Compliance Frameworks in Cloud

A practitioner's framework-by-framework guide to the standards that shape cloud security work in 2026 - SOC 2, ISO 27001, PCI DSS v4, HIPAA, FedRAMP, CMMC 2.0, NIST CSF, NIST 800-53/171, CIS Benchmarks, GDPR, SOX, NIS2, DORA, and the regional and sector-specific regulations behind them. Companion deep dive to the GRC overview: what each framework actually requires, how it maps to cloud, what AWS / Azure / GCP attest to, and where it usually goes wrong.

Detailed view of a hand writing a signature on an official document with a ballpoint pen
Photo by Tima Miroshnichenko on Pexels

· · Vendor-neutral · View source on GitHub

The 30-second version: Compliance frameworks are external requirements you map your internal control set to. They overlap heavily - SOC 2, ISO 27001, and most other security frameworks share 60-80% of the underlying controls - which means a second framework is far cheaper than the first if you build the mapping deliberately. Pick the framework with revenue or regulatory force attached, run it as your primary, and layer overlays for everything else.

This page is the framework-by-framework deep dive. For the meta-discipline of running a GRC program, see GRC for Cloud. For the live sensor that produces evidence, see CSPM vs CNAPP. Compliance is not security - the auditor's sign-off and the attacker's failure are independent events. Build for both.

On this page

  1. Which frameworks apply to you?
  2. The 60-80% overlap reality
  3. SOC 2
  4. ISO/IEC 27001 (and 27017, 27018, 27701)
  5. PCI DSS v4.0
  6. HIPAA / HITECH (and HITRUST)
  7. FedRAMP
  8. CMMC 2.0
  9. NIST CSF 2.0
  10. NIST SP 800-53 & 800-171
  11. CIS Benchmarks & CIS Controls v8
  12. GDPR, UK GDPR, CCPA/CPRA
  13. SOX (ITGCs)
  14. Regional: NIS2, DORA, APRA, PIPL, LGPD
  15. Sector-specific: FERPA, GLBA, CJIS, TISAX, ISO 13485
  16. Framework crosswalks & mapping tools
  17. AWS / Azure / GCP compliance programs
  18. Continuous compliance & evidence automation
  19. GRC platform landscape
  20. Common pitfalls
  21. Further reading
  22. FAQ

Which frameworks apply to you?

The meta-question every practitioner asks first. The answer is the intersection of three forces - what your customers require to buy, what regulators require to operate, and what contracts you've already signed. The decision tree below covers most cases:

The honest answer is that most companies eventually accumulate 3-5 frameworks. The order in which they arrive is almost always: first the framework that gates revenue (usually SOC 2 or PCI DSS), then the framework that gates a specific deal type (HIPAA, FedRAMP, ISO 27001), then the regulatory framework that becomes mandatory at a threshold (GDPR, SOX, CCPA), then the sector-specific overlay. Plan the sequence; don't pursue them ad hoc.

The 60-80% overlap reality

SOC 2, ISO 27001, PCI DSS, HIPAA, FedRAMP, NIST CSF, CIS Controls, and most other security frameworks all require the same foundational controls - they just describe them differently. Multi-factor authentication on privileged accounts is the same engineering work whether SOC 2 calls it CC6.1, ISO 27001 calls it A.5.17, PCI DSS calls it Requirement 8.4, NIST 800-53 calls it IA-2(1), or HITRUST calls it 01.j. The auditor needs to see the control in the format their framework expects; the underlying control runs once.

This is the single highest-leverage insight in multi-framework programs: maintain one internal control set, map every external framework to it, and only add framework-specific overlays where genuinely required. Building one control set per framework is the most expensive mistake any GRC program can make.

The mapping work itself is mostly solved by industry-standard crosswalks. The most useful:

The remaining 20-40% is where frameworks diverge. PCI DSS has hard requirements for network segmentation, cardholder data flow diagrams, and quarterly ASV scans that other frameworks don't share. FedRAMP requires US-citizen-only personnel for some baselines. HIPAA requires Breach Notification Rule processes with specific timelines. GDPR requires data subject rights workflows. These are the overlays; build them once and don't pretend the underlying engineering work is different.

