
Cloud for CMMC Watch

GCC High, AWS GovCloud, and the cloud-services choices that hinge on CMMC scope decisions.


Choice of cloud platform shapes a contractor's CMMC scope, audit cost, and risk posture. This hub tracks platform compliance announcements, FedRAMP authorizations relevant to CUI workloads, and the slow harmonization between FedRAMP, StateRAMP, and CMMC.

What changed in the last 30 days

  • stateramp/regulator

    GovRAMP Policy Papers Push OMB-Led Reciprocity for Cybersecurity Frameworks

    GovRAMP released two publications on April 16 calling for harmonization of overlapping federal and state cybersecurity frameworks built on NIST SP 800-53. The policy white paper identifies OMB-led reciprocity anchored in shared baselines as the highest-impact near-term action. State, local, tribal, and territorial governments are most affected by duplicated compliance efforts and delayed procurement. No rulemaking is proposed; the publications are recommendations intended to support coordinated execution under existing authority.

  • stateramp/regulator

    11 states adopt GovRAMP to cut redundant vendor security reviews

    Arizona, Indiana, Massachusetts, Minnesota, Nevada, New Hampshire, North Carolina, North Dakota, Oregon, Texas, and Utah are using GovRAMP to streamline vendor security assessments and reduce duplicative reviews in cloud procurement, according to an April 22 GovRAMP roundup. Nevada will require GovRAMP-based vendor security evaluations beginning July 1, 2026. The program gives state CIOs and CISOs a single, nationally aligned framework for third-party risk management, replacing state-specific assessment programs such as Arizona's AZRAMP.

  • stateramp/regulator

    GovRAMP working group maps StateRAMP controls to CMMC Levels 1 and 2

    GovRAMP's Framework Harmonization Working Group met April 13 to align GovRAMP requirements with CMMC Levels 1 and 2, identifying shared foundational controls and a new federal overlay for low, moderate, and high impact levels. Providers operating across federal, defense, and state/local markets would be affected by any resulting mutual-recognition pathways. GovRAMP said it will next examine how its authorization can satisfy the FedRAMP Equivalency provision for CMMC and plans to address FedRAMP 20x alignment at a future working group session.

  • stateramp/regulator

    GovRAMP membership required for cloud providers seeking public-sector entry

    GovRAMP membership is the mandatory entry point for cloud service providers, 3PAOs, and consultants that want to participate in the GovRAMP authorization program. According to GovRAMP program data cited in the blog, providers that remain engaged for at least four quarters see higher security outcomes and improve control performance by 40 to 60% within the first year. Organizations that wait for a procurement to require GovRAMP risk delays; membership allows teams to access program guidance and structured pathways before formal assessments begin.

  • stateramp/regulator

    North Carolina adopts GovRAMP cloud security framework for state vendors

    North Carolina will align its cloud product security requirements with the GovRAMP framework, standardizing expectations for providers and reducing duplicative security reviews. The updated requirements take effect April 1, 2026, and apply to all vendors selling cloud services to state agencies. GovRAMP and North Carolina plan educational webinars for providers ahead of the effective date.

  • stateramp/regulator

    Nevada adopts GovRAMP as statewide cloud security standard

    Nevada announced it will adopt GovRAMP as the state's standard framework for cloud security verification across executive branch agencies. The new requirements take effect July 1, 2026, and apply to cloud service providers doing business with Nevada state agencies. Vendors will undergo independent assessment and continuous monitoring through GovRAMP rather than duplicative reviews by individual agencies. GovRAMP and Nevada plan to host webinars ahead of the effective date to walk vendors through the updated requirements.

Open questions

  • 01 When will additional CUI-capable cloud platforms enter the market?
  • 02 How does FedRAMP 20x affect contractors using Moderate platforms?
  • 03 Which platforms have publicly attested to NIST 800-171 r3 readiness?

Sources we watch