GovCloud Is Not Enough: Why CMMC Level 2 Requires More Than a Cloud Choice
I keep running into the same assumption in conversations with defense contractors preparing for CMMC Level 2 assessments. It goes something like this: "We moved to AWS GovCloud, so we should be good on the infrastructure side." And I get why people land there. GovCloud environments carry FedRAMP High authorization. They meet rigorous federal security baselines. They are genuinely excellent infrastructure choices for handling Controlled Unclassified Information (CUI). But choosing GovCloud is a starting point, not a finish line, and the gap between the two is where a lot of companies are going to fail their assessments.
What FedRAMP Actually Covers
FedRAMP authorization means a cloud service provider (CSP) has implemented and been assessed against NIST SP 800-53 controls at the Low, Moderate, or High baseline. AWS GovCloud, Azure Government, and Google Cloud's Assured Workloads carry FedRAMP High authorizations, which map to roughly 421 controls. These controls govern what the CSP does: how they manage their physical data centers, how they handle encryption at rest and in transit within their infrastructure, how they log access to their own systems, and how they vet their own personnel.
The critical concept here is the shared responsibility model. FedRAMP authorizes the cloud service provider's portion of the security stack. It does not authorize your configuration of that stack, your applications running on it, your access management policies, your incident response procedures, or your users' behavior. The CSP's System Security Plan (SSP) will explicitly delineate which controls are "CSP-responsible," which are "customer-responsible," and which are shared. If you have not read your CSP's customer responsibility matrix in detail, stop reading this and go do that first.
What CMMC Level 2 Actually Requires
CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171 Rev 2. The final CMMC rule (32 CFR Part 170) went into effect on December 16, 2024, and CMMC assessments by certified third-party assessment organizations (C3PAOs) are now a contractual reality. Level 2 applies to any contractor handling CUI, which covers a significant portion of the Defense Industrial Base (DIB).
Here is where the disconnect happens. NIST SP 800-171 is derived from NIST SP 800-53, so there is conceptual overlap with FedRAMP. But 800-171 applies to your organization's information system, not the CSP's. The 110 requirements span 14 control families:
- Access Control (22 requirements)
- Awareness and Training (3 requirements)
- Audit and Accountability (9 requirements)
- Configuration Management (9 requirements)
- Identification and Authentication (11 requirements)
- Incident Response (3 requirements)
- Maintenance (6 requirements)
- Media Protection (9 requirements)
- Personnel Security (2 requirements)
- Physical Protection (6 requirements)
- Risk Assessment (3 requirements)
- Security Assessment (4 requirements)
- System and Communications Protection (16 requirements)
- System and Information Integrity (7 requirements)
Your FedRAMP-authorized CSP might help you satisfy portions of System and Communications Protection (SC) and some Audit and Accountability (AU) requirements. But it does nothing for your Awareness and Training program, your Incident Response plan, your Personnel Security screening, your Physical Protection of on-premises endpoints, or your Risk Assessment processes. Those are entirely on you.
The Controls GovCloud Cannot Touch
Let me walk through some specific examples that trip people up.
Access Control (AC)
Requirement 3.1.1 demands you limit system access to authorized users. GovCloud gives you the tools (IAM policies, role-based access, MFA options), but you have to configure them correctly, review them periodically, and document your access control policy. Requirement 3.1.5 requires least privilege. Your CSP will not audit whether your junior analyst has admin rights to a CUI repository. Requirement 3.1.12 requires monitoring and control of remote access sessions. You need to implement, log, and review that yourself.
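The kind of least-privilege review your CSP will not do for you, as an added example (not FirmAdapt's code or AWS tooling): it reads IAM policy documents in the shape the AWS API returns and flags the wildcard grants that an assessor will ask about under 3.1.5. The principal names and policies are constructed sample data.

```python
"""Least-privilege review of IAM policy documents (NIST SP 800-171 3.1.5).
Added example, not FirmAdapt code. It walks policy documents in the shape AWS
returns from get_policy_version()["PolicyVersion"]["Document"] and flags
statements that grant wildcard access. Principal names and policies are constructed."""
# Constructed sample data: one policy document per principal it is attached to.
SAMPLE_POLICIES = {
    "cui-junior-analyst": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "cui-reader": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws-us-gov:s3:::cui-repo", "arn:aws-us-gov:s3:::cui-repo/*"]}]},
    "build-role": {"Statement": [
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
}

def _as_list(value):
    """IAM allows Action/Resource/Statement as a single item or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def review_statement(stmt):
    """Return finding strings for one statement; an empty list means it looks scoped."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings  # Deny statements narrow access; not a 3.1.5 concern
    actions = _as_list(stmt.get("Action"))
    wildcard_resource = "*" in _as_list(stmt.get("Resource"))
    if "NotAction" in stmt:
        # NotAction grants every action except those listed: almost always over-broad
        findings.append("NotAction grant (all but %s)" % _as_list(stmt["NotAction"]))
    if "*" in actions and wildcard_resource:
        findings.append("full administrative access (Action * on Resource *)")
    else:
        for action in actions:
            if action.endswith(":*") and wildcard_resource:
                findings.append("service-wide wildcard %s on Resource *" % action)
    return findings

def review_policies(policies):
    """Map each principal to its findings; principals with none are omitted."""
    report = {}
    for principal, doc in policies.items():
        findings = [f for s in _as_list(doc.get("Statement")) for f in review_statement(s)]
        if findings:
            report[principal] = findings
    return report
```

Run it against real policy documents pulled with the AWS CLI or boto3 and keep the output with your periodic access review records; the report is the evidence, not the fact that GovCloud offers IAM.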
Awareness and Training (AT)
Requirement 3.2.1 requires security awareness training for all users. Requirement 3.2.2 requires role-based training for users with security responsibilities. No cloud environment provides this. You need a training program, documented completion records, and evidence of periodic refreshers. C3PAOs will ask for it.
Incident Response (IR)
Requirement 3.6.1 mandates an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response activities. Your CSP has their own incident response plan for their infrastructure. You need yours. And per DFARS 252.204-7012, you have 72 hours to report cyber incidents involving CUI to the DoD Cyber Crime Center (DC3). GovCloud does not file that report for you.
Configuration Management (CM)
Requirement 3.4.1 requires baseline configurations for your information systems. GovCloud provides default configurations and hardening guides, but establishing, documenting, and maintaining your specific baselines is your job. Requirement 3.4.6 requires employing the principle of least functionality, meaning you need to restrict unnecessary ports, protocols, and services. Your CSP gives you security groups and NACLs; you have to configure them and prove they align with your documented baseline.
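Proving that security groups match a documented baseline is exactly the 3.4.1/3.4.6 evidence an assessor wants, so here is an added example of that comparison (not FirmAdapt's code or an AWS tool). It takes ingress rules in the shape the AWS API returns and reports every rule the baseline does not authorise; the baseline, group IDs and CIDR ranges are constructed.

```python
"""Security-group conformance check against a documented baseline (NIST SP 800-171 3.4.1/3.4.6).
Added example, not FirmAdapt code. It compares ingress rules in the shape AWS returns from
describe_security_groups()["SecurityGroups"] with a documented allow-list and reports every
rule the baseline does not authorise. The baseline and the groups below are constructed."""

# Constructed baseline: (protocol, from_port, to_port) -> source CIDRs allowed to reach it.
BASELINE = {
    ("tcp", 443, 443): {"10.20.0.0/16"},  # HTTPS from the corporate VPN range only
    ("tcp", 22, 22): {"10.20.1.0/24"},    # SSH from the bastion subnet only
}

# Constructed dump of two security groups in front of a CUI file server.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "cui-fileserver", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "cui-mgmt", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.20.1.0/24"}]},  # "-1" = all traffic
    ]},
]

def check_groups(groups, baseline):
    """Return (group_id, reason) for every ingress rule the baseline does not cover.

    Only CIDR sources are examined; rules whose source is another security group
    (UserIdGroupPairs) are a separate review and are ignored here.
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            key = (proto, perm.get("FromPort"), perm.get("ToPort"))
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if proto == "-1":  # every protocol and port: never least functionality
                    findings.append((group["GroupId"], "all protocols/ports open from %s" % src))
                elif key not in baseline:
                    findings.append((group["GroupId"], "%s %s-%s from %s not in baseline"
                                     % (proto, key[1], key[2], src)))
                elif src not in baseline[key]:
                    findings.append((group["GroupId"], "%s port %s from %s is not an approved source"
                                     % (proto, key[1], src)))
    return findings
```

An empty list is the result you attach to the configuration-management record; anything else is either a baseline change to document or a rule to remove.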
Audit and Accountability (AU)
Requirement 3.3.1 requires creating and retaining system audit logs. AWS CloudTrail, Azure Monitor, and similar services generate logs, but you need to ensure they capture the right events, retain them for an appropriate period, protect them from tampering, and actually review them. Requirement 3.3.5 requires correlating audit review, analysis, and reporting processes. That means a SIEM or equivalent capability, staffed by people who know what they are looking at.
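The "capture the right events, retain them, protect them from tampering" part of 3.3.1 can be checked against the trail configuration itself, as in this added example (not FirmAdapt's code or an AWS tool). It inspects CloudTrail trail descriptions and the log bucket's lifecycle rules in the shapes the AWS API returns; the trail names, bucket names, KMS key ARN and the 365-day retention figure are constructed.

```python
"""Audit-trail configuration check for CloudTrail (NIST SP 800-171 3.3.1).
Added example, not FirmAdapt code. It inspects trail descriptions in the shape AWS returns
from describe_trails()["trailList"] and the log bucket's rules from
get_bucket_lifecycle_configuration()["Rules"], reporting gaps in coverage, retention and
tamper protection. Trail names, bucket names, key ARN and retention figure are constructed."""

REQUIRED_RETENTION_DAYS = 365  # Constructed figure: take this from your own audit policy

# Constructed trail list: one well-configured trail and one that should fail the check.
SAMPLE_TRAILS = [
    {"Name": "org-cui-trail", "S3BucketName": "cui-audit-logs", "IsMultiRegionTrail": True,
     "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws-us-gov:kms:us-gov-west-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"Name": "legacy-trail", "S3BucketName": "old-logs", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": False, "LogFileValidationEnabled": False},
]

# Constructed lifecycle rules per log bucket (no entry means nothing expires the objects).
SAMPLE_LIFECYCLE = {
    "cui-audit-logs": [{"ID": "retain", "Status": "Enabled", "Expiration": {"Days": 400}}],
    "old-logs": [{"ID": "purge", "Status": "Enabled", "Expiration": {"Days": 30}}],
}

def retention_days(rules):
    """Shortest enabled expiration in days, or None when no rule expires the objects."""
    days = [r["Expiration"]["Days"] for r in rules
            if r.get("Status") == "Enabled" and "Days" in r.get("Expiration", {})]
    return min(days) if days else None

def check_trail(trail, lifecycle):
    """Return finding strings for one trail; an empty list means it passes every check here."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail: API calls in other regions are not captured")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events (IAM, STS) are not captured")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation off: tampering with delivered logs is undetectable")
    if not trail.get("KmsKeyId"):
        findings.append("logs are not encrypted with a customer-managed KMS key")
    days = retention_days(lifecycle.get(trail.get("S3BucketName"), []))
    if days is not None and days < REQUIRED_RETENTION_DAYS:
        findings.append("logs expire after %d days, policy requires %d" % (days, REQUIRED_RETENTION_DAYS))
    return findings

def check_trails(trails, lifecycle):
    """Map trail name -> findings, for trails with at least one gap."""
    return {t["Name"]: f for t in trails for f in [check_trail(t, lifecycle)] if f}
```

This only proves the logs exist, are complete and are protected; the review and correlation that 3.3.5 asks for still needs a SIEM and a person reading it.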
The SSP and POA&M Problem
CMMC Level 2 assessments require a System Security Plan (SSP) that describes how your organization meets each of the 110 requirements. You also need a Plan of Action and Milestones (POA&M) for any requirements not yet fully implemented, though the CMMC final rule limits the use of POA&Ms. Specifically, you cannot have POA&Ms for any of the 46 requirements weighted as "highest" in the CMMC assessment methodology, and all POA&M items must be closed within 180 days of a conditional assessment.
Your CSP's FedRAMP authorization documentation is a useful input to your SSP. You can reference the CSP's controls as partially satisfying certain requirements. But the SSP itself needs to describe your complete implementation, including the customer-responsible controls. A C3PAO assessor will not accept "we use GovCloud" as a response to how you meet 3.5.3 (multifactor authentication). They want to see your MFA policy, your implementation evidence, and your configuration documentation.
The Real Preparation Work
If you are a defense contractor preparing for a CMMC Level 2 assessment, the infrastructure decision (GovCloud vs. commercial cloud vs. on-premises) is maybe 15 to 20 percent of the compliance effort. The remaining work involves policy development, procedure documentation, evidence collection, gap remediation, training programs, continuous monitoring capabilities, and organizational change management. The DoD estimated in its regulatory impact analysis that CMMC compliance costs for a small business at Level 2 would run approximately $100,000 to $120,000 over three years, with assessment costs around $50,000. For mid-size contractors with complex environments, those numbers climb substantially.
Companies that treat the cloud migration as the hard part and the policy work as paperwork to be handled later are the ones that will find themselves scrambling when their prime contractor requires a CMMC Level 2 certification as a condition of subcontract award.
How FirmAdapt Addresses This
FirmAdapt is built to help organizations manage the full scope of compliance obligations, not just the infrastructure layer. For defense contractors working toward CMMC Level 2, FirmAdapt maps your existing controls against all 110 NIST SP 800-171 requirements, identifies gaps between what your CSP covers and what remains your responsibility, and tracks remediation through POA&M workflows with the 180-day closure deadlines built in.
Because FirmAdapt's architecture is compliance-first, it maintains the evidence trails and documentation structures that C3PAO assessors expect to see. SSP generation, policy version control, training completion tracking, and audit log correlation are handled within a platform designed for regulated environments. The goal is straightforward: make the 80 percent of CMMC work that has nothing to do with your cloud provider manageable and auditable.