SOC 2

The de facto B2B SaaS attestation in North America. Authored by the AICPA and performed by licensed CPA firms. Not a certification - it's an attestation report describing the auditor's opinion on the design (Type I) or operating effectiveness (Type II) of your controls against the Trust Services Criteria.

Type I vs Type II

The five Trust Services Criteria (TSC)

Audit firm selection

The big four (Deloitte, PwC, EY, KPMG) audit large public companies expensively. Mid-market and cloud-native firms - Schellman, A-LIGN, Coalfire, Insight Assurance, Prescient Assurance, Sensiba, BARR Advisory, Johanson Group - dominate SaaS SOC 2 work and are usually a much better fit for the first audit. Pick the firm by the lead auditor's cloud literacy and prior engagements on your stack, not the brand on the report. Stable multi-year relationships drive cost down materially.

Typical cost and timeline

For a 20-50-person SaaS using a compliance-automation platform: $20k-$40k for a Type I, $40k-$80k for a Type II (Security only), $60k-$120k+ if you add Availability and Confidentiality. Add 6 months of observation period before the audit can be performed. Total elapsed from "we should do this" to a signed Type II report: 9-12 months realistic, 6 months aggressive. Large enterprises spend $200k+ on annual SOC 2s with broader TSC coverage and bigger control populations.

Cloud-specific gotchas

ISO/IEC 27001 (and 27017, 27018, 27701)

The international standard for an Information Security Management System (ISMS). Unlike SOC 2, ISO 27001 is a true certification - issued by an accredited registrar - and the standard prescribes the management system structure (risk-based, with management review, internal audit, continual improvement) in addition to the controls. ISO 27001 is more common than SOC 2 outside North America and increasingly co-required.

Structure

Related ISO standards

Certification cycle

Cost and timeline

Initial certification: $25k-$60k for the audit itself (3-year cycle), plus 6-12 months of internal work to stand up the ISMS, run an internal audit, and complete a management review. Surveillance audits typically run 40-60% of the initial cost. Pick an accredited registrar (BSI, DNV, BSI Group, TÜV, Schellman, A-LIGN, Coalfire ISO, Mastermind) - non-accredited certificates are not recognized.

Cloud-specific gotchas

PCI DSS v4.0

The Payment Card Industry Data Security Standard. Maintained by the PCI Security Standards Council on behalf of the major card brands (Visa, Mastercard, American Express, Discover, JCB). Required if you store, process, or transmit cardholder data, or if you can impact the security of cardholder data. v4.0.1 is current; v3.2.1 was fully retired in March 2024.

The 12 Requirements (grouped into 6 control objectives)

  1. Install and maintain network security controls.
  2. Apply secure configurations to all system components.
  3. Protect stored account data.
  4. Protect cardholder data with strong cryptography during transmission over open public networks.
  5. Protect all systems and networks from malicious software.
  6. Develop and maintain secure systems and software.
  7. Restrict access to system components and cardholder data by business need to know.
  8. Identify users and authenticate access.
  9. Restrict physical access to cardholder data.
  10. Log and monitor all access to system components and cardholder data.
  11. Test security of systems and networks regularly.
  12. Support information security with organizational policies and programs.

v4.0 changes that matter

Scope reduction is the highest-leverage move

The Cardholder Data Environment (CDE) is the in-scope set of systems that store, process, transmit, or could impact cardholder data security. Anything you can remove from the CDE saves audit work for the life of the program. The standard mechanisms:

Cloud-specific guidance

The PCI Cloud Computing SIG guidance (Information Supplement) covers shared-responsibility mapping for cloud workloads. AWS, Azure, and GCP each publish PCI DSS responsibility matrices that explicitly delineate which requirements they cover, which you cover, and which are shared. Use the matrix from your provider; do not let your QSA assume.

