Shared Responsibility in the Cloud: What CMMC Requires vs. What Cloud Providers Actually Cover
A practical breakdown for defense contractors on where provider responsibility ends and your CMMC obligations begin
One of the most persistent misconceptions in cloud-based CMMC compliance is that moving to a FedRAMP-authorized cloud environment solves the problem. It does not. Cloud providers secure the infrastructure on which your workloads run. They do not configure your environment, manage your users, write your policies, or produce the evidence an assessor will require.
Understanding exactly where provider responsibility ends and where yours begins is not a compliance detail. It is the foundation of your entire CMMC strategy. Get it wrong, and you may sail through a self-assessment only to fail a C3PAO evaluation because controls you assumed were covered were never actually configured.
This guide breaks down the shared responsibility model through a CMMC lens, with a full control-by-control comparison table and guidance on the gaps we see most often at Tego, a CMMC Registered Practitioner Organization (RPO) serving the defense industrial base.
How the Shared Responsibility Model Works
The shared responsibility model is a framework used by every major cloud provider to define which security controls the provider manages and which the customer must implement. The split depends on the type of service being consumed.
For Infrastructure as a Service (IaaS), providers manage physical security, the hypervisor, and network infrastructure. Customers manage everything above: operating systems, middleware, applications, data, and access control.
For Platform as a Service (PaaS) and Software as a Service (SaaS), the provider takes on more of the stack. But even in a fully managed SaaS environment, the customer still owns identity configuration, data handling, and compliance documentation.
FedRAMP authorization establishes that a cloud provider has implemented and documented a defined set of security controls in accordance with NIST SP 800-53. It does not mean the provider is CMMC-compliant on your behalf. FedRAMP covers provider-layer controls. CMMC requires you to demonstrate compliance with NIST SP 800-171 across your entire CUI boundary, including everything you configure and operate on top of that infrastructure.
A FedRAMP-authorized cloud is a compliant foundation. It is not a compliant environment. That distinction determines whether you pass or fail your assessment.
What Cloud Providers Actually Cover
When you use a FedRAMP High or Moderate-authorized cloud environment such as Microsoft Azure Government, AWS GovCloud, or Google Cloud for Government, the provider takes responsibility for the following:
Physical and Environmental Security
Data center physical access, surveillance, environmental controls, power redundancy, and hardware lifecycle management are entirely provider-managed. These map to the Physical Protection (PE) family in NIST SP 800-53 and provide inherited coverage for CMMC assessors reviewing your infrastructure layer.
Hypervisor and Virtualization Security
The provider manages and patches the hypervisor, ensures tenant isolation, and prevents cross-tenant data exposure at the infrastructure level. Your virtual machines run on top of this layer, but it is not your responsibility to secure or document it.
Core Network Infrastructure
Backbone routing, inter-datacenter connectivity, and platform-level distributed denial-of-service (DDoS) protection are provider-managed. The provider’s network infrastructure is covered under their FedRAMP package.
Managed Service Patching
For fully managed platform services such as managed databases, managed Kubernetes, or serverless functions, the provider patches and maintains the underlying platform. This does not extend to customer-deployed virtual machines, containers, or applications.
Everything the provider covers is documented in their FedRAMP System Security Plan. Request it. Read the customer responsibility matrix. That document tells you exactly what you own.
What Your Organization Must Still Manage
Even in the most managed cloud environment, a substantial portion of CMMC-relevant controls remains entirely your responsibility. These are not optional enhancements. They are requirements your C3PAO assessor will evaluate directly.
Identity and Access Management
The cloud platform provides IAM tooling. You must configure it. That means defining roles, enforcing MFA for all users, applying least privilege, auditing service accounts, and documenting your access control policy. An unconfigured IAM environment with default settings is not CMMC-compliant, regardless of the provider’s FedRAMP status.
Configuration and Hardening
Cloud resources do not deploy in a CMMC-ready state. Storage buckets, virtual machines, network security groups, and application services all require hardening against CMMC baselines. Configuration drift, where resources move out of their compliant baseline state over time, must be detected and corrected through an active configuration management program.
