AWS GovCloud Architecture for ITAR and CMMC Workloads

Apr 20, 2027 through Apr 21  |  Virtual 2-Day Intensive  |  10:00 AM ET

Two-day intensive on architecting AWS GovCloud (US) workloads to support ITAR-controlled and CMMC-scoped data. Covers account structure, IAM and SCP design, encryption with KMS, logging strategies, the AWS shared responsibility model in GovCloud, and the FedRAMP/DoD IL inheritance model.

Topics: ITAR, CMMC L2, AWS GovCloud, FedRAMP High, IL5
Instructor: Carl B. Johnson  |  Location: Virtual (Zoom)
Tuition: $1,895

What This Session Covers

Defense and federal contractors face a compounding challenge: ITAR-controlled technical data and CMMC-scoped Controlled Unclassified Information (CUI) must live in environments that can survive an assessor's scrutiny, not just a security team's internal review. This two-day intensive with Carl B. Johnson, President and CISO of Cleared Systems, walks practitioners through the architectural decisions that separate a compliant AWS GovCloud deployment from one that creates findings.

Day One: Account Structure, Identity, and Boundary Control

  • GovCloud account architecture: designing multi-account structures that enforce ITAR and CMMC data boundaries, including the relationship between a commercial payer account and GovCloud workload accounts
  • IAM design for least-privilege: role hierarchies, permission boundaries, and identity federation patterns appropriate for ITAR-restricted personnel and CMMC access control requirements
  • Service Control Policies (SCPs): writing and layering SCPs to prevent data egress to non-GovCloud regions, restrict services to those with FedRAMP High authorization, and enforce organizational guardrails that hold under an IL5 threat model
  • AWS shared responsibility model in GovCloud: what AWS inherits, what you own, and how those lines shift when you move from standard commercial regions into the GovCloud partition
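As an added illustration of the SCP guardrail described in the Day One agenda (this is example code written for this page, not a template from the course or from Cleared Systems), the block below builds a region-restriction Service Control Policy and includes a small evaluator so you can check which requests it would deny before attaching it. The allowed-region list, the exempt global actions, and the evaluator's simplified semantics are assumptions for the example; narrow the region list to a single GovCloud region if your IL5 service selection requires it, and review the exemption list against the services your accounts actually use.

```python
"""Added example: build a region-restriction SCP and evaluate requests against it.

Illustrative code for this page, not course material. Allowed regions and the
global-service exemptions are assumptions; the evaluator covers only the Deny /
NotAction / aws:RequestedRegion pattern built here, not full IAM evaluation.
"""
import json

# Regions in the AWS GovCloud (US) partition (assumed boundary for the example).
ALLOWED_REGIONS = ["us-gov-west-1", "us-gov-east-1"]

# Non-regional actions exempted from the region check (assumed list; review it
# against the services in use so the guardrail does not break IAM or STS calls).
GLOBAL_ACTION_EXEMPTIONS = ["iam:*", "sts:*", "organizations:*", "support:*"]


def build_region_guardrail_scp(allowed_regions=ALLOWED_REGIONS,
                               exempt_actions=GLOBAL_ACTION_EXEMPTIONS):
    """Return an SCP document denying any request targeted at a region outside
    the allowed list, except for the exempted global actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideGovCloudRegions",
                "Effect": "Deny",
                "NotAction": exempt_actions,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": allowed_regions}
                },
            }
        ],
    }


def _action_matches(pattern, action):
    """Minimal IAM-style action matcher supporting a trailing '*' (e.g. 'iam:*')."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()


def scp_denies(scp, action, requested_region):
    """True if the SCP's Deny statements block this action in this region.

    Handles only the statement shape produced above: an explicit Deny with
    NotAction and a StringNotEquals condition on aws:RequestedRegion.
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue  # exempted global action; this statement does not apply
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if allowed is not None and requested_region not in allowed:
            return True
    return False


if __name__ == "__main__":
    scp = build_region_guardrail_scp()
    print(json.dumps(scp, indent=2))
    # Constructed sample requests to show the guardrail's effect.
    for action, region in [("s3:PutObject", "us-gov-west-1"),
                           ("s3:PutObject", "us-east-1"),
                           ("iam:CreateRole", "us-east-1")]:
        print(f"{action:16s} {region:14s} denied={scp_denies(scp, action, region)}")
```

The evaluator is deliberately narrow: it exists so the region condition and the exemption list can be sanity-checked in a unit test, not to replace the IAM policy simulator. Layer a second SCP for service restriction (allowing only FedRAMP High-authorized services) rather than folding both concerns into one statement, so each guardrail can be reviewed and evidenced on its own.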

Day Two: Encryption, Logging, and Compliance Inheritance

  • Encryption with AWS KMS: key policy design, customer-managed key (CMK) strategies, and envelope encryption patterns that satisfy ITAR and CMMC data-protection requirements; handling key access for U.S.-person controls
  • Logging strategies: configuring CloudTrail, Config, and S3 access logging to produce audit trails that map to CMMC Level 2 audit and accountability practices and satisfy ITAR incident-response documentation needs
  • FedRAMP High and DoD IL inheritance model: reading and applying an AWS Customer Responsibility Matrix, identifying which controls are inherited versus hybrid versus customer-owned, and documenting inheritance in a System Security Plan (SSP)
  • IL5 workload considerations: additional configuration requirements beyond FedRAMP High baseline, including data sensitivity tagging, network segmentation, and service selection constraints specific to Impact Level 5 data
  • Mapping architecture decisions to CMMC Level 2 practices: translating the configurations built in Days One and Two into the evidence artifacts an assessor expects to review
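The logging checklist in the Day Two agenda is the kind of thing that is easiest to keep honest as code. The block below is an added example (not the course's checklist or Cleared Systems' tooling) that checks a CloudTrail trail description against a small set of expected settings. The input dictionaries are constructed to match the field names returned by CloudTrail's DescribeTrails API; the required settings and the GovCloud region list are assumptions for the example and should be adjusted to your own SSP commitments.

```python
"""Added example: check CloudTrail trail settings against a logging checklist.

Illustrative code for this page. Input entries are constructed to resemble
DescribeTrails output; the checklist values and region list are assumptions.
"""

# Each entry: (field name, required value, why an assessor cares). Assumed set.
CLOUDTRAIL_CHECKLIST = [
    ("IsMultiRegionTrail", True, "events from every region in the partition are captured"),
    ("LogFileValidationEnabled", True, "digest files let you prove log files were not altered"),
    ("IsOrganizationTrail", True, "member accounts cannot opt out of logging"),
]

GOVCLOUD_REGIONS = ("us-gov-west-1", "us-gov-east-1")  # assumed boundary


def check_trail(trail, allowed_regions=GOVCLOUD_REGIONS):
    """Return a list of finding strings for one DescribeTrails-style entry.

    An empty list means every checked setting is in the expected state.
    """
    findings = []
    for field, expected, why in CLOUDTRAIL_CHECKLIST:
        actual = trail.get(field)
        if actual != expected:
            findings.append(f"{field} is {actual!r}, expected {expected!r}: {why}")
    # KmsKeyId is optional in the API; require SSE-KMS with a customer-managed key
    # so log files carrying CUI-related metadata are under your key policy.
    if not trail.get("KmsKeyId"):
        findings.append("KmsKeyId is unset: log files are not encrypted with a customer-managed KMS key")
    home = trail.get("HomeRegion")
    if home not in allowed_regions:
        findings.append(f"HomeRegion {home!r} is outside the GovCloud boundary")
    return findings


def check_trails(trails, allowed_regions=GOVCLOUD_REGIONS):
    """Map each trail name to its findings; trails with no findings map to []."""
    return {t.get("Name", "<unnamed>"): check_trail(t, allowed_regions) for t in trails}


# Constructed sample trails (not real account data).
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "S3BucketName": "example-audit-logs",
        "HomeRegion": "us-gov-west-1",
        "IsMultiRegionTrail": True,
        "IsOrganizationTrail": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws-us-gov:kms:us-gov-west-1:111122223333:key/EXAMPLE-KEY-ID",
    },
    {
        "Name": "legacy-trail",
        "S3BucketName": "example-old-logs",
        "HomeRegion": "us-gov-west-1",
        "IsMultiRegionTrail": False,
        "IsOrganizationTrail": False,
        "LogFileValidationEnabled": False,
    },
]

if __name__ == "__main__":
    for name, findings in check_trails(SAMPLE_TRAILS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run against the real output of `aws cloudtrail describe-trails` and the findings list doubles as the evidence artifact: each line names the setting, its observed value, and the reason it maps to an audit and accountability practice, which is the form an assessor expects to see.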

What You Will Leave With

This training is designed to produce usable outputs, not just conceptual awareness. Attendees will leave with:

  • A reference account-structure diagram illustrating ITAR- and CMMC-scoped GovCloud architecture you can adapt for your environment
  • SCP templates covering common GovCloud guardrail scenarios for ITAR data boundaries and FedRAMP-authorized service restriction
  • A KMS key policy framework aligned to ITAR U.S.-person access controls and CMMC encryption requirements
  • A logging configuration checklist mapping CloudTrail and Config settings to CMMC Level 2 audit practices
  • Practical fluency in reading a Customer Responsibility Matrix and translating inherited controls into SSP language
  • The ability to walk an assessor or auditor through your GovCloud architecture with confidence, explaining every boundary decision in compliance terms

Practitioners who support ongoing compliance programs may also find value in reviewing Cleared Systems' CMMC, CUI, and DFARS compliance services and its ITAR and export controls compliance services as a complement to the technical architecture skills developed here.

Who Should Attend

This session is built for the people doing the work. Cloud architects and engineers at defense contractors who are standing up or hardening GovCloud environments will get the most immediate technical return. Compliance and security practitioners responsible for CMMC scoping, SSP development, or ITAR technology controls will gain the architectural vocabulary to make their documentation accurate and defensible. IT managers and compliance program leads overseeing a team preparing for a CMMC Level 2 assessment or a FedRAMP authorization effort will find this training directly accelerates their readiness timeline.

If your organization handles export-controlled technical data, CUI, or DoD contract work in cloud environments, the practitioners you send to this training will return with skills they can apply in the week following the event — not concepts that require months of additional research to operationalize.

Continuing Your Compliance Architecture Work

Two days builds a strong foundation, but complex GovCloud environments often surface questions that extend beyond training. Cleared Systems offers hands-on support through its Regulatory vCISO Services for organizations that need ongoing expert guidance as they implement, document, and defend the architectures covered in this course.

Questions About This Session?

Ask about group rates, private delivery of this curriculum for your team, or whether this session fits your compliance roadmap.