Cost

SAQ A is essentially free (engineering effort only). SAQ D self-assessed: $25k-$75k in tooling and consultant time. Level 1 ROC with QSA: $100k-$500k+ depending on scope, plus ongoing quarterly ASV scans, annual penetration testing, and continuous monitoring overhead.

HIPAA / HITECH (and HITRUST)

The Health Insurance Portability and Accountability Act (1996) and the HITECH Act (2009) together form the US federal framework for protecting health information. Applies to covered entities (providers, payers, clearinghouses) and their business associates (BAs) - including any cloud or SaaS that handles Protected Health Information (PHI) on a covered entity's behalf.

Three rules

Security Rule safeguards

Note: HIPAA distinguishes "required" from "addressable" implementation specifications. Addressable does not mean optional; it means you implement, or document a justification for an equivalent alternative. This is a common misread.

BAAs with cloud providers

You must have a signed Business Associate Agreement with any subprocessor that handles PHI. Critically, the BAA does not automatically cover every service the provider offers - you must use a HIPAA-eligible service from the provider's list. Putting PHI in a non-eligible service is a violation regardless of the BAA being in place.

HITRUST CSF

The HITRUST Common Security Framework is the de facto unified control framework healthcare customers ask for. It harmonizes HIPAA, NIST 800-53, ISO 27001, PCI DSS, COBIT, and more into one assessable control set. Three assessment types:

HITRUST r2 is expensive - $100k-$500k+ - but a single r2 satisfies most healthcare customer security reviews and crosswalks to many other frameworks.

FedRAMP

The Federal Risk and Authorization Management Program - the standardized authorization process for cloud services used by US federal agencies. Drawn from NIST SP 800-53 Rev 5, with FedRAMP-specific overlay (the FedRAMP Baselines).

Baselines

Authorization paths

FedRAMP 20x

FedRAMP 20x is the program's 2025 modernization initiative - automated continuous monitoring with key security indicators (KSIs), OSCAL-native authorization packages, reduced documentation overhead, and a more contemporary control-mapping approach. Early-adopter vendors are seeing materially faster authorizations; if you are starting FedRAMP now, evaluate the 20x path before defaulting to the legacy process.

3PAO assessment

A FedRAMP-accredited Third-Party Assessment Organization performs the security assessment. The 3PAO writes a Security Assessment Report (SAR) and Security Assessment Plan (SAP); the package includes a System Security Plan (SSP), continuous-monitoring strategy, and POA&M (Plan of Action and Milestones) for residual findings. Major 3PAOs: Coalfire, Kratos, A-LIGN, Schellman, BARR Advisory, Fortreum.

Cloud boundaries

Cost and timeline

FedRAMP Moderate: 12-18+ months from kickoff to ATO; $500k-$2M+ in first-year cost (3PAO fees, technical control implementation, consulting, internal headcount). Annual continuous monitoring adds ~$300k-$600k. Only pursue FedRAMP with named federal revenue. "Maybe federal someday" is a recipe for sunk cost.

CMMC 2.0

Cybersecurity Maturity Model Certification 2.0 - the US Department of Defense's framework for contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Final rule effective December 2024; phased contract incorporation begins 2025 and continues over a 3-year rollout.

Levels

DFARS 252.204-7012 and friends

The contractual lever that put 800-171 in place; CMMC layers an assessment regime on top. The full clause set: 252.204-7012 (safeguarding covered defense information), 252.204-7019 (NIST 800-171 self-assessment), 252.204-7020 (supplier compliance), 252.204-7021 (CMMC requirements). SPRS score (Supplier Performance Risk System) reporting is the precursor most primes already require.

Cloud-specific implementation

CUI in cloud workloads must use a CSP that meets FedRAMP Moderate (or DoD IL4 for some scenarios) and implements 800-171 controls in the customer-managed portion of the stack. Common patterns:

NIST CSF 2.0

The NIST Cybersecurity Framework, first published 2014, updated to 2.0 in February 2024. Voluntary framework, not an attestation, but the most-cited common-language reference in security programs worldwide. CSF 2.0 organizes work into six Functions:

CSF 2.0 underneath uses 22 Categories and ~106 Subcategories - the actual outcomes you implement. Each Subcategory maps to controls in 800-53, ISO 27001, COBIT, ISA/IEC 62443, and others via the Informative References.