CUI Data Handling
The cloud provider stores whatever you put in its environment. They do not classify your data, prevent CUI from being placed in the wrong location, or ensure your encryption keys are managed correctly. Data governance, CUI labeling, and storage boundary enforcement are your responsibility.
Monitoring, Logging, and Alerting
Cloud platforms generate extensive log data. Collecting it, configuring meaningful alerts, reviewing events, and retaining logs in accordance with CMMC requirements are your responsibility. A logging service that is turned on but never reviewed does not satisfy the monitoring requirements under NIST SP 800-171 3.3.1 and 3.3.2.
Incident Response
The provider may notify you of a platform-level incident. Your response to any security event affecting CUI in your environment is entirely your responsibility. You own the incident response plan, the evidence preservation, the DIBCAC notification procedures under DFARS 252.204-7012, and the after-action documentation.
All Compliance Documentation
No cloud provider will write your System Security Plan, manage your Plan of Action and Milestones, or produce your policy library. These are non-negotiable CMMC deliverables that your organization must author, maintain, and present to your assessor.
Shared Responsibility Comparison: Provider vs. Customer
The table below maps key control areas to provider and customer responsibility in a typical FedRAMP-authorized IaaS or PaaS environment. Use this as a starting point for your own customer responsibility review.
| Control Area | Cloud Provider Covers | Your Organization Must Cover |
| Physical Security | Full coverage. Cloud providers secure data centers, hardware, and physical access. | No action required for the physical layer. Verify FedRAMP authorization covers your data residency region. |
| Network Infrastructure | Underlying network fabric, core routing, and DDoS protection at the platform level. | Firewall rules, network segmentation, virtual network configuration, and boundary protection controls are your responsibility. |
| Hypervisor and Virtualization | Hypervisor patching and isolation between tenants is provider-managed. | VM-level OS hardening, patching, and configuration management are your team’s responsibility. |
| Identity and Access | Platform-level IAM tools are provided (e.g., Azure AD, AWS IAM). | You must configure roles, enforce MFA, apply least privilege, and manage all user accounts and service accounts. |
| Data Encryption | No action is required for the physical layer. Verify FedRAMP authorization covers your data residency region. | You must enable encryption, manage keys appropriately, and ensure CUI is never stored unencrypted. |
| Configuration Management | Platform defaults exist but are not CMMC-compliant out of the box. | All resource configurations must be hardened to CMMC baselines. Drift must be detected and remediated. |
| Monitoring and Logging | Raw log data is generated and accessible through platform tools. | You must configure log collection, set alert thresholds, retain logs per policy, and review events regularly. |
| Incident Response | Provider may notify of platform-level incidents. | You own the incident response plan, evidence preservation, DIBCAC reporting, and recovery procedures for your environment. |
| Vulnerability Management | Platform infrastructure is patched by the provider. | All customer-deployed systems, containers, and applications require your own scanning and patch management program. |
| Compliance Documentation | FedRAMP packages document provider-level controls. | SSP, POA&M, policies, and procedures covering your configuration and CUI handling are entirely your responsibility. |
Note: Responsibility split may vary for SaaS environments. Always review the provider’s Customer Responsibility Matrix from their FedRAMP package.
Where CMMC Requirements Apply to Your Cloud Environment
CMMC Level 2 requires compliance with all 110 practices across 14 domains from NIST SP 800-171. In a cloud environment, each of those practices applies to your configuration, users, and data. The provider’s FedRAMP package provides inherited coverage for a subset of controls at the infrastructure layer, but most practices require customer action.
Access Control (AC) – 22 Practices
The largest domain in NIST SP 800-171. Access control in a cloud environment requires active configuration of IAM roles, MFA policies, network access controls, and remote access protections. None of these are configured by default to CMMC standards.
Audit and Accountability (AU) – 9 Practices
Log generation is a provider capability. Log collection, retention, review, and alerting are customer responsibilities. Audit and accountability practices require you to demonstrate active monitoring, not just that logging is technically available.
Configuration Management (CM) – 9 Practices
Cloud infrastructure changes constantly. Configuration management under CMMC requires a documented baseline, change control procedures, and a process to detect and remediate drift. This applies to every virtual machine, container, database, and network resource in your CUI environment.
