While the fight regarding the JEDI cloud computing contract between Amazon Web Services (AWS) and the Pentagon drags on, AWS is partnering with the Department of Defense (DoD) in another capacity – the department’s cybersecurity standard for contractors.

The Cybersecurity Maturity Model Certification (CMMC) is the department’s vehicle for shoring up the cybersecurity of the roughly 300,000 contractors in the defense industrial base. And while the standard is still being clarified and established by the CMMC-Accreditation Body (CMMC-AB), AWS is looking to pick up the slack for small businesses that might struggle to find a solution for implementing the standard.

“You would expect to see that solution coming out of Amazon,” said Mark Fox, AWS’ senior manager of defense mission programs, during an online event Friday hosted by Billington Cybersecurity.

The department is planning on putting the CMMC requirement in select contracts this year, said Katie Arrington, CISO for Acquisition and Sustainment in the Department of Defense. Arrington has said that the CMMC will benefit small businesses, but AWS could also gain from the process.

“AWS is collaborating with the DoD and the CMMC-AB on the requirements and certification process,” says the company’s website on a page dedicated to the CMMC. “AWS intends to provide CMMC solutions for customers that will accelerate their CMMC certification and reduce their level of effort and risk.”


The AWS webpage said this year the department is “planning for 10 Requests for Information (RFI) and 10 Requests for Proposal (RFP) to include CMMC requirements.”

DoD’s Arrington and CMMC-AB Chairman Ty Schieber emphasized their ties to small businesses during Friday’s online event alongside AWS’ Fox.


The department-supported Project Spectrum website, Arrington said, was “stood up to support small businesses.” Schieber said about 75 percent of the CMMC-AB’s 15-member board is from small business.

And while Schieber said the requirements for the certified third-party assessment organizations (C3PAOs) are two or three weeks away from being posted and the assessors won’t be trained until “late June, early July,” AWS is arranging to help companies meet the new standard.

“AWS plans on offering CMMC solutions that include automated deployment capabilities, reference architectures, CMMC practices responsibility matrix, potential FedRAMP authorization inheritance (once defined by DoD), and supporting certification documentation for customers to leverage as they pursue their CMMC certification,” the AWS website says.

Certain controls will be shared between the businesses seeking CMMC support and Amazon Web Services, said Fox, adding “there is no easy button.”

Dwight Weingarten
Dwight Weingarten is a MeriTalk Staff Reporter covering the intersection of government and technology.