Use CSF as the meta-framework for executive reporting and program structure, layered above whichever attestation frameworks you target. Boards and CISOs find the Function/Category vocabulary far more legible than SOC 2 Trust Services Criteria or ISO 27001 Annex A. Many regulators (NYDFS, FTC) reference CSF in expected practice.

NIST SP 800-53 & 800-171

NIST SP 800-53 Rev 5

The comprehensive US federal control catalog - ~1,000 controls organized into 20 families (Access Control, Audit and Accountability, Identification and Authentication, System and Communications Protection, etc.). The basis for FedRAMP baselines and many other federal frameworks. Rev 5 introduced privacy controls inline with security controls and added supply-chain risk management (SR family).

You will rarely implement 800-53 directly as a private-sector entity unless you are pursuing FedRAMP. But 800-53 is the largest control vocabulary; crosswalks to almost everything else flow through it.

NIST SP 800-171 Rev 2 (Rev 3 transitioning)

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. 110 controls in 14 families, derived as a subset of 800-53 tuned for non-federal contexts. The technical baseline behind DFARS 252.204-7012 and CMMC 2.0 Level 2.

Rev 3, published in May 2024, restructured the families and updated some controls. Rev 2 remains the legally-cited baseline in DFARS as of early 2026; expect a transition timeline once the FAR / DFARS catches up.

NIST SP 800-172

Enhanced security requirements layered on top of 800-171 for environments holding particularly high-value CUI. ~35 enhanced controls focused on adversary-targeted attacks (advanced persistent threats, supply chain). The CMMC Level 3 control set draws from 800-172.

CIS Benchmarks & CIS Controls v8

The Center for Internet Security publishes two distinct things often confused: Benchmarks (per-platform configuration baselines) and Controls (a prioritized control framework).

CIS Benchmarks

Specific, configuration-level baselines per platform - CIS AWS Foundations, CIS Azure Foundations, CIS GCP Foundations, CIS Kubernetes Benchmark, CIS Docker, CIS Ubuntu / Windows / RHEL, plus dozens of application and database benchmarks. Not attestations; they are the implementation-layer baseline every modern CSPM scores against by default.

Aligning with the CIS AWS / Azure / GCP Foundations Benchmark produces evidence that crosswalks cleanly to SOC 2 CC controls, ISO 27001 Annex A technical controls, PCI DSS Requirements 1, 2, 7, 8, 10, and HIPAA Security Rule technical safeguards. For most cloud-native programs, "comply with CIS Foundations Benchmark" is the highest-leverage single starting goal.

CIS Controls v8

18 prioritized security controls with ~153 safeguards. Stratified into three Implementation Groups by organization profile:

CIS Controls v8 is a useful prioritization layer above your framework-of-record - it tells you which controls to implement first based on adversary realism, not just compliance order. Many regulators (FTC, state AGs in data-breach cases) reference CIS Controls as expected practice.

GDPR, UK GDPR, CCPA/CPRA

GDPR

The General Data Protection Regulation applies to processing of personal data of EU/EEA residents, regardless of where the controller or processor is located. Extraterritorial scope means most cloud services with EU users are in scope.

Cross-border transfers

The hard part for cloud workloads. Personal data leaving the EEA requires a lawful transfer mechanism:

Schrems II implications still apply. The CJEU ruling invalidated Privacy Shield in 2020 over US surveillance concerns; the DPF is the response, and it is itself the target of ongoing legal challenge (Schrems III is anticipated). Mature programs use the DPF where applicable but maintain SCCs and TIAs as the defensible fallback.

UK GDPR and the IDTA

Post-Brexit, the UK has its own GDPR (substantially identical) and its own transfer regime. The International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs are the two mechanisms. UK adequacy for the EU is granted but periodically reviewed.

CCPA / CPRA and US state laws

The California Consumer Privacy Act (2020) as amended by the California Privacy Rights Act (CPRA, effective 2023) covers businesses meeting revenue or processing thresholds. Comparable but distinct privacy laws now exist in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Delaware, Iowa, New Jersey, Tennessee, Montana, and others. Most converge on similar primitives: consumer rights (access, delete, opt-out of sale/sharing, correction), opt-out of targeted advertising, sensitive-data protections, privacy notices, vendor / service-provider contracts.

Operate one privacy program tuned to the strictest standard (typically CPRA or GDPR), and overlay state-specific requirements where genuinely required.

SOX (ITGCs)

The Sarbanes-Oxley Act (2002) governs US public companies. SOX Section 404 requires management to assess internal controls over financial reporting (ICFR) and the external auditor to attest. The cloud-security-relevant slice is IT General Controls (ITGCs) - controls over the IT environment supporting financial reporting systems.

The four ITGC domains

Cloud-specific SOX work: tying IaC commits to Jira tickets to peer-reviewed pull requests to production deployments produces almost all the program-change evidence. Quarterly access reviews against your IdP (Entra ID, Okta, Google Workspace, AWS IAM Identity Center) covers the access slice. Cloud audit logs (CloudTrail, Activity Log, Cloud Audit Logs) cover the audit-trail requirement. The auditor wants a clean evidence chain; build it once with automation, present it every quarter.

Regional: NIS2, DORA, APRA, PIPL, LGPD

NIS2 (EU)

Directive (EU) 2022/2555 on the security of network and information systems. Applies to essential and important entities across ~18 sectors (energy, transport, banking, health, digital infrastructure, ICT service management, public administration, food, manufacturing, postal, water, space, etc.). Member-state transposition required by October 2024 - uneven in practice but enforceable now in most member states. Imposes risk-management measures, incident-reporting timelines (24h early warning, 72h notification, 1-month final report), and management-body accountability with potential personal liability.

DORA (EU)

Digital Operational Resilience Act - Regulation (EU) 2022/2554, in force January 17, 2025. Applies to ~22,000 EU financial entities (banks, insurance, investment firms, crypto-asset service providers) and their ICT third-party service providers including critical CSPs. Five pillars: ICT risk management, incident reporting, digital operational resilience testing (including threat-led penetration testing - TLPT), ICT third-party risk, information sharing. Critical Third-Party Providers (CTPPs) - designation pending - face direct oversight from the ESAs.

APRA CPS 234 (Australia)

APRA Prudential Standard CPS 234 - information security obligations for Australian regulated financial entities. Plus CPS 230 (operational risk management) and CPS 231 (outsourcing) for the broader risk landscape. AWS, Azure, and GCP have all published APRA-specific guidance.

PIPL (China)

Personal Information Protection Law (2021) - comprehensive personal-data law analogous to GDPR. Cross-border transfer mechanisms (security assessment by CAC, certification, SCC) required. Data Security Law (DSL) and Cybersecurity Law (CSL) sit alongside. Operating in China generally requires a local entity or in-country partner.

LGPD (Brazil)

Lei Geral de Proteção de Dados (2020) - GDPR-aligned Brazilian privacy law enforced by the ANPD. Most GDPR-compliant programs map cleanly with localization for legal bases and breach notification specifics.

Sector-specific: FERPA, GLBA, CJIS, TISAX, ISO 13485

Framework crosswalks & mapping tools

The mapping work is mostly already done. Use these instead of reinventing the crosswalk:

AWS / Azure / GCP compliance programs

Every major cloud attests to dozens of frameworks at the provider layer. The native tooling, evidence portals, and assessment automation each provides differs meaningfully:

Capability AWS Azure GCP
Total attestations 140+ 100+ 75+
SOC 1 / 2 / 3 Yes - semiannual reports in Artifact Yes - semiannual reports via STP Yes - semiannual reports via Reports Manager
ISO 27001 / 27017 / 27018 / 27701 All four All four All four
PCI DSS Level 1 Yes - ~120 services Yes - comparable scope Yes - comparable scope
HIPAA BAA-eligible services ~150 services Covered via Online Services Terms ~140 services
FedRAMP Moderate & High (commercial + GovCloud) Moderate & High (commercial + Government) Moderate & High (via Assured Workloads + Gov regions)
DoD Impact Levels IL2, IL4, IL5, IL6 (Secret Region) IL2, IL4, IL5, IL6 (Azure Government Secret) IL2, IL4, IL5 (via Assured Workloads)
CMMC support GovCloud customer-responsibility matrix Azure Government / GCC High guidance Assured Workloads for CUI
EU regulations (C5, ENS, NIS2/DORA support) BSI C5, ENS High, NIS2 / DORA collateral BSI C5, ENS High, NIS2 / DORA collateral BSI C5, ENS High, NIS2 / DORA collateral
APAC (IRAP, MAS, K-ISMS, MTCS) IRAP PROTECTED, MAS, MTCS L3, K-ISMS IRAP PROTECTED, MAS, MTCS L3, K-ISMS IRAP PROTECTED, MAS, MTCS L3, K-ISMS
Evidence / report portal AWS Artifact Service Trust Portal Compliance Reports Manager
BAA / DPA signing Click-through in Artifact Through Online Services Terms / EA Click-through in Cloud Console
Customer assessment tooling AWS Audit Manager Purview Compliance Manager Assured Workloads + SCC compliance posture
Regulated-workload boundary GovCloud (US), Secret Region, dedicated tenancy Azure Government, Sovereign Cloud, EU Data Boundary Assured Workloads (FedRAMP, IL4, CJIS, ITAR, sovereign EU), partner sovereign clouds

Three takeaways. One: attestation coverage at the provider level is roughly parity across all three; the differences that matter are at the customer-implementation layer and the regulated-boundary offerings. Two: the evidence portals - Artifact, STP, Reports Manager - are where you collect provider AOCs and SOC reports for your auditor. Bookmark all three early. Three: the customer-side assessment tools (Audit Manager, Purview Compliance Manager, Assured Workloads + SCC) are valuable but they don't replace a GRC platform - they instrument the cloud-native portion of evidence collection.

Continuous compliance & evidence automation

For the deep dive on this, see the GRC policy-as-code section and the continuous compliance with CSPM/CNAPP section - this page is about the frameworks themselves; the implementation pattern is the same regardless of which frameworks you target.

The short version: every modern framework now expects continuous monitoring evidence rather than point-in-time snapshots. PCI DSS v4.0, FedRAMP 20x, SOC 2 with revised TSC, and the trend across ISO 27001 audits all push toward "show me the rule, show me the evaluation log, show me the remediation workflow" instead of "send me a screenshot taken last Tuesday." Programs that have built compliance-as-code in CI/CD, CSPM/CNAPP rule packs aligned to their target frameworks, and a CSPM or GRC platform that pulls evidence on a schedule sail through audits; programs still on screenshot-driven evidence collection are about to face increasing auditor friction.

GRC platform landscape

The system-of-record layer that organizes evidence, framework mappings, exceptions, vendor risk, and audit readiness. Brief differentiation - see the GRC page for a deeper take:

The choice criterion that matters most: integration depth with your cloud(s), identity provider, and ticketing. The whole value proposition is automated evidence collection. A platform that pulls 80% of evidence automatically is worth 2-3× one that pulls 30%. Talk to your target auditor about which platforms they're efficient on before signing the contract - the same auditor on their preferred platform is a meaningfully cheaper engagement.

Common pitfalls

Further reading

Framework primary sources

Mapping tools

Cloud provider compliance portals

Related CSOH pages

FAQ

Which compliance framework should I start with?

Start with the one your customers ask for. For most B2B SaaS in North America that's SOC 2 Type II. If you sell to EU enterprises, ISO 27001 is the more common ask and may be required co-equally. If you handle payment cards, PCI DSS is non-negotiable. If you handle PHI, HIPAA. If you sell to the US federal government, FedRAMP. Pick the one with revenue attached, run it as your primary, and map every other framework to it - they overlap 60-80% so a second framework is far cheaper than the first.

What is the difference between SOC 2 Type I and Type II?

Type I is a point-in-time assessment: the auditor evaluates whether your controls are designed appropriately on a specific date. It's faster (a few weeks of fieldwork) and cheaper, but enterprise buyers rarely accept it as the final answer. Type II covers an observation period - typically 6 or 12 months - and the auditor tests whether the controls actually operated effectively the whole time. Type II is what procurement teams want; Type I is a stepping stone or a stop-gap during the first observation window.

How do SOC 2, ISO 27001, and PCI DSS overlap?

They overlap by roughly 60-80% on the underlying technical controls - access management, encryption, logging, change management, incident response, vulnerability management, vendor risk. Where they diverge: SOC 2 emphasizes service-organization commitments and Trust Services Criteria; ISO 27001 requires a formal ISMS with management review and continual improvement; PCI DSS is highly prescriptive on network segmentation, cardholder data handling, and quarterly scanning. The pragmatic approach is to maintain one internal control set, map all frameworks to it, and add framework-specific overlays where needed. The Secure Controls Framework, the Unified Compliance Framework, and OSCAL exist specifically to make this mapping reusable.

Is FedRAMP worth pursuing for a commercial SaaS?

Only if you have an identified federal customer with budget. FedRAMP Moderate authorization typically takes 12-18 months and $500k-$2M+ in first-year cost, plus ongoing continuous-monitoring overhead. The path: choose a baseline (Low, Moderate, High, or LI-SaaS for the new lightweight track), build in a FedRAMP-aligned cloud (AWS GovCloud, Azure Government, GCP with Assured Workloads, or the commercial regions where the providers' attestation extends), engage a 3PAO, and pursue an Agency ATO or the legacy JAB P-ATO. FedRAMP 20x is the program's modernization effort and may shorten this materially for vendors who join early. "Maybe federal eventually" is not a business case.

Does using AWS, Azure, or GCP make my workload compliant?

No - it makes the provider's part of the stack compliant. Under the shared responsibility model, the cloud provider attests to the controls they own (physical security, hypervisor, managed-service internals); you attest to the controls you own (IAM configuration, data encryption decisions, application security, customer access). AWS Artifact, Azure Service Trust Portal, and Google Cloud Compliance Reports Manager give you the provider-side reports to share with your auditor; you still need to demonstrate your half. Inheriting a provider's FedRAMP authorization does not authorize your service - it just means the underlying platform is in scope of the authorization you'll pursue.

What is CMMC 2.0 and who needs it?

CMMC (Cybersecurity Maturity Model Certification) 2.0 is the US Department of Defense's framework for contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Level 1 (Foundational) covers FCI and is self-assessed against 17 practices. Level 2 (Advanced) covers CUI and requires a C3PAO assessment against the 110 controls of NIST SP 800-171. Level 3 (Expert) is for the most sensitive CUI and is assessed by the government's DIBCAC against a subset of NIST SP 800-172. Phased rollout into DoD contracts is underway; any prime or subcontractor that touches CUI needs to be planning their level now.

What replaced Privacy Shield for EU-US data transfers?

The EU-US Data Privacy Framework (DPF), adopted in July 2023, replaced the Privacy Shield that Schrems II invalidated in 2020. US companies self-certify with the Department of Commerce. The DPF coexists with Standard Contractual Clauses (SCCs) and adequacy decisions as the lawful basis for personal-data transfers out of the EEA. The DPF is itself the target of ongoing legal challenge (Schrems III is anticipated), so most cloud-aware programs use the DPF where applicable but maintain SCCs and Transfer Impact Assessments (TIAs) as the defensible fallback. For UK transfers, the UK extension to the DPF and the UK International Data Transfer Agreement (IDTA) serve the same role.

Where next