AWS Public Sector Blog

AWS achieves U.S. Department of Defense’s CMMC Level 2 certification for Controlled Working Environment

Amazon Web Services (AWS) has achieved the U.S. Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Level 2 certification for the Controlled Working Environment (CWE). This certification enhances our DoD contract support capabilities and demonstrates our cybersecurity commitment.

Understanding CMMC

The U.S. Department of Defense (DoD) established the Cybersecurity Maturity Model Certification (CMMC) Program to combat increasing cyber threats to the Defense Industrial Base (DIB). This program assesses and enforces cybersecurity requirements, protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared during contract performance.

CMMC certification levels

The program consists of three progressive certification levels:

Level 1: Basic FCI Safeguarding

  • Annual self-assessment required
  • Annual compliance affirmation
  • Implements 15 security requirements from FAR clause 52.204-21

Level 2: CUI Protection

  • Assessment method determined by solicitation:
    • Self-assessment OR
    • Third-Party Assessment Organization (C3PAO) evaluation
  • Three-year certification validity
  • Annual compliance affirmation
  • Implements 110 security requirements from NIST SP 800-171 Revision 2

Level 3: Advanced CUI Protection

  • Requires completed CMMC Level 2 certification
  • DIBCAC assessment every three years
  • Annual compliance affirmation
  • Implements 24 additional requirements from NIST SP 800-172
  • Designed to counter Advanced Persistent Threats

A Level 2 or Level 3 certification is valid for three years, and the organization must affirm continued compliance annually throughout that period. Certification status directly determines eligibility for contracts that carry CMMC requirements, which makes the program central to protecting the DIB supply chain and national security.

About the CWE

AWS Worldwide Public Sector (WWPS) developed the CWE to support DoD and federal government operations. This infrastructure manages FCI, CUI, and International Traffic in Arms Regulations (ITAR) data in compliance with Defense Federal Acquisition Regulation Supplement (DFARS). The CWE meets National Institute of Standards and Technology (NIST) Special Publication 800-171 revision 2 and CMMC Level 2 requirements.

Key achievements

The key achievements of the CWE include:

  • Federal Government Assessment Program (FGAP) team completed the assessment ahead of schedule with no findings
  • AWS experts demonstrated security practices during C3PAO interviews
  • Assessment covered all 110 NIST SP 800-171 Revision 2 security requirements across 14 domains
  • CMMC Level 2 Certificate of Compliance issued (valid for three years)

Assessment details

Coalfire, a cybersecurity advisory firm, conducted the assessment as a certified CMMC Third-Party Assessment Organization (C3PAO) and Registered Provider Organization (RPO). Coalfire Federal’s assessment team awarded AWS a perfect score of 110 out of 110, with no findings against any requirement.

Amy Williams, VP CMMC for Coalfire Federal, noted: “Coalfire Federal’s CMMC Assessment team thoroughly enjoyed working with the AWS Team. Their level of preparedness was matched by their professionalism, leading to a smooth and successful engagement.” 

Next steps

AWS continues to uphold CMMC Level 2 certification requirements through scheduled annual assessments and the annual compliance affirmation the program requires. Concurrently, we are implementing the additional NIST SP 800-172 security controls and processes needed for CMMC Level 3 certification, which will further strengthen our ability to protect advanced DoD programs.

For CMMC acceleration guidance with AWS, email us.

Travis Goldbach

Travis has over 15 years of experience as a cybersecurity and compliance professional, with a demonstrated ability to map key business drivers to client success. He joined AWS in 2021 to help AWS customers and partners accelerate their DFARS, NIST, and CMMC compliance efforts while reducing their level of effort and risk. Prior to AWS, Travis was a CMMC Program Leader at a top Managed Security Service Provider (MSSP), where he also led a team of cybersecurity consultants focused on helping Aerospace & Defense companies build cybersecurity programs that meet some of the most stringent compliance requirements.