AeoliTech Whitepaper

Azure GCC High CMMC Architecture

Expert research on CMMC preparation and defense compliance

Reference Architecture for CUI Workloads in Microsoft Azure Government

Author: Leonard Esere, Senior Cloud Security Architect

Date: April 2026

Organization: Aeolitech


Abstract

Defense Industrial Base (DIB) contractors processing Controlled Unclassified Information (CUI) face a complex landscape of overlapping regulatory obligations: CMMC Level 2 or 3 certification, DFARS 252.204-7012 cloud security requirements, ITAR/EAR export control restrictions, and DoD Impact Level designations. Microsoft's government cloud portfolio—spanning Azure Commercial, Microsoft 365 GCC, GCC High, and the dedicated DoD environments—offers a tiered set of isolation guarantees that directly map to these obligations. This whitepaper presents a comprehensive reference architecture for deploying CUI workloads in Microsoft Azure Government with Microsoft 365 GCC High, including landing zone design, hub-spoke networking, identity governance via Microsoft Entra ID Government, device management through Intune, and threat detection via Microsoft Defender. The architecture is mapped to all 110 NIST SP 800-171 Rev 2 controls required for CMMC Level 2 certification.


Table of Contents

1. Understanding the Microsoft Government Cloud Tiers

2. Which Environment Is Required for CUI?

3. DFARS 7012, 7019, and 7020: What the Contract Clauses Demand

4. Reference Landing Zone Architecture

5. Hub-Spoke Network Design for CUI Enclaves

6. Microsoft 365 GCC High: Collaboration and Email

7. Identity and Access Governance with Entra ID Government

8. Device Management and Endpoint Security

9. Threat Detection and Security Operations

10. Licensing Considerations

11. Mapping to 110 NIST SP 800-171 Controls

12. About the Author

13. References


1. Understanding the Microsoft Government Cloud Tiers

Microsoft offers a tiered set of environments for US government and defense workloads, each progressively more isolated from its commercial infrastructure. The commercial cloud is included below as the baseline. The FedRAMP column answers the question DFARS 7012 actually asks (does the offering meet at least the FedRAMP Moderate baseline); the DoD IL column gives the DISA provisional authorization:

| Environment | Infrastructure | FedRAMP | DoD IL | CUI Support | ITAR/EAR |
|---|---|---|---|---|---|
| M365 Commercial / Azure Commercial | Shared global multi-tenant; worldwide operations staff | Authorized (Azure: High) | IL2 | No (no DFARS 7012 flow-down commitment) | No |
| M365 GCC | Commercial Azure infrastructure; segregated government tenant community; US data residency | Authorized | IL2 | Limited (basic CUI, no ITAR/EAR) | No |
| M365 GCC High / Azure Government | Azure Government, physically separate from commercial; screened US persons | High | IL4 (M365 GCC High); IL4 and IL5 (Azure Government) | Yes (all CUI) | Yes |
| M365 DoD / Azure Government DoD regions | Azure Government DoD regions, DoD-exclusive | High | IL5 | Yes | Yes |
| Azure Government Secret / Top Secret | Air-gapped, classified facilities | N/A | IL6 (Secret); Top Secret is outside the Cloud SRG levels | Classified | N/A |

Azure Commercial runs on shared global infrastructure. Azure itself holds a FedRAMP High authorization, so the FedRAMP Moderate floor in DFARS 7012 is not the obstacle; what is missing is everything around it. Data residency options exist, but operations and support personnel are not restricted to US persons, Microsoft does not contractually commit to the DFARS 7012 paragraph (c) through (g) obligations or to ITAR/EAR handling, and the DoD provisional authorization stops at IL2. Commercial is therefore suitable for FCI-only (CMMC Level 1) workloads, not for CDI/CUI.

Microsoft 365 GCC is the first government boundary tier. Contrary to a common assumption, it runs on the commercial Azure infrastructure rather than on Azure Government; what distinguishes it is a segregated government tenant community, US data residency, and a government-specific compliance posture (DoD IL2). Support staff may include non-US persons, and Microsoft does not contractually commit to ITAR, EAR, or the DFARS 7012 paragraph (c) through (g) obligations in GCC. GCC can support basic CUI for CMMC Level 2 only in limited, specifically documented scenarios where no ITAR/EAR data is present and the prime contractor provides written approval.

Microsoft 365 GCC High is built on Azure Government infrastructure that is physically separate from Azure Commercial, operated by background-screened US persons, and authorized at FedRAMP High, with a DISA provisional authorization at IL4 for M365 GCC High and at IL4/IL5 for the underlying Azure Government regions. This is the environment in which Microsoft contractually commits to ITAR, EAR, and DFARS 7012 support, and it is where CMMC Level 2 and Level 3 enclaves for export-controlled CUI are built. Cross-tenant collaboration between GCC High and GCC or commercial tenants is blocked by default: data cannot flow across that boundary until cross-tenant access settings are explicitly configured on both sides.

Office 365 DoD (IL5) is built on the Azure Government DoD regions, a dedicated zone restricted to DoD entities and specifically approved contractors. Most defense contractors operate in GCC High rather than DoD unless their contracting officer mandates otherwise.

Azure Government Secret (IL6) and Top Secret are air-gapped environments for classified workloads. They require DoD sponsorship and personnel clearances, and sit outside the scope of CMMC, which covers only unclassified information.


2. Which Environment Is Required for CUI?

The answer depends on contract clauses and data sensitivity, not on CMMC as a framework. CMMC 2.0 defines security controls—it does not mandate specific cloud platforms. However, contract clauses effectively make the decision:

DFARS 252.204-7012 requires that any cloud service used to process, store, or transmit Covered Defense Information (CDI/CUI) meet at least the FedRAMP Moderate baseline. A DoD CIO memorandum of 21 December 2023 further clarified that "FedRAMP Moderate equivalent" means an offering assessed by a FedRAMP-recognized 3PAO against 100 percent of the Moderate baseline, with the assessment body of evidence made available to the contractor; an informal vendor claim of equivalency no longer satisfies paragraph (b)(2)(ii)(D).

ITAR/EAR applicability is the clearest forcing function toward GCC High. If your contracts involve technical data, manufacturing drawings, source code, or defense articles controlled under the USML (ITAR Categories I-XXI) or the EAR Commerce Control List (CCL), GCC High is the only Microsoft environment available to a contractor without DoD sponsorship that meets those requirements without additional compensating controls.

DFARS 7012 paragraphs (c) through (g) obligate the contractor, and by flow-down its cloud provider, to report cyber incidents within 72 hours, submit malicious software to DC3, preserve images and monitoring data for 90 days, and support DoD forensic analysis and damage assessment. Microsoft commits to these in GCC High; it does not in GCC. The US-persons-only staffing that GCC High adds on top of this is what ITAR/EAR require, because access to controlled technical data by a foreign person is a deemed export.

Prime contractor flow-down frequently mandates GCC High regardless of data type. If your prime operates in a GCC High tenant, collaboration from a GCC or commercial tenant is only possible if the prime enables cross-cloud access settings on its side, and primes commonly decline to do so for CUI collaboration; in practice the flow-down decides the environment.

Decision framework:

```
Contract includes DFARS 252.204-7012?
├── Yes → Cloud service must meet the FedRAMP Moderate baseline at minimum
│   ├── CUI is ITAR/EAR controlled?         → GCC High required
│   ├── US-person-only support required?    → GCC High required
│   ├── Prime mandates GCC High?            → GCC High required
│   └── None of the above + written prime approval → GCC may suffice
└── No → Commercial may suffice for FCI-only CMMC Level 1
```


3. DFARS 7012, 7019, and 7020: What the Contract Clauses Demand

Three DFARS clauses govern cloud security for defense contractors:

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting: the foundational clause. It requires NIST SP 800-171 implementation (paragraph (b)), cloud services that meet at least the FedRAMP Moderate baseline, rapid reporting of cyber incidents to DoD within 72 hours of discovery (paragraph (c)), submission of malicious software to the DoD Cyber Crime Center (DC3) (paragraph (d)), preservation of images of affected systems and relevant monitoring data for at least 90 days (paragraph (e)), and access for DoD forensic analysis and damage assessment (paragraphs (f) and (g)). Microsoft commits to supporting the paragraph (c) through (g) obligations for GCC High and Azure Government.

DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements: requires the contractor to have a current NIST SP 800-171 assessment score posted in the Supplier Performance Risk System (SPRS) before contract award. "Current" means not more than three years old, and the assessment must follow the NIST SP 800-171 DoD Assessment Methodology (which scores the 110 requirements using NIST SP 800-171A assessment objectives).

DFARS 252.204-7020, NIST SP 800-171 DoD Assessments: extends 7019 by allowing DoD to conduct its own Medium or High assessments of contractor compliance and requiring contractors to provide access to facilities, systems, and personnel. This clause has significant implications for how you document and evidence your System Security Plan (SSP): every implemented control needs evidence an assessor can inspect, not just a narrative.

Together, these clauses create the operational security baseline for CUI. GCC High, properly configured, provides inherited controls that reduce contractor burden across multiple NIST SP 800-171 domains.


4. Reference Landing Zone Architecture

A GCC High landing zone for CUI workloads follows the Azure landing zone guidance from Microsoft's Cloud Adoption Framework (CAF), adapted for Azure Government and regulated workloads. It segments workloads into management groups, with Azure Policy assigned at each level and inherited by everything below it.

Management Group Hierarchy:

```
Tenant Root Group (Entra ID Government)
├── Platform
│   ├── Management   (Log Analytics, Sentinel, Azure Monitor)
│   ├── Identity     (Entra Domain Services, if needed)
│   └── Connectivity (Hub VNet, Azure Firewall, ExpressRoute)
└── Landing Zones
    ├── CUI-Production (CUI-bearing workloads, IL5 policy set)
    ├── CUI-DevTest    (lower environment, still inside the GCC High boundary)
    └── Corp           (non-CUI business workloads)
```

Subscription Design: Each major CUI application or program office receives a dedicated Azure subscription within the CUI-Production management group. The subscription boundary is the logical isolation unit for CMMC scoping. Azure Policy assignments at the management group level enforce:

  • Allowed locations restricted to US Gov Virginia, US Gov Texas, and US Gov Arizona
  • Deny public IP addresses on CUI subnets (deny Microsoft.Network/publicIPAddresses, and NIC configurations that reference one, within the CUI management group)
  • Require customer-managed keys and infrastructure encryption for storage accounts (Azure Storage always encrypts at rest with FIPS 140-2 validated modules; the policy enforces the key-management and double-encryption choices)
  • Audit that NSG flow logs are enabled
  • Require the Defender for Cloud plans (Servers, Storage, SQL, Key Vault, Resource Manager) on every subscription

Tagging Strategy: All resources must carry DataClassification (value CUI), CMMCLevel (value 2), ContractNumber, and ProgramOffice tags. Azure Policy deny effects reject resource creation when any of them is missing, and a modify effect can inherit ContractNumber and ProgramOffice from the resource group so that workload teams do not have to repeat them.
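Before assigning the guardrails above to the CUI-Production management group, it is worth checking that they deny what you expect and nothing else. The following is an added example, not Microsoft code: a minimal evaluator that reproduces enough of Azure Policy's if/then semantics (field aliases, allOf/anyOf/not, equals/notEquals/in/notIn/exists, the deny effect) to run the allowed-locations, public-IP, and required-tag rules against sample resource documents. The policy JSON has the same shape Azure Policy expects in `policyRule`; the resource documents and tag values are constructed.

```python
"""Minimal evaluator for Azure Policy rules, used to unit-test landing-zone guardrails.

Added example, not Microsoft code. It reproduces enough of Azure Policy's
if/then semantics (field aliases, allOf/anyOf/not, equals/notEquals/in/notIn/
exists, the deny effect) to check sample resource documents against the three
guardrails above before the definitions are assigned to the CUI-Production
management group. Every resource document and tag value below is constructed.
"""

ALLOWED_LOCATIONS = ["usgovvirginia", "usgovtexas", "usgovarizona"]
REQUIRED_TAGS = ["DataClassification", "CMMCLevel", "ContractNumber", "ProgramOffice"]

# Policy rules in the same JSON shape Azure Policy expects in 'policyRule'.
POLICIES = {
    "allowed-locations": {
        "if": {"allOf": [
            {"field": "location", "notIn": ALLOWED_LOCATIONS},
            {"field": "location", "notEquals": "global"},   # global services carry no region
        ]},
        "then": {"effect": "deny"},
    },
    "deny-public-ip": {
        "if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
        "then": {"effect": "deny"},
    },
    "require-cui-tags": {
        "if": {"anyOf": [{"field": f"tags['{t}']", "exists": "false"} for t in REQUIRED_TAGS]},
        "then": {"effect": "deny"},
    },
}


def _norm(value):
    """Azure Policy string comparisons are case-insensitive."""
    return value.lower() if isinstance(value, str) else value


def _field(resource, alias):
    """Resolve a field alias: a top-level property or tags['Name']."""
    if alias.startswith("tags['") and alias.endswith("']"):
        return (resource.get("tags") or {}).get(alias[6:-2])
    return resource.get(alias)


def _matches(resource, cond):
    """Evaluate one condition node: a logical operator or a field comparison."""
    if "allOf" in cond:
        return all(_matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(resource, cond["not"])
    value = _field(resource, cond["field"])
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(value) in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return _norm(value) not in [_norm(v) for v in cond["notIn"]]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, policies=POLICIES):
    """Return the sorted names of the policies whose deny rule fires for the resource."""
    return sorted(name for name, rule in policies.items()
                  if rule["then"]["effect"].lower() == "deny" and _matches(resource, rule["if"]))


# Constructed sample resources, shaped like the request body Azure Policy evaluates.
COMPLIANT_VM = {
    "type": "Microsoft.Compute/virtualMachines", "location": "usgovvirginia",
    "tags": {"DataClassification": "CUI", "CMMCLevel": "2",
             "ContractNumber": "W911NF-24-C-0001", "ProgramOffice": "PEO-X"},   # hypothetical values
}
ROGUE_PUBLIC_IP = {
    "type": "Microsoft.Network/publicIPAddresses", "location": "usgovvirginia",
    "tags": dict(COMPLIANT_VM["tags"]),
}
UNTAGGED_EASTUS_STORAGE = {
    "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
    "tags": {"DataClassification": "CUI"},
}

if __name__ == "__main__":
    for label, res in [("compliant VM", COMPLIANT_VM), ("public IP", ROGUE_PUBLIC_IP),
                       ("untagged eastus storage", UNTAGGED_EASTUS_STORAGE)]:
        print(f"{label}: {evaluate(res) or 'allowed'}")
```

The evaluator normalizes string comparisons to lower case because Azure Policy does the same, which is why a location written as `USGovTexas` still passes the allowed-locations rule. Real Azure Policy evaluates the full resource request, including resource groups and the `global` pseudo-location, so keep the `notEquals: global` clause when you port the rule back into a definition.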


5. Hub-Spoke Network Design for CUI Enclaves

The hub-spoke model is the reference topology for isolating CUI workloads in Azure Government:

Architecture Description:

```
┌────────────────────────────────────────────────────┐
│ Hub VNet (Connectivity subscription)               │
│ ┌──────────────────┐   ┌─────────────────────────┐ │
│ │ Azure Firewall   │   │ ExpressRoute / VPN GW   │ │
│ │ (Premium SKU)    │   │ (DISA DISN / EDS)       │ │
│ └────────┬─────────┘   └────────────┬────────────┘ │
│          │        VNet peering      │              │
└──────────┼──────────────────────────┼──────────────┘
           │                          │
  ┌────────▼─────────┐       ┌────────▼──────────┐
  │ CUI Spoke VNet   │       │ Mgmt Spoke VNet   │
  │ ┌──────────────┐ │       │ ┌───────────────┐ │
  │ │ App Subnet   │ │       │ │ Bastion Host  │ │
  │ │ Data Subnet  │ │       │ │ Log Archive   │ │
  │ │ Mgmt Subnet  │ │       │ └───────────────┘ │
  │ └──────────────┘ │       └───────────────────┘
  └──────────────────┘
```

Azure Firewall Premium (rather than Standard) is used in this design because CUI traffic needs TLS inspection, IDPS (intrusion detection and prevention), URL filtering, and web category filtering, which only the Premium SKU provides. All spoke-to-spoke and spoke-to-internet traffic transits the Azure Firewall in the hub. User-Defined Routes (UDRs) on every CUI subnet send 0.0.0.0/0 to the firewall's private IP as a virtual appliance next hop, with BGP route propagation disabled on the spoke route tables so that routes learned over ExpressRoute cannot bypass the firewall.

Network Security Groups (NSGs): Every subnet carries an NSG. NSG flow logs are enabled and sent to the central Log Analytics workspace in the Management subscription. NSG rules follow a default-deny posture: only explicitly allowed traffic is permitted, and each NSG carries its own deny-all inbound rule ahead of the built-in AllowVnetInBound rule so that east-west traffic is not implicitly allowed.

Azure Bastion (Standard SKU with shareable links disabled) provides browser-based RDP/SSH access to VMs without exposing public IPs. Session activity is logged to the central workspace. No internet-facing management ports (22, 3389) are reachable: NSGs deny them inbound from the Internet, and the firewall policy contains no DNAT rule for them.

Private Endpoints are required for all PaaS services (Azure Storage, Azure SQL, Azure Key Vault, Azure App Service). Public network access is disabled on each service. Private DNS zones linked to the hub resolve the privatelink records. Note that the zone names in Azure Government differ from commercial: for example privatelink.blob.core.usgovcloudapi.net, privatelink.database.usgovcloudapi.net, and privatelink.vaultcore.usgovcloudapi.net rather than the .windows.net and .azure.net zones, so commercial Bicep or Terraform modules need their zone names changed.

ExpressRoute connectivity to on-premises sites, DISA DISN, or other DoD networks terminates on an ExpressRoute gateway in the hub. Only Private Peering is provisioned; it carries traffic into the hub VNet over the private path. Microsoft Peering (public Microsoft service endpoints over ExpressRoute) is not used, because every PaaS dependency is reached through a Private Endpoint inside the VNets.
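The NSG and UDR rules above are easy to state and easy to drift from: an engineer adds a "temporary" RDP rule, or a route table is detached during troubleshooting. The following is an added example, not Azure tooling, of an offline audit over the JSON that `az network vnet subnet show`, `az network nsg show`, and `az network route-table show` return (trimmed to the fields used; all IDs, names, and addresses are constructed). It flags CUI subnets with no NSG, inbound allow rules exposing management ports to the Internet, NSGs lacking an explicit default-deny inbound rule, and subnets whose 0.0.0.0/0 route does not point at the hub firewall.

```python
"""Offline audit of subnet, NSG and route-table exports for the hub-spoke rules above.

Added example, not Azure tooling. The objects mirror the JSON that
`az network vnet subnet show`, `az network nsg show` and
`az network route-table show` return (trimmed to the fields used here; all
IDs, names and addresses are constructed). It flags CUI subnets without an
NSG, inbound allow rules that expose management ports to the Internet, NSGs
without an explicit default-deny inbound rule, and subnets whose 0.0.0.0/0
route does not point at the hub firewall.
"""
from ipaddress import ip_network

HUB_FIREWALL_IP = "10.0.1.4"            # assumed private IP of the hub Azure Firewall
MGMT_PORTS = {22, 3389, 5985, 5986}     # SSH, RDP, WinRM
ALL_PORTS = frozenset(range(65536))


def _ports(rule):
    """Expand destinationPortRange / destinationPortRanges ('*' means every port)."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ports = set()
    for r in ranges:
        if r == "*":
            return set(ALL_PORTS)
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _from_internet(rule):
    """True when the source covers the public Internet ('*', the Internet tag, or a /0)."""
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return any(s in ("*", "Internet") or ("/" in s and ip_network(s, strict=False).prefixlen == 0)
               for s in sources)


def audit_nsg(nsg):
    findings = []
    inbound = sorted((r for r in nsg["securityRules"] if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    for r in inbound:
        if r["access"] == "Allow" and _from_internet(r) and _ports(r) & MGMT_PORTS:
            findings.append(f"{nsg['name']}: rule '{r['name']}' allows management ports from the Internet")
    # Azure's built-in DenyAllInBound sits at priority 65500, behind AllowVnetInBound (65000);
    # a CUI subnet needs its own deny-all so east-west traffic is not implicitly allowed.
    if not any(r["access"] == "Deny" and r["priority"] < 65000
               and _from_internet(r) and _ports(r) == ALL_PORTS for r in inbound):
        findings.append(f"{nsg['name']}: no explicit default-deny inbound rule")
    return findings


def audit_subnet(subnet, nsgs, route_tables):
    findings = []
    nsg_id = (subnet.get("networkSecurityGroup") or {}).get("id")
    if nsg_id is None:
        findings.append(f"{subnet['name']}: no NSG attached")
    else:
        findings.extend(audit_nsg(nsgs[nsg_id]))
    rt_id = (subnet.get("routeTable") or {}).get("id")
    routes = route_tables[rt_id]["routes"] if rt_id else []
    default = [r for r in routes if r["addressPrefix"] == "0.0.0.0/0"]
    if not (default and default[0]["nextHopType"] == "VirtualAppliance"
            and default[0].get("nextHopIpAddress") == HUB_FIREWALL_IP):
        findings.append(f"{subnet['name']}: 0.0.0.0/0 is not forced to the hub firewall {HUB_FIREWALL_IP}")
    return findings


# Constructed exports keyed by resource ID (shortened for readability).
NSGS = {
    "/nsg/app": {"name": "nsg-app", "securityRules": [
        {"name": "AllowHttpsFromFirewall", "priority": 100, "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": HUB_FIREWALL_IP, "destinationPortRange": "443"},
        {"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
         "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    ]},
    "/nsg/mgmt": {"name": "nsg-mgmt", "securityRules": [
        {"name": "AllowRdpTemp", "priority": 200, "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},   # the drift we want to catch
    ]},
}
ROUTE_TABLES = {
    "/rt/cui": {"routes": [{"name": "default", "addressPrefix": "0.0.0.0/0",
                            "nextHopType": "VirtualAppliance", "nextHopIpAddress": HUB_FIREWALL_IP}]},
    "/rt/direct": {"routes": [{"name": "default", "addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"}]},
}
SUBNETS = [
    {"name": "snet-app", "networkSecurityGroup": {"id": "/nsg/app"}, "routeTable": {"id": "/rt/cui"}},
    {"name": "snet-data", "routeTable": {"id": "/rt/cui"}},
    {"name": "snet-mgmt", "networkSecurityGroup": {"id": "/nsg/mgmt"}, "routeTable": {"id": "/rt/direct"}},
]


def audit_all(subnets=SUBNETS, nsgs=NSGS, route_tables=ROUTE_TABLES):
    """Run every check over every subnet; an empty list means the spoke passes."""
    return [f for s in subnets for f in audit_subnet(s, nsgs, route_tables)]


if __name__ == "__main__":
    for finding in audit_all():
        print("FINDING:", finding)
```

Run against real exports, a script like this belongs in the pipeline that gates changes to the Connectivity and CUI-Production subscriptions, alongside the Azure Policy deny effects; policy stops most drift at deployment time, but an audit over the live state is what catches rules added through the portal.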


6. Microsoft 365 GCC High: Collaboration and Email

The M365 GCC High tenant forms the collaboration layer alongside the Azure Government infrastructure layer. These two environments share the same Entra ID Government tenant, providing unified identity across Exchange Online, SharePoint Online, Teams, and Azure workloads.

GCC High tenant characteristics:

  • Customer data at rest is stored exclusively in US-based Azure Government datacenters
  • Microsoft operations and support personnel with access to customer content are background-screened US persons
  • Cross-tenant access from GCC or Commercial tenants is blocked by default
  • FIPS 140-2 validated cryptographic modules protect data at rest and in transit
  • Purview DLP policies enforce egress controls on sensitive data at the Microsoft service layer

Exchange Online GCC High: Mailboxes reside in US Azure Government datacenters, and SPF, DKIM, and DMARC are enforced for the contractor's domains. Exchange Online Protection (EOP) and Defender for Office 365 Plan 2 provide anti-phishing, Safe Links, Safe Attachments, and attack simulation training. External recipients outside GCC High receive email normally; for messages that carry CUI markings, Microsoft Purview Information Protection (MIP) sensitivity labels can apply Rights Management encryption on the way out so that only the named recipients can open them.

SharePoint Online and Teams: SharePoint serves as the document management system for CUI. Teams channels are backed by SharePoint libraries protected by sensitivity labels. Guest access is disabled at the tenant level; external collaboration is limited to B2B collaboration with other GCC High or government tenants, enabled through cross-tenant access settings on both sides.

Microsoft Purview (Information Protection): MIP sensitivity labels are deployed across the M365 environment. A CUI sensitivity label applies Azure Rights Management encryption (FIPS 140-2 validated cryptography), prevents forwarding, blocks screen capture in the mobile apps, and restricts printing. Purview DLP policies detect and block egress of CUI patterns (contract numbers, CAGE codes, export-controlled part numbers, CUI banner markings) via email, Teams, or SharePoint sharing.
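Purview custom sensitive information types (SITs) are regular expressions with supporting keywords, and the fastest way to tune them is to write the patterns as plain Python first and run them over real-looking messages before loading them into the tenant. The following is an added example, not Purview code; the patterns are assumptions about what a given program uses (DoD procurement instrument identifiers, CAGE codes, CUI banner markings) and the sample messages are constructed.

```python
"""Regex sensitive-information-type (SIT) checks for the CUI patterns the DLP policy targets.

Added example, not Purview code. Purview custom SITs are regular expressions
with supporting keywords; writing them as plain Python first lets you test
them offline against real-looking messages before loading them into the
tenant. The patterns are assumptions about what a given program uses:
DoD procurement instrument identifiers (PIIN: 6-character DoDAAC, 2-digit
fiscal year, 1-letter instrument type, 4-character serial), CAGE codes
(5 alphanumerics, only when a 'CAGE' keyword precedes them, because bare
5-character tokens are far too common), and CUI banner markings such as
CUI//SP-EXPT. The sample messages are constructed.
"""
import re

SITS = {
    "DoD PIIN": re.compile(r"\b[A-Z0-9]{6}-?\d{2}-?[A-Z]-?[A-Z0-9]{4}\b"),
    "CAGE code": re.compile(r"\bCAGE(?:\s+code)?[:\s#]*([A-Z0-9]{5})\b", re.IGNORECASE),
    "CUI marking": re.compile(r"\bCUI//[A-Z][A-Z/-]+"),
}


def scan(text):
    """Return (sit_name, matched_value) pairs found in the text."""
    hits = []
    for name, pattern in SITS.items():
        for m in pattern.finditer(text):
            hits.append((name, m.group(1) if m.groups() else m.group(0)))
    return hits


def dlp_verdict(text, external_recipient):
    """Purview-style outcome: block external egress on any hit, audit internal hits, else allow."""
    hits = scan(text)
    if not hits:
        return "allow", hits
    return ("block" if external_recipient else "audit"), hits


# Constructed messages: one carrying CUI identifiers, one benign.
CUI_MESSAGE = ("Per contract W911NF-24-C-0001 (CAGE 1ABC5), the revised drawing set is "
               "marked CUI//SP-EXPT and must not leave the GCC High tenant.")
BENIGN_MESSAGE = "Reminder: the quarterly all-hands moves to 10:00 on Thursday."

if __name__ == "__main__":
    for msg in (CUI_MESSAGE, BENIGN_MESSAGE):
        verdict, hits = dlp_verdict(msg, external_recipient=True)
        print(verdict, hits)
```

The CAGE pattern deliberately requires the keyword: a bare five-character alphanumeric regex fires on part numbers, room numbers, and ticket IDs, and a DLP rule that blocks half the company's email is switched off within a week. The same keyword-plus-pattern structure is what Purview calls a SIT with supporting evidence, and the false-positive rate you measure here is the one you will see in production.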


7. Identity and Access Governance with Entra ID Government

Microsoft Entra ID (formerly Azure Active Directory) for Azure Government is the identity plane for both the M365 GCC High tenant and the Azure Government subscriptions. It is a separate instance from the commercial Entra ID service, with its own endpoints (login.microsoftonline.us for authentication, graph.microsoft.us for Microsoft Graph); scripts and tooling written for commercial tenants must be pointed at these endpoints explicitly.

Tenant Configuration Baselines:

  • Security defaults disabled and replaced by explicit Conditional Access policies, which give per-app, per-user, and per-device control
  • Legacy authentication (Basic authentication for SMTP AUTH, POP3, IMAP4, and legacy Exchange ActiveSync clients) disabled at the tenant level
  • For hybrid tenants, password hash synchronization from on-premises Active Directory through Entra Connect, monitored with Entra Connect Health
  • Combined MFA and SSPR registration enforced for all users, with a registration campaign steering them to the Authenticator app or FIDO2 keys

Conditional Access Policy Stack (see Whitepaper 4 for full detail):

| Policy | Condition | Control |

|---|---|---|

| Require MFA - All Users | Any cloud app | MFA (phishing-resistant preferred) |

| Require Compliant Device - CUI Apps | M365 workloads, Azure Portal | Device compliance via Intune |

| Block Legacy Auth | All apps | Block |

| Block Non-Approved Countries | Any cloud app | Named Location filter → Block |

| Require Phishing-Resistant MFA - Admin Roles | Directory roles, Azure Government Portal, PIM activation (authentication context) | Authentication strength: phishing-resistant MFA |

| Session Control - High Risk | Any app, Risky sign-in detected | Continuous Access Evaluation + Block |

Privileged Identity Management (PIM): All privileged roles (Global Administrator, Privileged Role Administrator, Security Administrator, and Owner on Azure subscriptions) are configured as Eligible rather than permanently Active assignments in PIM. Activation requires:

  • Justification (ticket number or reason)
  • MFA on activation, bound to a Conditional Access authentication context that requires phishing-resistant MFA
  • Approval by a designated approver for Global Administrator activation
  • Maximum activation duration of 8 hours
  • Activation audit events forwarded to Sentinel through the Entra audit log connector

Break-Glass Accounts: Two break-glass (emergency access) accounts are maintained, following Microsoft's emergency access account guidance. These accounts:

  • Are cloud-only (not synced from on-premises AD) and hold Global Administrator as a permanent assignment, since PIM itself may be unavailable during the emergency
  • Authenticate with FIDO2 hardware security keys (no password-only or software-authenticator fallback)
  • Are excluded from every Conditional Access policy
  • Have their keys stored in a physical safe under dual-control access
  • Trigger a Sentinel analytic rule on any sign-in, with immediate P1 notification

Entra ID Identity Protection: Sign-in risk and user risk policies are configured. High-risk sign-ins require immediate MFA re-challenge and session termination. High-risk users are blocked and require administrator-mediated remediation.
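The policy stack above has two properties an assessor will probe and that drift easily: every enabled policy must exclude the break-glass accounts (a single policy that forgets one can lock the tenant out), and no policy may be left in report-only mode after its pilot. The following is an added example, not Microsoft code, of an audit over the policy export that `GET https://graph.microsoft.us/v1.0/identity/conditionalAccess/policies` returns (reduced to the fields used here; the policy objects and break-glass object IDs are constructed).

```python
"""Audit an exported Conditional Access policy set against the baseline above.

Added example, not Microsoft code. The input has the shape returned by
GET https://graph.microsoft.us/v1.0/identity/conditionalAccess/policies
(the GCC High Graph endpoint), reduced to the fields used here; the policy
objects and the break-glass object IDs are constructed. Checks: no policy is
left in report-only mode; every enabled policy excludes both break-glass
accounts; some enabled policy requires MFA (or an authentication strength)
for all users on all cloud apps; and legacy-authentication client types are
blocked for all users.
"""

BREAK_GLASS_IDS = {"11111111-1111-1111-1111-111111111111",
                   "22222222-2222-2222-2222-222222222222"}   # hypothetical object IDs
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}
REPORT_ONLY = "enabledForReportingButNotEnforced"


def _grant_controls(policy):
    """Set of grant controls, with a configured authentication strength treated as MFA."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if grant.get("authenticationStrength"):
        controls.add("authenticationStrength")
    return controls


def _all_users_all_apps(policy):
    cond = policy["conditions"]
    return ("All" in (cond["users"].get("includeUsers") or [])
            and "All" in (cond["applications"].get("includeApplications") or []))


def audit_conditional_access(policies):
    findings = []
    enabled = [p for p in policies if p["state"] == "enabled"]
    for p in policies:
        if p["state"] == REPORT_ONLY:
            findings.append(f"'{p['displayName']}' is report-only and enforces nothing")
    for p in enabled:
        excluded = set(p["conditions"]["users"].get("excludeUsers") or [])
        missing = sorted(BREAK_GLASS_IDS - excluded)
        if missing:
            findings.append(f"'{p['displayName']}' does not exclude break-glass account(s) {missing}")
    if not any(_all_users_all_apps(p) and _grant_controls(p) & {"mfa", "authenticationStrength"}
               for p in enabled):
        findings.append("no enabled policy requires MFA for all users on all cloud apps")
    if not any("All" in (p["conditions"]["users"].get("includeUsers") or [])
               and LEGACY_CLIENT_TYPES <= set(p["conditions"].get("clientAppTypes") or [])
               and "block" in _grant_controls(p) for p in enabled):
        findings.append("legacy authentication (exchangeActiveSync/other) is not blocked for all users")
    return findings


EXPORTED_POLICIES = [  # constructed export
    {"displayName": "CA001 Require MFA - All Users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS_IDS)},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA003 Block Legacy Auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["11111111-1111-1111-1111-111111111111"]},  # second account forgotten
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA004 Block Non-Approved Countries", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS_IDS)},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"],
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    for finding in audit_conditional_access(EXPORTED_POLICIES):
        print("FINDING:", finding)
```

The break-glass check is the one to run after every policy change: the Conditional Access "What If" tool tells you what one policy does to one user, but only a pass over the full export tells you that no policy anywhere can block the emergency accounts.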


8. Device Management and Endpoint Security

Microsoft Intune (GCC High): All devices that access CUI in M365 GCC High or Azure Government must be enrolled in Intune and marked Compliant before the Conditional Access "Require Compliant Device" policy grants access. Compliance policies enforce:

  • Windows: BitLocker enabled, Secure Boot on, UEFI firmware, Windows Defender Antivirus running with real-time protection, OS version minimum (Windows 11 22H2+), firewall enabled
  • macOS: FileVault enabled, Gatekeeper enforced, OS version minimum
  • Mobile (iOS/Android): Screen lock PIN ≥ 6 digits, device encryption, jailbreak/root detection, Defender for Endpoint mobile threat defense integration

Defender for Endpoint (Plan 2 GCC High): Provides endpoint detection and response (EDR), attack surface reduction (ASR) rules, tamper protection, and web content filtering. All telemetry routes to the GCC High Defender portal (security.microsoft.us), not the commercial portal. Integration with Sentinel enables automated incident creation from Defender alerts.

Autopilot and Secure Configuration: Device enrollment uses Windows Autopilot with the hardware hash registered in Intune, so a device is configured before a user first signs in. Hardened configuration baselines are applied through Intune configuration profiles (settings catalog and security baselines):

  • DoD STIG for Windows 11 as the primary baseline, with CIS Benchmark Level 2 settings used where no STIG setting exists
  • Documented deviations from the STIG recorded in the SSP, since a few STIG settings conflict with Intune management
  • Windows LAPS (built into Windows 11) for unique, automatically rotated local administrator passwords backed up to Entra ID

9. Threat Detection and Security Operations

Microsoft Defender for Cloud: Enabled on all Azure Government subscriptions at the Standard/Defender plan tier. Defender for Cloud provides:

  • Secure Score with actionable recommendations against the Microsoft cloud security benchmark (formerly the Azure Security Benchmark), which maps to NIST SP 800-53
  • Regulatory compliance dashboard with the NIST SP 800-171 and CMMC standards assigned
  • Defender for Servers (includes Defender for Endpoint agent deployment)
  • Defender for Storage (detects anomalous data access; malware scanning of blobs on upload)
  • Defender for SQL (SQL injection detection, unusual access patterns)
  • Defender for Key Vault (unusual access to secrets and keys)
  • Defender for Resource Manager (anomalous control-plane operations)

Microsoft Sentinel (GCC High): The SIEM/SOAR solution for CUI environments runs in the Sentinel workspace within the Management subscription. Data connectors include:

  • Entra ID sign-in and audit logs (via diagnostic settings)
  • M365 GCC High: Exchange, SharePoint, Teams, DLP audit events
  • Azure Activity logs from all subscriptions
  • Defender for Endpoint alerts
  • Azure Firewall and NSG flow logs

Retention: Interactive retention in the Sentinel workspace is set to 90 days, with a further two years in low-cost storage (the workspace archive tier or Azure Storage) for investigations that reach back further. The 90-day figure in DFARS 7012(e) governs preservation of images of affected systems and relevant monitoring data from the time an incident is reported, so a longer log retention is what lets an investigation establish when an intrusion began. Workspace data is encrypted with customer-managed keys held in Azure Key Vault Premium (HSM-protected keys), or in Azure Key Vault Managed HSM where FIPS 140-2 Level 3 validation is a contractual requirement.

Incident Response: Sentinel Automation Rules trigger playbooks (Logic Apps in Azure Government) for common scenarios: high-risk sign-in → notify SOC, malware detected → isolate endpoint via Defender API, CUI exfiltration DLP alert → suspend user session and notify ISSO.
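Three of the analytic rules implied above (any sign-in by a break-glass account, a successful sign-in from a non-approved country, and a successful sign-in over a legacy protocol) are simple enough to show end to end. The following is an added example, not Sentinel content: the same logic written in Python over constructed records that mimic the SigninLogs table, using Graph signIn field names. Every user, IP address, and tenant name is constructed; in the workspace each detection is a KQL analytic rule, for example `SigninLogs | where UserPrincipalName in~ (dynamic(["bg-admin-01@...", "bg-admin-02@..."]))` for the first one.

```python
"""Three sign-in analytics from the architecture above, run over sample records.

Added example, not Sentinel content (in the workspace these are KQL analytic
rules over the SigninLogs table). The records mimic Entra ID sign-in events
exported from the GCC High tenant, using Graph signIn field names; every
user, IP address and tenant name is constructed. Detections: any sign-in by
a break-glass account (P1, regardless of outcome); a successful sign-in from
outside the approved countries; and a successful sign-in over a legacy client
protocol. Each returns (severity, message) tuples that the automation rule
would hand to a playbook.
"""
import json

BREAK_GLASS_UPNS = {"bg-admin-01@contoso-gcch.onmicrosoft.us",    # hypothetical tenant
                    "bg-admin-02@contoso-gcch.onmicrosoft.us"}
APPROVED_COUNTRIES = {"US"}
LEGACY_CLIENTS = {"Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "Authenticated SMTP"}

# Constructed newline-delimited JSON, one sign-in record per line.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"userPrincipalName": "alice@contoso-gcch.us", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "US"}, "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bg-admin-01@contoso-gcch.onmicrosoft.us", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "US"}, "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso-gcch.us", "ipAddress": "203.0.113.44",
     "location": {"countryOrRegion": "RU"}, "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso-gcch.us", "ipAddress": "198.51.100.12",
     "location": {"countryOrRegion": "US"}, "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@contoso-gcch.us", "ipAddress": "203.0.113.80",
     "location": {"countryOrRegion": "CN"}, "clientAppUsed": "Browser",
     "status": {"errorCode": 53003}},   # blocked by Conditional Access: no alert, CA did its job
])


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records):
    """Return (severity, message) alerts for the three detections."""
    alerts = []
    for r in records:
        upn = r["userPrincipalName"].lower()
        succeeded = r["status"]["errorCode"] == 0
        country = r["location"]["countryOrRegion"]
        if upn in BREAK_GLASS_UPNS:
            # Emergency accounts are never used in normal operations; any sign-in is an incident.
            alerts.append(("P1", f"break-glass sign-in by {upn} from {r['ipAddress']} ({country})"))
            continue
        if succeeded and country not in APPROVED_COUNTRIES:
            alerts.append(("P2", f"successful sign-in by {upn} from non-approved country {country}"))
        if succeeded and r["clientAppUsed"] in LEGACY_CLIENTS:
            alerts.append(("P2", f"successful legacy-auth sign-in by {upn} via {r['clientAppUsed']}"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(parse_signins(SAMPLE_SIGNINS)):
        print(severity, message)
```

Two design points carry over to the KQL versions. The break-glass rule fires on failed sign-ins too, because a failed attempt against an emergency account is someone probing it. The country and legacy-protocol rules fire only on success: a blocked attempt (error 53003) means Conditional Access worked, and paging the SOC for every blocked attempt from abroad buries the successes that matter.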


10. Licensing Considerations

GCC High licensing carries a premium over commercial M365:

| Product | Approx. Cost vs. Commercial | Notes |

|---|---|---|

| Microsoft 365 E3 GCC High | ~30-40% premium | Includes Intune, Entra ID P1, basic Defender |

| Microsoft 365 E5 GCC High | ~30-40% premium | Adds Defender Plan 2, Sentinel data ingest, Purview |

| Microsoft Entra ID P2 (add-on) | Required for PIM and Identity Protection | If not on E5 |

| Microsoft Sentinel | Per-GB ingestion pricing (Gov rate) | ~15% premium over commercial |

| Defender for Cloud | Per-resource pricing (Gov rate) | Defender for Servers ~$15/node/month |

| Azure Government compute/storage | ~10-20% premium over commercial | Varies by service and region |

Minimum licensing for CMMC compliance in GCC High:

  • Microsoft 365 E3 GCC High (Intune, Entra ID P1, EOP)
  • Entra ID P2 add-on or Microsoft 365 E5 GCC High (PIM, Identity Protection required for AC 3.1.5/3.1.6 and IA 3.5.x controls)
  • Defender for Endpoint Plan 2 GCC High (EDR, ASR, SI 3.14.x controls)
  • Defender for Office 365 Plan 2 GCC High (SI 3.14.2, anti-phishing)
  • Microsoft Purview (included in E5 or as add-on) for DLP and information protection

Total cost estimate: A 200-user organization should budget roughly $80 to $120 per user per month for full GCC High E5-equivalent licensing, plus Azure Government infrastructure costs. GCC High licenses are sold through an Enterprise Agreement or through Cloud Solution Provider partners authorized for GCC High, and the premium over commercial varies by vehicle and contractor size; engage a Microsoft licensing specialist for an accurate quote.


11. Mapping to 110 NIST SP 800-171 Controls

GCC High provides inherited controls where Microsoft's compliance authorization satisfies the control at the platform layer. The contractor implements shared controls through configuration and customer-owned controls through their own policies and procedures.

| Control Domain | Total Controls | Inherited (GCC High Platform) | Shared (Config Required) | Customer-Owned |

|---|---|---|---|---|

| Access Control (AC) | 22 | 3 | 14 | 5 |

| Awareness and Training (AT) | 3 | 0 | 1 | 2 |

| Audit and Accountability (AU) | 9 | 4 | 4 | 1 |

| Configuration Management (CM) | 9 | 2 | 5 | 2 |

| Identification and Authentication (IA) | 11 | 2 | 6 | 3 |

| Incident Response (IR) | 3 | 1 | 1 | 1 |

| Maintenance (MA) | 6 | 2 | 3 | 1 |

| Media Protection (MP) | 9 | 5 | 3 | 1 |

| Personnel Security (PS) | 2 | 1 | 0 | 1 |

| Physical Protection (PE) | 6 | 6 | 0 | 0 |

| Risk Assessment (RA) | 3 | 0 | 2 | 1 |

| Security Assessment (CA) | 4 | 0 | 2 | 2 |

| System and Comm. Protection (SC) | 16 | 5 | 9 | 2 |

| System and Info. Integrity (SI) | 7 | 2 | 4 | 1 |

| Total | 110 | 33 | 54 | 23 |

Microsoft publishes a Shared Responsibility Matrix (SRM) for M365 GCC High and Azure Government that identifies inherited controls; the counts above are this architecture's working allocation for a cloud-only enclave and should be reconciled against the current SRM during SSP development. Two caveats matter in practice. First, inheritance of Physical Protection (PE) and Media Protection (MP) controls covers Microsoft's datacenters only; any contractor office where CUI is viewed, printed, or written to removable media brings those controls back into customer scope. Second, inheritance is not a substitute for evidence: the assessor will expect the SRM and the relevant FedRAMP documentation to be cited in the SSP for every inherited control. The configuration work is substantial: 54 controls require active implementation in Conditional Access, Intune, Defender, Sentinel, and Azure Policy, and the 23 customer-owned controls require documented policies, procedures, training programs, and physical security measures.

Selected control-to-service mappings:

  • 3.1.1 (Authorized Access) → Entra ID, Conditional Access, Intune device compliance
  • 3.1.2 (Transaction/Function Control) → Azure RBAC, Entra ID App Roles
  • 3.1.3 (Information Flow) → Azure Firewall, NSG rules, Purview DLP
  • 3.1.5 (Least Privilege) → PIM eligible roles, RBAC minimum permissions
  • 3.1.6 (Non-Privileged Access) → Separate privileged and standard accounts in Entra ID
  • 3.1.12 (Remote Access) → Conditional Access + Compliant Device + Azure Bastion
  • 3.3.1–3.3.2 (Audit Logging) → Sentinel, Entra ID logs, Azure Monitor
  • 3.5.3 (MFA) → Conditional Access MFA policy
  • 3.13.8 (Encryption in Transit) → TLS 1.2+ enforced at Azure Firewall and App Gateway
  • 3.14.1 (Malware Protection) → Defender for Endpoint ASR + real-time protection

12. About the Author

Leonard Esere is a Senior Cloud Security Architect at Aeolitech specializing in government cloud compliance, CMMC assessment preparation, and Zero Trust architecture for DIB contractors. He has supported accreditation activities for Los Alamos National Laboratory (LANL), contributed to MITRE ATT&CK-aligned threat modeling engagements, and holds active DoD clearance credentials supporting multiple defense program offices. Leonard holds certifications including CISSP, Microsoft Certified: Azure Solutions Architect Expert, and SC-400 (Microsoft Information Protection Administrator).


13. References

1. Microsoft. Microsoft 365 GCC High and DoD Service Descriptions. https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-for-us-government/gcc-high-and-dod

2. Microsoft. Azure Government Overview. https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-welcome

3. Microsoft. DoD Impact Level 5 on Azure Government. https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-overview-dod

4. NIST. Special Publication 800-171 Rev. 2: Protecting CUI in Nonfederal Systems. https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

5. NIST. Special Publication 800-171 Rev. 3: Protecting CUI in Nonfederal Systems (2024). https://csrc.nist.gov/pubs/sp/800/171/r3/final

6. DoD. DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting. https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting

7. DoD CIO. Memorandum: FedRAMP Moderate Equivalency for Cloud Service Provider's Cloud Service Offerings (21 December 2023). https://dodcio.defense.gov/

8. FedRAMP. FedRAMP Marketplace: Microsoft 365 GCC High. https://marketplace.fedramp.gov/

9. DISA. Cloud Computing Security Requirements Guide (SRG). https://public.cyber.mil/dccs/

10. Microsoft. Cloud Adoption Framework for Azure Government Landing Zones. https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/

11. Microsoft. Entra Conditional Access Overview. https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview

12. Microsoft. Privileged Identity Management. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure


Call to Action

Aeolitech provides end-to-end GCC High architecture, implementation, and CMMC assessment preparation services for DIB contractors. Our team has direct experience supporting LANL accreditation activities and DoD program office compliance initiatives. Contact us to schedule a Complimentary CUI Boundary Scoping Workshop and receive a tailored roadmap for your CMMC Level 2 or Level 3 certification journey.

© 2026 Aeolitech. All rights reserved. This document is provided for informational purposes. Organizations should consult with qualified CMMC Third-Party Assessment Organizations (C3PAOs) before relying on this reference architecture for certification purposes.
