Solution: CMMC Level 2 Cloud Compliance

Eliminate CMMC Cloud Prep with Continuous Readiness and Evidence

Third-party CMMC Level 2 certification becomes mandatory for DoD contract awards on November 10, 2026. imPAC Labs replaces thousands of hours of manual evidence collection by continuously capturing the cloud configuration controls behind your assessment, with the only continuous historical evidence engine on the market.

Built for GRC leads, security teams, and cloud ops at defense contractors pursuing Level 2.

Read-only and agentless
Self-hosted: deploys inside your environment
3 clouds: AWS GovCloud, Azure, and GCP
0 egress: nothing leaves your boundary

CMMC Level 2 requires proof your cloud controls held continuously. Most contractors can't.

CMMC turned NIST 800-171 into a certification, but a large share of the proof still lives in your cloud configuration. That evidence has to be current, complete, and reconstructable for any date an assessor asks about. Most teams meet that bar with dozens of analysts, manual screenshots, and audit packages that go stale the day they are captured.

Roughly 30 of 110 controls live in your cloud

About 30 of the 110 NIST 800-171 controls live in cloud configuration and must be re-proven every assessment cycle. There is no continuous link between the control and the configuration that actually proves it.

[Figure: 30 of 110 controls (27%) live in cloud configuration, across the AC, AU, CM, IA, and SC families]

Evidence goes stale the moment config changes

A passing check today does not help when a configuration drifts tomorrow. CMMC requires proof across the full period and at annual affirmation, not a one-time snapshot, and you usually do not find the gap until the next cycle.

[Figure: PASS captured, then a config change, then drift undetected]

Manual collection does not scale

Dozens of people spend thousands of hours reconciling screenshots and spreadsheets across accounts. Native GovCloud tooling stays rigid and flags false positives on controls that do not even apply to your environment.

40+ people involved
3,000 hours / cycle

[Illustration: screenshots (1,284 captured), spreadsheets (47 files · 9 accounts), and false positives from rigid rules with no context, including an N/A control flagged]

From control to evidence in four steps

Map, discover, validate, and prove, without the manual evidence collection.

Map: We have already mapped the cloud-relevant CMMC Level 2 controls to concrete configuration checks. Adjust any check in no-code to match how your assessor interprets a control, so the mapping stays defensible to your C3PAO.

Discover: imPAC continuously inventories the cloud infrastructure holding your CUI across AWS GovCloud, Azure, and GCP, including the IAM, KMS, logging, and storage layers. Scope it to a single account, region, or VPC so the picture matches your CUI boundary exactly.

Validate: Codified controls run continuously against your live configuration. Drift is flagged the moment it happens, and checks are scoped so your team is not chasing false positives on out-of-scope or dead assets.

Prove: Time Machine keeps complete configuration history for every change, actor, and timestamp. Show any control's exact state on any date, and export the config and timestamp in the package format your C3PAO requires.

How we map to CMMC Level 2

Control family on the left, imPAC coverage on the right.

AC Access Control (Continuous)
Maps every identity, role, and policy across all accounts, flagging public exposure, wildcard permissions, and over-privileged access.

AU Audit & Accountability (Continuous)
Confirms audit logging is enabled across regions and retained; Time Machine records every change, actor, and timestamp.

CM Configuration Management (Continuous)
Continuous baseline checks with full config history, proving specific controls held over any time period.

SC System & Communications Protection (Continuous)
Encryption at rest, key rotation, TLS enforcement, and network boundary protection, checked continuously.

imPAC owns the cloud-configuration controls within CMMC Level 2, roughly 30 of the 110. Your team keeps ownership of the rest of the program.

“The hardest part of our assessment was not meeting the controls, it was capturing all the evidence and proving they held six months ago. imPAC captures our cloud configuration on every scan, so we can automatically show evidence to an assessor of the exact state on any date instead of rebuilding it by hand.”

-CISO, publicly traded defense contractor

What CMMC readiness in imPAC means for your team

Detailed historical proof

Retrieve any control's exact state with a full change history over time. The question “was this in place on March 15” takes seconds, not a forensic dig through logs.

Always current

Continuous rescans and live config pulls mean your evidence reflects the latest state, so a passing posture stays provable between audits and at annual affirmation.

Self-hosted and GovCloud-ready

Deploy entirely inside your environment, reading metadata only. Nothing leaves your boundary, which is what a defense contractor's assessment demands. GovCloud today, GCC High next.

Configurable by design

Scope checks to the services and accounts that matter, and build or edit controls in no-code so the mapping matches your assessor's interpretation rather than a one-size-fits-all default.

Multi-framework, single inventory

ISO 27001, SOC 2, and NIST map to the same underlying cloud asset inventory. A new framework means new controls inside the platform you already run, not a new platform.

Audit-ready export

Self-evidencing logs export with config and timestamp in the format your C3PAO expects, so audit prep stops being a fire drill.

Frequently Asked Questions

Does imPAC get us CMMC certified?
No. imPAC owns the cloud-configuration portion of your assessment, roughly 30 of the 110 controls. You still run the rest of your program and engage a C3PAO. imPAC makes the cloud evidence continuous and self-serve so that portion stops consuming your team.

What about the controls that are not cloud-related?
Those stay with your team and your GRC tooling. imPAC focuses only on the controls that require cloud configuration evidence, which is where the manual effort concentrates.

Can we export evidence for our C3PAO?
Yes. Evidence exports with the underlying config and timestamp, so you can package it the way your assessor requires rather than only viewing it in the tool.

Where does imPAC run, and is our data safe?
imPAC deploys self-hosted inside your environment, including AWS GovCloud. Access is read-only and agentless, and it reads metadata only. Nothing leaves your boundary.

Does it support GovCloud and GCC High?
The self-hosted GovCloud version is available now, with GCC High next on the roadmap. You can run commercial and government environments from one platform, with different frameworks applied to each.

See your CMMC cloud posture in one session

No prep and no commitment. We will show you which of your cloud configuration controls are already in good shape, where the gaps are, and how the evidence exports for your assessor.
