What Unreviewed Cloud Infrastructure Costs You in a CMMC Assessment
Cloud environments that have grown without systematic decommission planning create two categories of risk: financial waste that erodes contract margin, and configuration gaps that surface as findings in a CMMC Level 2 assessment. For GovCon contractors operating AWS GovCloud, Azure Government, or GCP Assured Workloads environments that touch Controlled Unclassified Information, both risks are compounding as the November 2026 C3PAO mandatory assessment deadline approaches. This article maps the specific infrastructure conditions that a Phase 1 cloud audit identifies to the NIST 800-171 Rev 3 control families they affect, and outlines
CM-8: System Component Inventory and the Orphaned Resource Problem
NIST SP 800-171 Rev 3 requirement 3.4.10, System Component Inventory (derived from SP 800-53 CM-8; the same inventory requirement sat under 3.4.1 in Rev 2), requires organizations to develop, document, and maintain an inventory of system components. The Rev 3 text carries an Organization-Defined Parameter for how often that inventory is reviewed and updated. One caveat for planning: the CMMC rule in 32 CFR Part 170 currently assesses Level 2 against Rev 2, so Rev 3 ODP values are the forward baseline you document in the SSP, while the Rev 2 assessment objectives are what the assessor scores today.
An unreviewed cloud environment contains resources with no active owner, no documented purpose, and no decommission decision on record. Unattached EBS volumes, idle load balancers, and orphaned static IP addresses are not just billing line items. They are system components that exist inside the authorization boundary with no SSP entry, no security controls actively applied to them, and no configuration baseline documentation.
A C3PAO assessor reviewing your environment will find these resources. They will ask for the inventory entry. If none exists, the finding goes in the assessment report. Understanding the read-only forensic audit methodology used to identify and document these components, across EBS volumes, static IPs, and idle load balancers via platform-native APIs (the same describe and list calls the console itself uses, executed with read-only credentials), is the foundation of a defensible inventory posture.
The Cloud Execution Ledger produced in a Phase 1 audit is CM-8 documentation. It is a timestamped inventory of every resource reviewed, every resource with no active operational purpose identified, and every remediation action taken. It demonstrates that the inventory review was conducted, when it was conducted, and what changed as a result.
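As an added illustration of the read-only inventory step described above (example code written for this page, not the audit tooling the page describes), the block below takes responses shaped like `ec2 describe_volumes`, `ec2 describe_addresses`, and `elbv2 describe_load_balancers`, identifies the three orphan classes named in the text, and emits a timestamped ledger record per finding. The payloads, account id, ARNs and the `TARGETS_BY_LB` lookup are constructed sample data; in a live audit they come from boto3 calls made with a read-only role.

```python
"""Build a timestamped orphaned-resource ledger from AWS describe_* style output.

Added example. All payloads are constructed to match the shape of the EC2 /
ELBv2 API responses; nothing here is real account data.
"""
from datetime import datetime, timezone

# Constructed sample: one attached volume, one volume sitting in 'available' state.
VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "State": "in-use", "Size": 100,
     "Attachments": [{"InstanceId": "i-0aaa", "State": "attached"}]},
    {"VolumeId": "vol-0bbb", "State": "available", "Size": 500, "Attachments": []},
]}
# Constructed sample: one associated Elastic IP, one allocated but never associated.
ADDRESSES = {"Addresses": [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-1", "AssociationId": "eipassoc-1"},
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-2"},
]}
LB_A = "arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:111122223333:loadbalancer/app/lb-a/1"
LB_B = "arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:111122223333:loadbalancer/app/lb-b/2"
LOAD_BALANCERS = {"LoadBalancers": [{"LoadBalancerArn": LB_A}, {"LoadBalancerArn": LB_B}]}
# Assumed helper shape: registered targets per load balancer, which an auditor
# gathers by walking describe_target_groups(LoadBalancerArn=...) and then
# describe_target_health() for each target group.
TARGETS_BY_LB = {LB_A: [{"Target": {"Id": "i-0aaa"}}], LB_B: []}


def unattached_volumes(volumes):
    """EBS volumes in 'available' state with no attachments belong to no instance."""
    return [v["VolumeId"] for v in volumes["Volumes"]
            if v["State"] == "available" and not v.get("Attachments")]


def unassociated_addresses(addresses):
    """Elastic IPs without an AssociationId are allocated, billed, and unused."""
    return [a["PublicIp"] for a in addresses["Addresses"] if "AssociationId" not in a]


def idle_load_balancers(load_balancers, targets_by_lb):
    """Load balancers whose target groups register no targets are serving nothing."""
    return [lb["LoadBalancerArn"] for lb in load_balancers["LoadBalancers"]
            if not targets_by_lb.get(lb["LoadBalancerArn"])]


def build_ledger(volumes, addresses, load_balancers, targets_by_lb, reviewed_at=None):
    """Return a CM-8 style record: what was reviewed, when, and what had no purpose."""
    reviewed_at = reviewed_at or datetime.now(timezone.utc)
    findings = (
        [{"type": "ebs-volume", "id": i} for i in unattached_volumes(volumes)]
        + [{"type": "elastic-ip", "id": i} for i in unassociated_addresses(addresses)]
        + [{"type": "load-balancer", "id": i}
           for i in idle_load_balancers(load_balancers, targets_by_lb)]
    )
    for f in findings:
        f.update({"control": "CM-8",
                  "status": "no active operational purpose identified",
                  "action": "pending decommission decision"})
    reviewed = (len(volumes["Volumes"]) + len(addresses["Addresses"])
                + len(load_balancers["LoadBalancers"]))
    return {"reviewed_at": reviewed_at.isoformat(), "reviewed_count": reviewed,
            "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(build_ledger(VOLUMES, ADDRESSES, LOAD_BALANCERS, TARGETS_BY_LB), indent=2))
```

The ledger deliberately records the count of everything reviewed, not only the findings: an assessor asking "did you look at all of it?" is answered by `reviewed_count` and `reviewed_at`, which is the evidence the inventory-review ODP actually needs.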
AC-2 and AC-6: Access Control and the Principle of Least Privilege
NIST 800-171 Rev 3 requirements 3.1.1, Account Management (AC-2), and 3.1.5, Least Privilege (AC-6), require organizations to manage system accounts and enforce least privilege. (Requirement 3.1.2 is Access Enforcement, AC-3, not least privilege.) The Rev 3 ODPs for 3.1.5 require contractors to define the security functions and security-relevant information to which privileged access is authorized, and the frequency at which assigned privileges are reviewed.
IAM misconfigurations are the most common finding in GovCon cloud environments operating without a dedicated security review function. Wildcard IAM permissions ("Action": "*" or "Resource": "*" in an Allow statement) attached to any role, user, or group violate AC-6 directly; the AWS-managed AdministratorAccess policy is exactly that statement, so an administrator-equivalent role on a principal that does not need it is the same finding. IAM users with administrator-equivalent role bindings who are no longer active on the contract violate AC-2. Service accounts with Owner-level role assignments at the GCP project level are the same category of finding with different syntax.
Phase 1 does not remediate these findings, because read-only access does not permit IAM policy changes. But Phase 1 documents them with specificity: which principal, which permission boundary violation, which control mapping applies. That documentation is the input the Phase 2 remediation sprint requires to execute IAM lockdown under CAB approval.
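The two AC findings described above are mechanical to detect once the policy documents and account activity are in hand. The block below is an added example written for this page (not the audit tooling the page describes): it parses IAM policy documents of the shape returned by `iam get_policy_version` and `get_role_policy`, flags Allow statements that grant every action or every resource, and lists admin-equivalent users idle beyond a threshold. It also flags `NotAction` in Allow statements, which the text does not mention but which grants everything not listed and is the same finding. The policy ARNs, user records, dates and the 90-day idle threshold are constructed assumptions; `AdminEquivalent` stands for a flag an auditor would derive from `get_account_authorization_details`.

```python
"""Flag wildcard IAM grants and stale admin-equivalent users from read-only IAM data.

Added example with constructed policies and users; no real account data.
"""
from datetime import datetime, timedelta, timezone

APP_DEPLOY = "arn:aws-us-gov:iam::111122223333:policy/AppDeploy"
S3_READ = "arn:aws-us-gov:iam::111122223333:policy/S3ReadOnly"

# Constructed policy documents. IAM accepts a bare dict or a list for Statement,
# and a bare string or a list for Action / Resource, so the parser handles both.
POLICIES = {
    APP_DEPLOY: {"Version": "2012-10-17", "Statement": [
        {"Sid": "Logs", "Effect": "Allow", "Action": ["logs:PutLogEvents"],
         "Resource": "arn:aws-us-gov:logs:*:111122223333:log-group:/app/*"},
        {"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        # A Deny with wildcards is a guardrail, not a grant, and is not flagged.
        {"Sid": "DenyGuard", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ]},
    S3_READ: {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "arn:aws-us-gov:s3:::cui-bucket/*"}},
}

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)   # assumed audit date
# Constructed user summary: AdminEquivalent is derived by the auditor, LastActivity
# is the later of password last used and access key last used (None = never).
USERS = [
    {"UserName": "alice", "AdminEquivalent": True, "LastActivity": NOW - timedelta(days=3)},
    {"UserName": "bob", "AdminEquivalent": True, "LastActivity": NOW - timedelta(days=150)},
    {"UserName": "carol", "AdminEquivalent": True, "LastActivity": None},
    {"UserName": "dave", "AdminEquivalent": False, "LastActivity": NOW - timedelta(days=200)},
]


def _as_list(value):
    """Normalise the string-or-list forms IAM allows in policy JSON."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_grants(policy_document):
    """Allow statements granting every action, every resource, or using NotAction."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        reasons = []
        if "*" in _as_list(stmt.get("Action")):
            reasons.append("Action:*")
        if "*" in _as_list(stmt.get("Resource")):
            reasons.append("Resource:*")
        if "NotAction" in stmt:
            reasons.append("NotAction (allows everything not listed)")
        if reasons:
            findings.append({"sid": stmt.get("Sid", f"statement[{idx}]"),
                             "reasons": reasons, "control": "AC-6"})
    return findings


def audit_policies(policies):
    """Map policy ARN -> wildcard findings, omitting clean policies."""
    result = {}
    for arn, doc in policies.items():
        findings = wildcard_grants(doc)
        if findings:
            result[arn] = findings
    return result


def stale_admins(users, now=NOW, max_idle_days=90):
    """Admin-equivalent users idle past the threshold, or never used, are AC-2 findings."""
    cutoff = now - timedelta(days=max_idle_days)
    return [u["UserName"] for u in users
            if u["AdminEquivalent"]
            and (u["LastActivity"] is None or u["LastActivity"] < cutoff)]


if __name__ == "__main__":
    print(audit_policies(POLICIES))
    print(stale_admins(USERS))
```

Triage note: `Resource: "*"` on its own is unavoidable for many `Describe*` and `List*` actions that have no resource-level permissions, so a `Resource:*` finding with read-only actions is documented but usually closed; `Action: "*"` on anything other than a break-glass role is the one that goes to the Phase 2 lockdown list.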
SC-28: Protection of Information at Rest
NIST 800-171 requirement 3.13.16 (SC-28) requires protecting the confidentiality of CUI at rest. Where that protection is encryption, requirement 3.13.11 adds that the cryptography must be FIPS-validated (FIPS 140-2 or 140-3 modules), which in practice means server-side encryption, backed by a validated module, enabled at the volume and bucket level for every storage resource inside the CUI assessment boundary.
Unencrypted EBS volumes (Encrypted: false in describe_volumes output) are straightforward SC-28 findings. Azure managed disks and GCP Persistent Disks are always encrypted at rest with platform-managed keys, so the analogous finding on those platforms is a CUI disk left on platform-managed keys where the SSP commits to customer-managed keys (an Azure disk encryption set, GCP CMEK), or a key that cannot be shown to live in a FIPS-validated module. All of this is identifiable under read-only access: encryption status and key references are exposed in the resource metadata, so no write-level inspection is needed.
Phase 1 surfaces these findings in the Infrastructure Health and Security Snapshot. SC-28 gaps are among the most common CMMC pre-assessment failures for GovCon cloud environments and among the fastest to remediate once identified.
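To show what the read-only SC-28 check looks like in practice, the block below is an added example written for this page (not the Snapshot tooling the page describes). It classifies EBS volumes from `describe_volumes`-shaped data into unencrypted, encrypted with the AWS-managed key, or encrypted with a customer-managed key, using the `KeyManager` field that `kms describe_key` returns, and also reports the account-level `get_ebs_encryption_by_default` setting, since an account with that switch off will keep producing unencrypted volumes. Scoping CUI volumes by a `DataClassification=CUI` tag and the policy of requiring a customer-managed key are assumptions; all payloads are constructed.

```python
"""Classify EBS volumes by encryption state and key ownership from read-only metadata.

Added example. VOLUMES mimics ec2 describe_volumes, KMS_KEYS the KeyManager
field of kms describe_key, and DEFAULT_ENCRYPTION the response of
ec2 get_ebs_encryption_by_default. All data is constructed.
"""
CUI_TAG = ("DataClassification", "CUI")   # assumed scoping tag

KEY_AWS = "arn:aws-us-gov:kms:us-gov-west-1:111122223333:key/aaaa-aws-ebs"
KEY_CMK = "arn:aws-us-gov:kms:us-gov-west-1:111122223333:key/bbbb-customer"

VOLUMES = {"Volumes": [
    {"VolumeId": "vol-01", "Encrypted": False,
     "Tags": [{"Key": "DataClassification", "Value": "CUI"}]},
    {"VolumeId": "vol-02", "Encrypted": True, "KmsKeyId": KEY_AWS,
     "Tags": [{"Key": "DataClassification", "Value": "CUI"}]},
    {"VolumeId": "vol-03", "Encrypted": True, "KmsKeyId": KEY_CMK,
     "Tags": [{"Key": "DataClassification", "Value": "CUI"}]},
    {"VolumeId": "vol-04", "Encrypted": False, "Tags": []},   # outside CUI scope
]}
# describe_key returns KeyManager "AWS" for aws/ebs and other AWS-managed keys,
# "CUSTOMER" for keys the account created.
KMS_KEYS = {KEY_AWS: {"KeyManager": "AWS"}, KEY_CMK: {"KeyManager": "CUSTOMER"}}
DEFAULT_ENCRYPTION = {"EbsEncryptionByDefault": False}


def in_cui_scope(volume, tag=CUI_TAG):
    """A volume is in scope when it carries the agreed classification tag."""
    return any(t["Key"] == tag[0] and t["Value"] == tag[1] for t in volume.get("Tags", []))


def classify(volume, kms_keys):
    """Return one of: unencrypted, aws-managed-key, customer-managed-key, unknown-key."""
    if not volume.get("Encrypted"):
        return "unencrypted"
    manager = kms_keys.get(volume.get("KmsKeyId"), {}).get("KeyManager")
    if manager == "CUSTOMER":
        return "customer-managed-key"
    if manager == "AWS":
        return "aws-managed-key"
    return "unknown-key"   # key not describable with our read-only role, or deleted


def sc28_findings(volumes, kms_keys, default_encryption, require_cmk=True):
    """SC-28 findings for in-scope volumes plus the account default setting."""
    findings = []
    for v in volumes["Volumes"]:
        if not in_cui_scope(v):
            continue
        state = classify(v, kms_keys)
        if state == "unencrypted":
            findings.append({"id": v["VolumeId"], "state": state, "severity": "high"})
        elif state == "unknown-key" or (require_cmk and state == "aws-managed-key"):
            findings.append({"id": v["VolumeId"], "state": state, "severity": "medium"})
    if not default_encryption.get("EbsEncryptionByDefault"):
        findings.append({"id": "account", "state": "ebs-encryption-by-default off",
                         "severity": "medium"})
    return findings


if __name__ == "__main__":
    for f in sc28_findings(VOLUMES, KMS_KEYS, DEFAULT_ENCRYPTION):
        print(f)
```

The same three-way split (none, platform key, customer key) is what you report for Azure disk encryption sets and GCP `diskEncryptionKey`; only the field names change. Remediation for an unencrypted EBS volume is a snapshot, an encrypted copy, and a swap, which is why these findings close quickly in Phase 2.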
AU-2 and AU-3: Audit Logging and Event Coverage
NIST 800-171 Rev 3 requirements 3.3.1, Event Logging (AU-2), and 3.3.2, Audit Record Content (AU-3), require organizations to log the event types needed for monitoring, analysis, investigation, and reporting, and to capture enough content in each record to establish what happened, when, where, who did it, and the outcome. The Rev 3 ODPs for 3.3.1 require the organization to specify the event types that are logged and how often that selection is reviewed.
GovCon cloud environments without centralized, immutable logging configurations are AU-2 and AU-3 gaps by definition. The cloud spend visibility gap in federal environments, where agencies consistently underreport spending because they lack consistent collection processes, is the same structural problem that produces absent audit logging: no one assigned to look means no record of what changed. Environments where CloudTrail is not enabled in all active regions, where Azure Activity Log diagnostic settings do not forward subscription-level events to a Log Analytics workspace or storage account, or where GCP Data Access audit logs are left at their disabled default (Admin Activity logs cannot be switched off, but on their own they miss reads of CUI) have an incomplete audit record of the changes and access that occur in the environment.
Phase 1 identifies absent or incomplete logging configurations as a security finding. Phase 2 remediates them. The Compliance Baseline Report produced at Phase 2 close documents the before-state (logging absent or incomplete), the remediation executed, the NIST control satisfied, and the UTC timestamp of the configuration change. That document is what a C3PAO pre-assessment coordinator reviews to determine whether the environment is ready for formal assessment scheduling.
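The CloudTrail half of the check above reduces to a coverage question per enabled region. The block below is an added example written for this page (not the Phase 1 tooling): it stands in for `ec2 describe_regions`, `cloudtrail describe_trails` (run with `includeShadowTrails=False` so each trail appears once, in its home region), `get_trail_status` and `get_event_selectors`, and reports which regions have no effective management-event trail and which trails are defective. Region list, trail names and ARNs are constructed.

```python
"""Check CloudTrail management-event coverage across every enabled region.

Added example with constructed trail data; not real account data.
"""
ENABLED_REGIONS = ["us-gov-west-1", "us-gov-east-1"]

WEST = "arn:aws-us-gov:cloudtrail:us-gov-west-1:111122223333:trail/west-only"
ORG = "arn:aws-us-gov:cloudtrail:us-gov-west-1:111122223333:trail/org-trail"

# describe_trails fields that matter for coverage and for record integrity.
TRAILS = [
    {"Name": "west-only", "TrailARN": WEST, "HomeRegion": "us-gov-west-1",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": True},
    {"Name": "org-trail", "TrailARN": ORG, "HomeRegion": "us-gov-west-1",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": False},
]
# get_trail_status: a trail that exists but is stopped records nothing.
TRAIL_STATUS = {WEST: {"IsLogging": True}, ORG: {"IsLogging": False}}
# get_event_selectors: management events must be included for both reads and writes.
EVENT_SELECTORS = {
    WEST: [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    ORG: [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
}


def _captures_management_events(trail, selectors):
    return any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
               for s in selectors.get(trail["TrailARN"], []))


def trail_findings(trail, status, selectors):
    """Defects that make a trail unusable as AU-2/AU-3 evidence."""
    issues = []
    if not status.get(trail["TrailARN"], {}).get("IsLogging"):
        issues.append("not logging")
    if not trail.get("LogFileValidationEnabled"):
        issues.append("log file validation disabled")
    if not _captures_management_events(trail, selectors):
        issues.append("management events not fully captured")
    return issues


def trail_is_effective(trail, status, selectors):
    """Only a logging trail that captures all management events counts for coverage."""
    return (status.get(trail["TrailARN"], {}).get("IsLogging", False)
            and _captures_management_events(trail, selectors))


def audit_coverage(enabled_regions, trails, status, selectors):
    """Regions with no effective trail, plus per-trail defects."""
    covered = set()
    findings = {}
    for trail in trails:
        issues = trail_findings(trail, status, selectors)
        if issues:
            findings[trail["Name"]] = issues
        if trail_is_effective(trail, status, selectors):
            if trail["IsMultiRegionTrail"]:
                covered.update(enabled_regions)
            else:
                covered.add(trail["HomeRegion"])
    return {"uncovered_regions": [r for r in enabled_regions if r not in covered],
            "trail_findings": findings}


if __name__ == "__main__":
    print(audit_coverage(ENABLED_REGIONS, TRAILS, TRAIL_STATUS, EVENT_SELECTORS))
```

Two caveats when you run the real calls: trails configured with advanced event selectors come back under `AdvancedEventSelectors` rather than `EventSelectors`, so the selector parser needs a second branch for that shape, and an organization trail owned by a management account shows up in member accounts as a shadow trail whose status must be read from the owning account. Log file validation is what lets the Compliance Baseline Report claim the record is tamper-evident, which is why its absence is listed as a defect even on a trail that is logging.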
SC-7: Boundary Protection and Open Inbound Rules
NIST 800-171 Rev 3 requirement 3.13.1 (SC-7) requires organizations to monitor and control communications at the external managed interfaces of the system and at key internal managed interfaces within it. That means the SSP has to name those interfaces: which security groups, NSGs, firewall rule sets, and gateways are the boundary, and what each one is meant to admit.
EC2 security groups with inbound rules permitting 0.0.0.0/0 (or ::/0) on port 22 (SSH) or port 3389 (RDP), Azure NSGs with equivalent unrestricted inbound rules (source Internet or *), and GCP firewall rules with 0.0.0.0/0 source ranges on administrative ports are SC-7 findings. These are identifiable under Phase 1 read-only access. They are not a theoretical risk: they are active, open paths into the production environment with no boundary control applied. For the financial structure of a corrective engagement, including the fee model and how savings are calculated against the remediation baseline, see the financial case for corrective cloud engagement that frames this work for budget decision-makers.
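The open-admin-port check is simple to state but has edge cases that a naive "port == 22" match misses: protocol -1 (all traffic) rules carry no port fields, a port range such as 3000-4000 covers 3389 without naming it, and IPv6 ::/0 is as open as 0.0.0.0/0. The block below is an added example written for this page (not the Phase 1 tooling) that handles those cases for `describe_security_groups`-shaped data and applies the same logic to the `securityRules` array of an Azure NSG, to show that the Azure finding is the same one with different syntax. Group ids, rule names and addresses are constructed.

```python
"""Find administrative ports exposed to the whole internet in EC2 security groups
and Azure NSG rules.

Added example with constructed rules; not real account data.
"""
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"

SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-01", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-02", "GroupName": "legacy", "IpPermissions": [
        # All traffic from any IPv6 address: no FromPort/ToPort on protocol -1.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # A range that silently includes 3389.
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-03", "GroupName": "internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]}

NSG_RULES = [
    {"name": "allow-rdp", "properties": {"direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"}},
    {"name": "allow-ssh-office", "properties": {"direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "22"}},
    {"name": "allow-any", "properties": {"direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRanges": ["1000-2000", "22"]}},
]


def _covers(port, proto, lo, hi):
    """True when a TCP-capable rule spanning [lo, hi] reaches an admin port."""
    return proto in ("-1", "tcp", "Tcp", "*") and lo <= port <= hi


def exposed_in_security_groups(groups):
    """(GroupId, port, service) for every admin port reachable from the world."""
    hits = set()
    for sg in groups["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                       + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            if not any(s in (WORLD_V4, WORLD_V6) for s in sources):
                continue
            proto = perm["IpProtocol"]
            lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            for port, name in ADMIN_PORTS.items():
                if _covers(port, proto, lo, hi):
                    hits.add((sg["GroupId"], port, name))
    return sorted(hits)


def _nsg_port_ranges(props):
    """Yield (lo, hi) for destinationPortRange or destinationPortRanges."""
    ranges = props.get("destinationPortRanges") or [props.get("destinationPortRange")]
    for r in ranges:
        if r == "*":
            yield 0, 65535
        elif "-" in r:
            lo, hi = r.split("-")
            yield int(lo), int(hi)
        else:
            yield int(r), int(r)


def exposed_in_nsg(rules):
    """(rule name, port, service) for inbound Allow rules open to the internet."""
    hits = set()
    for rule in rules:
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix")]
        if not any(s in ("*", "Internet", WORLD_V4, WORLD_V6) for s in sources):
            continue
        for lo, hi in _nsg_port_ranges(p):
            for port, name in ADMIN_PORTS.items():
                if _covers(port, p["protocol"], lo, hi):
                    hits.add((rule["name"], port, name))
    return sorted(hits)


if __name__ == "__main__":
    print(exposed_in_security_groups(SECURITY_GROUPS))
    print(exposed_in_nsg(NSG_RULES))
```

One difference the example does not model: NSG rules are evaluated in priority order, so an internet-facing Allow is only effective if no higher-priority Deny covers the same traffic, whereas security group rules are purely additive. Treat an NSG hit as a finding to confirm against the full rule set rather than as proof of exposure on its own.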
The Documentation Posture Required Before a C3PAO Assessment
A C3PAO pre-assessment review does not evaluate your controls in isolation. It evaluates your documentation of those controls: what was the state before, what did you do, when did you do it, and how do you know it worked.
An organization that walks into a C3PAO pre-assessment with an unreviewed cloud environment has no answers to those questions. The findings will be documented in the assessment report, the remediation timeline will be set by the C3PAO's schedule, not yours, and the certification window will move out accordingly.
A Phase 1 GovCon Cloud Infrastructure Audit establishes the before-state documentation. A Phase 2 Cybersecurity Hardening Sprint produces the remediation evidence. Together, those two engagements produce the Compliance Baseline Report, a document with timestamped, control-mapped remediation evidence for every finding identified. That report is what a C3PAO pre-assessment coordinator needs to confirm an organization is ready for formal assessment scheduling.
With mandatory C3PAO assessments required for CMMC Level 2 certification effective November 2026, the documentation timeline is not generous. A Phase 1 audit completes in 5 business days. Phase 2 remediation runs 14 calendar days. If your environment has not been reviewed and the findings have not been documented, that clock is running.
THE 2026 DELTA
The January 5, 2026 GSA CUI Guide formalized what many GovCon compliance teams had been treating as guidance: self-attestation is no longer sufficient for CUI-handling contractors. The Guide's nine showstopper controls include MFA enforcement, boundary protection, cryptographic integrity at rest, and audit logging: the exact control areas that unreviewed cloud environments most commonly fail.
The Guide states explicitly that third-party verification is now the expected standard for contractors handling CUI at scale. An Infrastructure Health and Security Snapshot that documents gaps in MFA coverage, boundary protection configurations, and logging completeness is the input to that third-party verification process. It does not replace the C3PAO assessment; it establishes the remediation record that makes assessment scheduling viable.
NIST 800-171 Rev 3 ODP values give GovCon contractors a practical mechanism to demonstrate compliance specificity. Defining the inventory review frequency (3.4.10 / CM-8), the privileged functions and privilege review frequency (3.1.5 / AC-6), and the logged event types (3.3.1 / AU-2) in writing, and then producing timestamped evidence that those parameters were actually applied, is the difference between an SSP that describes a compliant posture and documentation that proves one.
The Compliance Baseline Report produced at the close of a Phase 2 Cybersecurity Hardening Sprint is that documentation. It is built from the findings the Phase 1 audit surfaces. The Phase 1 GovCon Cloud Infrastructure Audit is where that chain of evidence starts.