This post highlights important compliance terminology. As an AWS Certified Solutions Architect – Professional, I consider secure and compliant workload deployment a core part of my professional responsibilities.
Basic Terminology
- CRM – Customer Responsibility Matrices
- CUI – Controlled Unclassified Information
- OSA – Organization Under Assessment
- OSC – Organization Seeking Certification
- MSP – Managed Service Providers
- CSP – Cloud Serice Provider
- SSP – System Security Plan
- SPA – Security Protection Asset
- C3PAO – Certified 3rd party Assesment Organization
- CUI Asset- S3, RDS, ElasticSearch, SQS
CMMC Domains
- AC – Access Controls
- AT- Awareness & Training
- AU- Audit & Accountability
- CM – Configuration Management
- IA – Identification & Authentication
- IR – Incident Response
- MA – Maintenance
- MP – Media Protection
- PS – Personnel Security
- PE – Physical Protection
- RA – Risk Assessment
- SA – Security Assessment
- SC – System and Communications Protection
- SI – System and Information Integrity
GovCloud
AWS GovCloud (US) account access and registration are restricted to eligible U.S. entities and U.S. Persons, but that does not automatically mean every application user must be a U.S. Person. Application-level access is controlled separately by the customer’s authentication and authorization model. However, if the workload processes ITAR, export-controlled data, CUI, or other regulated data, the customer must ensure that access by non-U.S. persons does not violate the applicable compliance or export-control requirements.
GovCloud eligibility controls who can own/manage the AWS GovCloud environment. It does not automatically enforce who can use your application. You must design application access based on the data classification and legal/compliance requirements.
AWS usually says “U.S. Persons,” not only “U.S. Citizens.”
Operational Practices
Do this right after you got GovCloud access:
- Create administration IAM user with “.
- Enable MFA
- Delete root user keys right after crating these admins.
SDLC
The software development lifecycle has advanced significantly in recent years. Modern development practices emphasize secure design, protection of data both in transit and at rest, reproducible builds and deployments, auditability, and clear accountability throughout the delivery process.
It all starts with the code repository. Although popular source-code hosting providers offer private repositories and controls for managing access, not every offering is appropriate for regulated workloads. For example, a standard GitHub account should not be treated as FedRAMP-authorized, while GitHub Enterprise Cloud is a separate offering that can meet FedRAMP authorization requirements.
AWS CodeCommit
In July 2024, AWS stopped making CodeCommit available to new customers, while allowing existing customers to continue using the service. After customer feedback, AWS reopened CodeCommit to new customers in November 2025.
The advantage of CodeCommit is that it is an AWS-native managed Git service and is included in AWS’s FedRAMP compliance scope. AWS GovCloud regions support FedRAMP High workloads, while AWS commercial regions such as us-east-1 and us-east-2 are commonly used for FedRAMP Moderate workloads. This makes CodeCommit a potentially strong option for organizations that want their source-code repository, IAM controls, CI/CD pipeline, logging, and audit evidence to remain within the AWS compliance boundary.
Terraform
Terraform generates instructions for cloud providers and is considered an Infrastructure as Code (IaC) tool. Use checkov from Palo Alto Networks to scan Terraform templates before deployment. The results of this scan should be reviewed and used to harden the deployment before infrastructure changes are applied. Sample cli screen from checkov:

To control cost consider using infracost. Sample infracts results:
