The Most Common Cloud Security Compliance Gaps Found During Audits — and How to Fix Them

What Auditors Actually Find When They Look at Your Cloud Environment

Cloud adoption has accelerated across the defense industrial base, federal agencies, and regulated industries over the past several years. But faster adoption has not translated into stronger compliance posture. In my experience leading audits and assessments for defense contractors and federal organizations, the same cloud security compliance failures appear again and again — regardless of company size, industry, or how long the organization has been using cloud services.

This post documents the most common gaps we find during cloud security audits, why they matter under frameworks like CMMC, NIST SP 800-171, and FedRAMP, and what compliance managers and executives should do right now to address them. If your organization handles Controlled Unclassified Information (CUI), operates under a DoD contract, or is preparing for a CMMC assessment, these findings apply directly to you.

Gap 1: Using a Non-Compliant Cloud Environment for CUI

This is the single most consequential gap we encounter. Organizations are storing, processing, or transmitting CUI in commercial cloud environments — standard Microsoft 365, Google Workspace, or commercial AWS — that do not meet the sovereignty and access control requirements of DFARS 252.204-7012 or CMMC.

Defense contractors handling CUI are required to use cloud services that meet FedRAMP Moderate equivalency at minimum. For ITAR-controlled data, that bar is even higher. Microsoft 365 GCC High exists specifically to address this requirement, providing a US-person-only, sovereign cloud environment that supports ITAR, DFARS, and CMMC compliance. Our blog post on what GCC High is and why it matters for ITAR and CMMC 2.0 explains this distinction in detail.

How to fix it: Conduct a CUI boundary assessment to identify where CUI resides, flows, and is processed. If your current cloud platform is not FedRAMP authorized at the required impact level, begin evaluating migration to GCC High or an equivalent compliant environment. Our team provides CMMC, CUI, and DFARS compliance services that include cloud environment selection and configuration support.

Gap 2: Misconfigured Conditional Access and Multi-Factor Authentication

Multi-factor authentication (MFA) is a baseline control under NIST SP 800-171 and CMMC Level 1 and Level 2. Yet we routinely find organizations that have MFA enabled in name only — legacy authentication protocols remain active, conditional access policies have gaps, or privileged accounts are exempted for convenience.

In GCC High environments specifically, misconfigured conditional access policies frequently allow unmanaged devices or non-compliant endpoints to access CUI-bearing systems. This directly undermines the access control protections the environment was deployed to provide.

How to fix it:

  • Disable legacy authentication protocols across all Microsoft 365 or Azure services
  • Enforce MFA for all users, including service accounts and administrative accounts
  • Configure conditional access policies to require compliant or hybrid-joined devices
  • Review named locations and ensure no unintended exclusions exist
  • Test policies in report-only mode before enforcement, then move to enforcement with monitoring
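The checks in that list can be run against an export of the tenant's conditional access policies before an assessor does it for you. The script below is an added example, not code from the original post or from Microsoft; it reads policy objects in the shape of the Microsoft Graph conditionalAccessPolicy resource (what Get-MgIdentityConditionalAccessPolicy returns) and flags the gaps named above: legacy authentication not blocked by an enforced policy, MFA policies with user or privileged-role exclusions, device-compliance policies left disabled, and policies stuck in report-only mode. The three sample policies, their IDs and the excluded user are constructed; the Global Administrator role template ID is the well-known Entra ID value.

```python
"""Gap check for exported Entra ID conditional access policies (added example).

The dictionaries mirror the shape of the Microsoft Graph conditionalAccessPolicy
resource (what Get-MgIdentityConditionalAccessPolicy returns), but every policy
name, ID and setting below is constructed for this illustration.
"""
import copy

LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}   # legacy authentication clients
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"  # well-known role template ID


def _grant(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def _users(policy):
    return (policy.get("conditions") or {}).get("users") or {}


def _covers_everything(policy):
    """True when the policy targets all users and all cloud apps."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    return ("All" in (_users(policy).get("includeUsers") or [])
            and "All" in (apps.get("includeApplications") or []))


def assess_conditional_access(policies):
    """Return human-readable findings for the MFA, legacy-auth and device gaps."""
    findings = []
    legacy_blocked = mfa_for_all = device_required = False
    for p in policies:
        name = p.get("displayName") or p.get("id") or "<unnamed>"
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append(f"'{name}' is still in report-only mode and enforces nothing")
        if p.get("state") != "enabled":
            continue  # disabled and report-only policies protect nobody
        grant = _grant(p)
        client_apps = set((p.get("conditions") or {}).get("clientAppTypes") or [])
        if "block" in grant and LEGACY_CLIENT_APPS <= client_apps and _covers_everything(p):
            legacy_blocked = True
        if "mfa" in grant and _covers_everything(p):
            mfa_for_all = True
            users = _users(p)
            for uid in users.get("excludeUsers") or []:
                findings.append(f"'{name}' excludes user {uid} from MFA; "
                                "confirm it is a documented break-glass account")
            for gid in users.get("excludeGroups") or []:
                findings.append(f"'{name}' excludes group {gid} from MFA; review its membership")
            for rid in users.get("excludeRoles") or []:
                label = "Global Administrator" if rid == GLOBAL_ADMIN_ROLE_ID else rid
                findings.append(f"'{name}' excludes privileged role {label} from MFA")
        if grant & DEVICE_CONTROLS and _covers_everything(p):
            device_required = True
    if not legacy_blocked:
        findings.append("No enforced policy blocks legacy authentication clients")
    if not mfa_for_all:
        findings.append("No enforced policy requires MFA for all users on all cloud apps")
    if not device_required:
        findings.append("No enforced policy requires a compliant or hybrid-joined device")
    return findings


def apply_recommended_fixes(policies):
    """Copy of the policies with every policy enforced and privileged-role
    exclusions removed; individual user exclusions are left for human review."""
    fixed = copy.deepcopy(policies)
    for p in fixed:
        p["state"] = "enabled"
        p.setdefault("conditions", {}).setdefault("users", {})["excludeRoles"] = []
    return fixed


# Constructed sample export: an MFA policy with exclusions, a legacy-auth block left
# in report-only mode, and a device-compliance policy that was never enabled.
SAMPLE_POLICIES = [
    {"id": "p1", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["11111111-2222-3333-4444-555555555555"],
                              "excludeRoles": [GLOBAL_ADMIN_ROLE_ID]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p2", "displayName": "Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "p3", "displayName": "Require compliant device", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

if __name__ == "__main__":
    for finding in assess_conditional_access(SAMPLE_POLICIES):
        print("FINDING:", finding)
```

Run as written, the sample tenant produces five findings; after apply_recommended_fixes only the break-glass user exclusion remains, which is exactly the one item that should be closed by documentation rather than by a policy change. Real exports will contain named locations, session controls and group exclusions the script does not interpret, so treat its output as the starting list for the manual review the text calls for.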

Gap 3: Absence of Data Loss Prevention Policies for CUI

Organizations frequently lack any Data Loss Prevention (DLP) configuration in their cloud environment, or they have DLP policies that were deployed at initial setup and never updated to reflect how the organization actually handles CUI today. Auditors look for evidence that DLP policies are active, scoped to cover CUI categories, and generating actionable alerts.

Without DLP, CUI can be emailed to personal accounts, shared externally via SharePoint or OneDrive links, or extracted through collaboration tools — all without any detection or prevention. Our post on understanding Data Loss Prevention covers the foundational concepts compliance managers need to understand before configuring these policies.

How to fix it: Deploy Microsoft Purview DLP policies tailored to CUI and ITAR categories. Define policies for email, Teams, SharePoint, and OneDrive. Establish alert thresholds, assign policy owners, and document policy review cycles. DLP configuration should align with your System Security Plan (SSP).

Gap 4: No Documented System Security Plan Covering Cloud Assets

A System Security Plan (SSP) is required under NIST SP 800-171 and is a cornerstone document for any CMMC assessment. What we find in practice is that many organizations have an SSP — but it was written to describe an on-premises environment and has never been updated to reflect the organization's cloud architecture.

When auditors ask for documentation showing how NIST 800-171 controls are satisfied within the cloud environment, compliance teams frequently cannot produce it. This creates significant audit risk even when the technical controls are actually in place. Our post on SSP and POA&M as critical components of a strong security program outlines what these documents must contain.

How to fix it: Update your SSP to accurately reflect your current cloud architecture, including all cloud service providers, inherited controls, and customer-responsible controls. Map every NIST SP 800-171 requirement to its implementation status and document how cloud platforms satisfy — or require supplemental controls to satisfy — each requirement.

Gap 5: Inadequate Audit Logging and Log Retention

Audit logging is required under NIST SP 800-171 (3.3.1 and 3.3.2) and CMMC. In cloud environments, logging is available — but it is rarely configured correctly or reviewed consistently. Common failures include:

  • Unified Audit Log not enabled in Microsoft 365 GCC High
  • Log retention periods set below the required threshold
  • Logs stored in the same environment as the systems they monitor, creating integrity concerns
  • No documented log review process or assigned responsibility for review
  • Alert policies not configured to flag high-risk events

How to fix it: Enable and verify the Unified Audit Log in your Microsoft 365 environment. Set retention periods in accordance with your contractual and regulatory requirements — typically a minimum of 90 days active with longer-term archival. Export logs to an immutable storage location. Document who reviews logs, how often, and what actions are taken on alerts.
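The five logging failures and the fix above reduce to a small set of evidence an assessor collects, plus proof that high-risk events actually surface. The following added example (not code from the original post or from Microsoft) encodes both: check_audit_settings scores a tenant's logging evidence against the 90-day minimum and the export and review requirements, and flag_high_risk_events runs over Unified Audit Log records and picks out the operations an alert policy should have raised. UnifiedAuditLogIngestionEnabled is the property Get-AdminAuditLogConfig reports in Exchange Online; the other settings keys, the sample settings, and every audit record are constructed for the illustration, though the record fields and operation names follow the Unified Audit Log schema.

```python
"""Audit-logging configuration and event checks (added example).

`UnifiedAuditLogIngestionEnabled` is the property Get-AdminAuditLogConfig reports in
Exchange Online; the other settings keys (RetentionDays, ImmutableExportTarget,
ReviewOwner, ReviewCadenceDays) are constructed names for the evidence an assessor
collects. Records use Unified Audit Log field names, but the events are constructed.
"""
MIN_RETENTION_DAYS = 90  # minimum active retention cited above

# Unified Audit Log operations an alert policy should flag, and why.
HIGH_RISK_OPERATIONS = {
    "Add member to role.": "privileged role assignment",
    "New-InboxRule": "new mailbox rule (check for auto-forwarding)",
    "Set-InboxRule": "mailbox rule modified",
    "AnonymousLinkCreated": "anonymous sharing link created",
    "SharingInvitationCreated": "external sharing invitation sent",
}
FORWARDING_PARAMETERS = {"ForwardingSmtpAddress", "ForwardingAddress"}


def check_audit_settings(settings):
    """Findings against the logging failures listed above."""
    findings = []
    if not settings.get("UnifiedAuditLogIngestionEnabled"):
        findings.append("Unified Audit Log ingestion is not enabled")
    retention = int(settings.get("RetentionDays") or 0)
    if retention < MIN_RETENTION_DAYS:
        findings.append(f"Retention is {retention} days; at least {MIN_RETENTION_DAYS} expected")
    if not settings.get("ImmutableExportTarget"):
        findings.append("Logs are not exported to immutable storage outside the monitored tenant")
    if not (settings.get("ReviewOwner") and settings.get("ReviewCadenceDays")):
        findings.append("No documented log review owner or review cadence")
    return findings


def flag_high_risk_events(records):
    """Select audit records that a high-risk alert policy should have raised."""
    flagged = []
    for r in records:
        op = r.get("Operation", "")
        reason = HIGH_RISK_OPERATIONS.get(op)
        # Set-Mailbox is routine administration unless it configures forwarding.
        if op == "Set-Mailbox":
            names = {p.get("Name") for p in r.get("Parameters", [])}
            if names & FORWARDING_PARAMETERS:
                reason = "mailbox forwarding configured"
        if reason:
            flagged.append({"time": r["CreationTime"], "user": r["UserId"],
                            "workload": r["Workload"], "operation": op, "reason": reason})
    return flagged


# Constructed evidence: one tenant with the typical gaps, one after remediation.
SAMPLE_SETTINGS = {"UnifiedAuditLogIngestionEnabled": False, "RetentionDays": 30,
                   "ImmutableExportTarget": "", "ReviewOwner": None, "ReviewCadenceDays": None}
REMEDIATED_SETTINGS = {"UnifiedAuditLogIngestionEnabled": True, "RetentionDays": 365,
                       "ImmutableExportTarget": "<immutable-archive-placeholder>",
                       "ReviewOwner": "Security Operations Lead", "ReviewCadenceDays": 7}

# Constructed audit records; field names follow the Unified Audit Log schema.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-01T08:02:11", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "UserId": "user1@example.test"},
    {"CreationTime": "2024-03-01T09:15:40", "Workload": "AzureActiveDirectory",
     "Operation": "Add member to role.", "UserId": "admin@example.test"},
    {"CreationTime": "2024-03-01T09:20:05", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "user2@example.test"},
    {"CreationTime": "2024-03-01T10:01:33", "Workload": "Exchange",
     "Operation": "Set-Mailbox", "UserId": "admin@example.test",
     "Parameters": [{"Name": "Identity", "Value": "user2"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:someone@external.test"}]},
    {"CreationTime": "2024-03-01T11:45:00", "Workload": "SharePoint",
     "Operation": "FileAccessed", "UserId": "user3@example.test"},
]

if __name__ == "__main__":
    for f in check_audit_settings(SAMPLE_SETTINGS):
        print("SETTING:", f)
    for e in flag_high_risk_events(SAMPLE_RECORDS):
        print("EVENT:", e["time"], e["user"], e["operation"], "->", e["reason"])
```

The settings check is only as good as the evidence fed to it; the point of the constructed keys is that each one corresponds to an artifact (a retention policy screenshot, an export job configuration, a named reviewer in the SSP) that an assessor will ask to see. The event check is deliberately narrow: a documented list of operations that always warrant review is easier to defend in an assessment than a broad heuristic, and it can be extended as the organization's alert policies mature.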

Gap 6: Unmanaged External Sharing and Guest Access

SharePoint Online and Microsoft Teams in GCC High environments support external sharing and guest access — but these features must be deliberately restricted for organizations handling CUI. We consistently find environments where guest access has been enabled for a legitimate business purpose and never removed, or where external sharing settings allow CUI to flow outside the authorized boundary.

This gap often surfaces during CUI data protection assessments for cloud environments, where the authorized processing boundary does not match the actual flow of data.

How to fix it: Conduct a full review of SharePoint site-level and tenant-level sharing settings. Disable external sharing for sites containing CUI. Review and remove stale guest accounts. Establish a formal process for requesting, approving, documenting, and periodically reviewing any guest access that is operationally necessary.

Gap 7: No Endpoint Compliance Enforcement for Devices Accessing CUI Systems

Organizations deploy GCC High or other compliant cloud environments but fail to enforce device compliance at the endpoint level. Users access CUI-bearing systems from personal laptops, unmanaged mobile devices, or endpoints that are not enrolled in Microsoft Intune or an equivalent Mobile Device Management (MDM) solution.

This gap effectively bypasses the access controls at the cloud layer by allowing non-compliant hardware to serve as the point of access. For a deeper look at endpoint security fundamentals, see our post on endpoint security basics for regulated organizations.

How to fix it: Require Intune enrollment for all devices accessing CUI systems. Configure compliance policies that enforce OS version requirements, disk encryption, antivirus status, and screen lock settings. Use conditional access to block non-compliant devices. Document your endpoint compliance baseline in your SSP.

Gap 8: Failure to Validate Inherited Controls from Cloud Service Providers

Cloud compliance follows a shared responsibility model. Microsoft, AWS GovCloud, and other compliant cloud providers implement certain controls that their customers inherit — but those inherited controls do not cover everything. Organizations frequently assume they are compliant simply because they are using a FedRAMP-authorized platform.

Auditors expect organizations to document which controls are inherited, which are customer-managed, and which are shared. Gaps in this documentation, or a misunderstanding of the shared responsibility model, are among the most common causes of failed or delayed assessments. Organizations pursuing federal and SLED risk assessments need this documentation clearly articulated before the assessment begins.

How to fix it: Obtain the cloud provider's Customer Responsibility Matrix (CRM) or shared responsibility documentation. Map inherited controls to your SSP. For every control that is customer-managed, document the specific implementation. Never mark a control as fully satisfied without verifying both the inherited and customer-implemented portions.
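The mapping step above is mechanical enough to check automatically once the CRM and the SSP are in tabular form. The script below is an added example, not code from the original post or from any cloud provider; it joins a CRM (control ID to Inherited, Shared or Customer) against SSP entries and reports every control that cannot yet be defended as fully satisfied: controls marked Implemented whose customer-managed portion is undocumented, inherited controls with no provider evidence referenced, controls in the CRM that the SSP never mapped, SSP controls with no responsibility assignment, and non-implemented controls that belong on the POA&M. The control numbers are NIST SP 800-171 requirement IDs; the responsibility assignments and SSP rows are constructed and do not describe any particular provider's CRM.

```python
"""Reconcile a provider Customer Responsibility Matrix (CRM) with SSP control
entries (added example). Control numbers are NIST SP 800-171 requirement IDs;
the responsibility assignments and SSP rows are constructed for illustration and
do not describe any particular provider's CRM.
"""
RESPONSIBILITIES = {"Inherited", "Shared", "Customer"}


def reconcile(crm, ssp):
    """Return {control_id: [issue, ...]} for every control that cannot yet be
    defended as fully satisfied in an assessment."""
    issues = {}

    def add(cid, msg):
        issues.setdefault(cid, []).append(msg)

    for cid, who in crm.items():
        if who not in RESPONSIBILITIES:
            add(cid, f"unknown responsibility value '{who}' in CRM")
            continue
        entry = ssp.get(cid)
        if entry is None:
            add(cid, "listed in the CRM but not mapped in the SSP")
            continue
        status = entry.get("status")
        if status != "Implemented":
            if status != "Not Applicable":
                add(cid, f"status '{status}' requires a POA&M entry with a completion date")
            continue
        # Shared and customer-only controls need the customer side written down;
        # shared and inherited controls need a pointer to the provider's evidence.
        if who in ("Shared", "Customer") and not entry.get("customer_implementation"):
            add(cid, "marked Implemented but the customer-managed portion is undocumented")
        if who in ("Shared", "Inherited") and not entry.get("provider_evidence"):
            add(cid, "relies on an inherited control with no provider evidence referenced")
    for cid in ssp:
        if cid not in crm:
            add(cid, "in the SSP with no responsibility assignment from the CRM")
    return issues


def defensible_controls(crm, ssp):
    """Controls marked Implemented whose inherited and customer portions both check out."""
    problems = reconcile(crm, ssp)
    return {cid for cid, e in ssp.items()
            if e.get("status") == "Implemented" and cid not in problems}


# Constructed CRM: who owns each control under the shared responsibility model.
SAMPLE_CRM = {
    "3.1.1": "Shared",        # limit system access to authorized users
    "3.3.1": "Shared",        # create and retain audit logs
    "3.5.3": "Customer",      # multifactor authentication
    "3.9.1": "Customer",      # screen individuals prior to access
    "3.13.11": "Inherited",   # FIPS-validated cryptography
    "3.13.16": "Shared",      # protect CUI at rest
}

# Constructed SSP rows: status plus the evidence an assessor will ask for.
SAMPLE_SSP = {
    "3.1.1": {"status": "Implemented",
              "customer_implementation": "Conditional access and quarterly RBAC group review",
              "provider_evidence": "<provider package reference placeholder>"},
    "3.3.1": {"status": "Implemented", "customer_implementation": "",
              "provider_evidence": "<provider package reference placeholder>"},
    "3.5.3": {"status": "Planned", "customer_implementation": "", "provider_evidence": ""},
    "3.9.1": {"status": "Implemented",
              "customer_implementation": "HR screening procedure SOP-<placeholder>",
              "provider_evidence": ""},
    "3.13.11": {"status": "Implemented", "customer_implementation": "",
                "provider_evidence": ""},
    "3.14.2": {"status": "Implemented",
               "customer_implementation": "Endpoint protection enforced via Intune compliance",
               "provider_evidence": ""},
}

if __name__ == "__main__":
    for cid, msgs in sorted(reconcile(SAMPLE_CRM, SAMPLE_SSP).items()):
        for m in msgs:
            print(f"{cid}: {m}")
    print("Defensible as fully satisfied:", sorted(defensible_controls(SAMPLE_CRM, SAMPLE_SSP)))
```

The useful output is the second function: the set of controls the organization can mark fully satisfied with a straight face. Everything else is either a documentation task (write down the customer portion, cite the provider evidence, add the missing mapping) or a POA&M item, which is the distinction the assessor will draw.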

A Note on Ongoing Compliance vs. Point-in-Time Fixes

The gaps described above are not one-time remediation items. Cloud environments change constantly — new applications are deployed, access policies drift, users are added and removed, and configurations are updated. Sustained cloud security compliance requires a governance program that includes periodic reviews, change management processes, and documented evidence of continuous monitoring.

Organizations that treat compliance as a project rather than a program will find themselves rebuilding the same remediation effort before every audit cycle. Our post on the GCC High compliance checklist provides a practical starting point for organizations establishing ongoing verification processes.

Where to Start If You Are Behind

If your organization has not conducted a formal cloud security compliance assessment, start there. A structured gap assessment will identify which of these issues apply to your environment, prioritize remediation based on audit risk, and produce the documentation trail that supports your SSP and POA&M. Organizations with active DoD contracts or pending CMMC assessments should treat this as urgent — not aspirational.

For organizations that need ongoing compliance leadership but do not have a full-time CISO, our regulatory vCISO services provide embedded compliance expertise across CMMC, NIST SP 800-171, DFARS, and cloud security frameworks. This model is particularly effective for mid-size defense contractors managing cloud migration alongside CMMC preparation.

If your organization is ready to close these gaps and establish a defensible cloud security compliance posture, I encourage you to request a quote or review our engagement models to find the right level of support. The gaps documented here are fixable — but they require deliberate action, not assumptions about what your cloud provider handles on your behalf.
