, encryption, logging, intrusion detection, and vulnerability scanning to meet CMMC security requirements. If hosting CUI on these platforms, ensure FedRAMP-authorized solutions are used to align with CMMC.

Check Cloud Provider Compliance Certifications

Not all cloud providers meet CMMC 2.0 security requirements, so verifying their compliance is crucial. As reported in this article, only 4% of respondents to a recent study said they are completely ready for CMMC certification. This highlights how many businesses working towards CMMC compliance struggle to confirm whether their third-party cloud vendors meet required security standards.

  • Ensure your CSP holds FedRAMP Moderate or High authorization, a key benchmark for cloud security.
  • Request security attestations and compliance documentation from your provider.
  • Data at rest and in transit should be encrypted using FIPS 140-2 validated encryption.

Strengthen Access Controls and Data Protection

As a core requirement of CMMC, businesses must ensure they have proper access controls in place for FCI and CUI that are stored in cloud environments. Making sure your data always remains safe is crucial for every business, as highlighted in an affiliated IT company’s recent article, in which Techital details the importance of secure backup, including best practices that help ensure compliance. To ensure CMMC compliance:

  • Enforce Multi-Factor Authentication (MFA) for all accounts accessing CUI.
  • Use Role-Based Access Control to grant employees permissions based on their job needs.
  • Restrict public file sharing—disable external sharing for cloud storage platforms unless required for business operations.
  • Ensure all cloud-stored CUI is encrypted, both at rest and in transit, using industry-standard protocols.
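As an added example, not code from the original article or from Infinity Technologies, the scoping checks from the sections above (mapping data flow, the shared responsibility checks, FedRAMP and FIPS 140-2 verification, and the access-control list) applied to a constructed cloud inventory in Python. It goes one step beyond the text by propagating FCI/CUI scope transitively along integrations, so a service that only receives CUI from another service (the OneDrive to Teams to email flow) is scoped too. The service names, inventory values, and finding strings are constructed assumptions.

```python
# Added example, not the article's code: a CMMC cloud-scoping check over a
# constructed inventory (FedRAMP, MFA, external sharing, FIPS 140-2 checks).
from dataclasses import dataclass, field
@dataclass
class CloudService:
    name: str
    data: set = field(default_factory=set)      # declared: {"FCI"}, {"CUI"}
    sends_to: set = field(default_factory=set)  # services this one feeds
    fedramp: str = "none"                       # "none", "Moderate", "High"
    mfa: bool = False
    external_sharing: bool = False
    fips_encryption: bool = False               # FIPS 140-2, at rest + in transit
def propagate_scope(services):
    """Follow every data flow: a service receiving FCI/CUI from an in-scope
    service is in scope too (e.g. OneDrive -> Teams -> Exchange)."""
    by_name = {s.name: s for s in services}
    scope = {s.name: set(s.data) for s in services}
    changed = True
    while changed:                  # iterate to a fixed point over the graph
        changed = False
        for s in services:
            for dest in s.sends_to:
                if dest in by_name and not scope[s.name] <= scope[dest]:
                    scope[dest] |= scope[s.name]
                    changed = True
    return scope
def assess(services):
    """Apply the article's checks to every in-scope service; return findings."""
    scope = propagate_scope(services)
    findings = []
    for s in services:
        if not scope[s.name]:
            continue                # out of scope: no FCI or CUI reaches it
        cui = "CUI" in scope[s.name]
        if cui and s.fedramp not in ("Moderate", "High"):
            findings.append((s.name, "CUI without FedRAMP Moderate/High"))
        if not s.mfa:
            findings.append((s.name, "MFA not enforced"))
        if s.external_sharing:
            findings.append((s.name, "external sharing enabled"))
        if cui and not s.fips_encryption:
            findings.append((s.name, "CUI not FIPS 140-2 encrypted"))
    return findings
# Constructed inventory: OneDrive holds CUI, feeds Teams, which feeds Exchange.
INVENTORY = [
    CloudService("OneDrive", {"CUI"}, {"Teams"}, "High", True, False, True),
    CloudService("Teams", set(), {"Exchange"}, "High", True, True, True),
    CloudService("Exchange", set(), set(), "High", False, False, True),
    CloudService("Marketing CMS", set(), set(), "none", False, True, False),
]
```

Running `assess(INVENTORY)` flags Teams for external sharing and Exchange for missing MFA, both only because CUI flows into them from OneDrive, while the CMS with no FCI/CUI stays out of scope despite its weaker settings.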

Ensuring CMMC Compliance with Infinity Technologies

Navigating CMMC compliance can be complex. But for businesses in Charlottesville, Richmond, and Fredericksburg, our comprehensive IT managed services ensure you seamlessly achieve compliance. Our expert team ensures your cloud infrastructure aligns with CMMC 2.0 standards by:

  • Providing IT support in Charlottesville, Richmond, and Fredericksburg to assess and secure cloud environments.
  • Reviewing cloud vendors to ensure they meet required cybersecurity standards.
  • Implementing security controls, including encryption, access restrictions, and continuous monitoring.
  • Offering managed IT services in Fredericksburg for ongoing compliance management and risk assessments.

CMMC Compliance Update: What’s New in October 2025

The Cybersecurity Maturity Model Certification (CMMC) has officially moved from planning to enforcement. The Department of Defense (DoD) published the final CMMC Acquisition Rule (48 CFR) on September 10, 2025, and CMMC requirements will begin appearing in contracts from November 10, 2025. From that point, certification at the required level will be mandatory to win new DoD contracts.

Key Timeline:

CMMC rollout will happen in four phases:

  • Phase 1 (Nov 2025–Nov 2026): Level 1 & 2 self-assessments required for contracts involving FCI and CUI.
  • Phase 2 (Nov 2026–Nov 2027): Third-party Level 2 (C3PAO) assessments for sensitive CUI.
  • Phase 3 (Nov 2027–Nov 2028): Level 3 assessments for prioritized CUI.
  • Phase 4 (Nov 2028+): Full implementation across all DoD contracts.

CMMC Levels:

  • Level 1 (FCI): 15 basic practices; annual self-assessment.
  • Level 2 (CUI): 110 practices aligned with NIST SP 800-171; mix of self- and third-party certification.
  • Level 3 (Prioritized CUI): Adds NIST SP 800-172 controls; DoD-led assessments.

What Businesses Should Do Now:

  • Identify your required CMMC level.
  • Conduct a gap analysis (especially for Level 2).
  • Update your System Security Plan (SSP) and POA&M.
  • Schedule your assessment or self-attestation.
  • Ensure your cloud provider meets FedRAMP Moderate or equivalent standards.

With fewer than 100 authorized assessors and thousands of contractors needing certification, preparation is critical. CMMC compliance isn’t just about eligibility – it’s about demonstrating cybersecurity maturity and trustworthiness in the defense supply chain.

Ready to Strengthen Your Cybersecurity?

Cloud services are a critical component of CMMC compliance—but without the right safeguards, they can become a security risk. Carefully evaluating which cloud solutions fall within your CMMC scope and implementing the right protection can secure sensitive data, maintain compliance, and protect your government contracts.

CMMC isn’t just about compliance—it’s about protecting your business. Strengthen your cybersecurity today with expert support.