Identification and Authentication (IA) – 11 Practices
MFA, password complexity, session controls, and authenticator management are all customer-configured. Even if the provider offers these capabilities natively, enabling and enforcing them is your responsibility.
Incident Response (IR) – 3 Practices
Your incident response plan must cover cloud-specific scenarios, including compromised credentials, misconfigured storage exposing CUI, and unauthorized access to cloud management consoles. The plan must be tested and the results documented.
Risk Assessment (RA) – 5 Practices
You must conduct periodic risk assessments of your cloud environment and regularly scan for vulnerabilities. Provider security scores and compliance dashboards do not substitute for your own risk assessment documentation.
System and Communications Protection (SC) – 16 Practices
Network segmentation, encryption in transit, boundary protection, and denial-of-service protection at the application layer all require customer configuration, even in fully managed cloud environments.
Common Compliance Gaps We Find in Cloud Environments
After conducting CMMC readiness assessments across dozens of defense contractor environments, these are the gaps Tego encounters most consistently in cloud-hosted CUI environments:
Assuming FedRAMP Equals CMMC Compliance
The most common and consequential misunderstanding. FedRAMP authorization tells you the provider’s infrastructure is secure. It says nothing about whether your configuration on top of that infrastructure meets CMMC requirements. Contractors have failed assessments on controls that were available on the platform but were never enabled.
Default Encryption Settings Left in Place
Major cloud providers offer encryption at rest and in transit, but not all services enable it by default, and not all default configurations meet CMMC requirements for key management. CUI stored in unencrypted or improperly keyed storage is a direct finding.
Logging Without Review
Diagnostic settings are enabled. Logs are flowing to a storage account. Nobody is reviewing them, and no alerts are configured. This satisfies the technical availability requirement for logging, but does not satisfy NIST SP 800-171 3.3.2, which requires the review and reporting of audit logs.
Missing or Stale Documentation
The cloud environment was built by an IT team that understood the technical requirements. Nobody wrote the System Security Plan, documented the configuration baselines, or produced a CUI handling policy. An assessor cannot evaluate controls that are not documented.
Unmanaged Privileged Access
Cloud console access with permanent, standing administrator rights and no MFA is one of the highest-risk configurations in any CMMC environment. Privileged access must be inventoried, MFA-enforced, and logged separately from standard user activity.
Scope Creep Through Ungoverned Integrations
A collaboration tool is connected to a cloud storage container that holds CUI. A third-party integration pulls data from the CUI environment into an unprotected system. Every integration into your cloud environment that touches CUI expands your CMMC scope unless it is explicitly governed and controlled.
The most expensive compliance gaps are the ones nobody knew existed. A readiness assessment finds them before your C3PAO does.
How Tego Bridges the Gap
Tego is a CMMC Registered Practitioner Organization with deep experience in both cloud architecture and compliance. We work with defense contractors operating in cloud environments who need help understanding what they actually own and what needs to be fixed before an assessment.
Our cloud compliance engagements include:
- CMMC Readiness Assessments that include a review of your cloud configuration against all 110 NIST SP 800-171 practices
- Customer responsibility matrix review against your specific FedRAMP-authorized providers
- Cloud enclave design and deployment on Azure Government and AWS GovCloud with CMMC controls built in from the start
- IAM architecture, MFA enforcement, and privileged access management configuration
- SIEM integration and continuous monitoring setup with log review and alerting aligned to CMMC requirements
- SSP development, POA&M management, and full policy and procedure library
We also prepare clients for C3PAO assessments by walking through the evidence review process, identifying documentation gaps, and stress-testing controls before an assessor does.
Tego clients enter their C3PAO assessment knowing exactly what they own, what is covered, and where every piece of evidence resides.
Not Sure What Your Cloud Environment Actually Covers?
Tego’s CMMC Readiness Assessment includes a full cloud responsibility review. We map your provider’s inherited controls, identify what you still need to configure and document, and give you a clear remediation plan before your C3PAO engagement.
Start with a readiness assessment at www.tegodata.com/cmmc.