Modernizing IT Infrastructure for Defense Contractors
March 19, 2026 · 11 min read

For defense contractors, IT modernization is no longer a strategic option; it is a compliance prerequisite. CMMC 2.0 enforcement, the DoD Zero Trust Strategy, the cloud requirements that push most Microsoft shops to GCC High, and the eventual transition to NIST SP 800-171 Revision 3 are reshaping what a compliant, competitive contractor IT environment looks like. Small and mid-size contractors that have relied on traditional on-premises infrastructure, commercial email and collaboration platforms, or legacy security tools are discovering that those environments cannot meet CMMC Level 2 requirements as-is. The good news is that the path to a modern, CMMC-aligned infrastructure is well defined. The key is understanding what the DoD actually requires, and what it does not, before committing to a modernization roadmap.
What Does the DoD Actually Require for Cloud Infrastructure?
The cloud requirement for DoD contractors is frequently misunderstood, and getting it wrong creates both compliance gaps and unnecessary cost. Here is what the regulation actually says:
DFARS clause 252.204-7012, paragraph (b)(2)(ii)(D), requires that when a contractor uses an external cloud service to store, process, or transmit Covered Defense Information (CDI, which includes CUI), the service must meet security requirements equivalent to the FedRAMP Moderate baseline at minimum, and the provider must comply with the clause's paragraphs (c) through (g): 72-hour cyber incident reporting, submission of malicious software, preservation of images and logs for at least 90 days after an incident, access for DoD forensic analysis, and support for cyber incident damage assessment. This is what people mean by "DFARS 7012 (c) through (g) compliance"; it is a contractual commitment from the provider, not just a FedRAMP badge. The implication:
- Standard commercial Microsoft 365 (M365 Commercial) does not satisfy DFARS 252.204-7012 for CUI. Microsoft does not extend the paragraph (c) through (g) commitments to the commercial service, and it offers no U.S. data residency or U.S.-person support-staff guarantee, so a contractor cannot document the flow-down for it.
- Microsoft 365 GCC (Government Community Cloud) is not a safe default for CUI either. GCC carries a FedRAMP authorization, but it runs in the commercial Azure regions, its support and engineering staff are not restricted to U.S. persons, and it is not intended for export-controlled (ITAR/EAR) CUI. Whether GCC's contractual terms cover the full scope of DFARS 7012 paragraphs (c) through (g) for your data is something to confirm in writing with Microsoft rather than assume; most assessors and Microsoft partners steer CUI workloads to GCC High.
- Microsoft 365 GCC High is the practical standard for DoD contractors handling CUI. GCC High runs on physically segregated Azure Government infrastructure located in the continental United States (CONUS), is supported by screened U.S. persons, and is authorized at FedRAMP High, supporting DoD Impact Level 4 (IL4) and IL5 equivalency. Of the Microsoft 365 environments a contractor can actually buy (the separate M365 DoD environment is reserved for DoD entities), it is the one that supports DFARS 7012 paragraphs (c) through (g), ITAR and EAR export-controlled data, and the technical controls behind CMMC Level 2 and Level 3. Note the word "supports": the platform does not make you compliant. Microsoft's published shared responsibility matrix for GCC High lists which NIST SP 800-171 requirements Microsoft inherits, which are shared, and which remain yours to configure and document in your SSP.
No regulation names GCC High as the mandatory platform. The combination of FedRAMP High authorization, U.S. data residency, U.S.-person access restrictions, and the paragraph (c) through (g) commitments simply makes it the de facto standard for contractors that run on Microsoft 365. Contractors using another provider need documentation that the offering holds at least a FedRAMP Moderate authorization (or meets the DoD CIO FedRAMP Moderate equivalency memo issued at the start of 2024, which requires a FedRAMP-recognized 3PAO assessment of the full Moderate baseline rather than a self-attestation) and that the provider has contractually accepted DFARS 7012 paragraphs (c) through (g). Collect that evidence before migration; an assessor will ask for it.
What Is Zero Trust Architecture and Does the DoD Require It?
Zero Trust Architecture (ZTA) is a security model defined by NIST SP 800-207 that shifts the foundation of cybersecurity from perimeter-based trust ("everything inside our firewall is trusted") to resource-centric, continuous verification ("no user, device, or network location is trusted by default—every access request must be verified").
The DoD published its Zero Trust Strategy in November 2022 with a target of reaching Target Level across the Department by the end of FY2027. The strategy defines two maturity levels, Target and Advanced, across seven pillars (user, device, application and workload, data, network and environment, automation and orchestration, visibility and analytics); 91 of its 152 activities make up the Target Level that DoD components must reach. In December 2025, the Pentagon published additional guidance specifically on implementing Zero Trust for Operational Technology (OT) environments.
For defense contractors specifically:
- Zero Trust is not yet explicitly mandated for DIB contractors. CMMC 2.0 (32 CFR Part 170, flowed down through DFARS 252.204-7021) assesses against NIST SP 800-171 Rev. 2. Several Rev. 2 requirements nonetheless map directly onto Zero Trust principles, particularly in the Access Control (3.1.x), Identification and Authentication (3.5.x), and System and Communications Protection (3.13.x) families.
- NIST SP 800-171 Rev. 3 (published May 2024) is derived from the SP 800-53 Rev. 5 control language that Zero Trust guidance builds on, and it introduces Organization-Defined Parameters (ODPs) that let the DoD set specific, stricter values for items such as remediation windows and review frequencies. CMMC enforces Rev. 2 today; industry consensus is that the transition to Rev. 3 will begin no earlier than 2027, with full adoption around 2028.
- Contractors building new infrastructure today should design for Zero Trust principles, not because it is mandated now, but because doing so satisfies current CMMC requirements and matches the direction of future ones. Building a Zero Trust architecture now avoids a costly rebuild later.
The core Zero Trust principles contractors should focus on are: verified identity (phishing-resistant MFA, least privilege), device trust (endpoint health attestation feeding access decisions), network micro-segmentation, continuous monitoring and analytics, and encryption of data in transit and at rest using FIPS 140-validated modules (requirement 3.13.11, which assessors check by asking for the validation certificate numbers, not just "we use AES").
What Does NIST SP 800-171 Rev. 3 Change, and When Must Contractors Comply?
NIST SP 800-171 Revision 3 was finalized in May 2024, but the current CMMC program enforces Revision 2. Understanding the relationship between the two versions matters for long-term infrastructure planning:
- Rev. 3 reduced the requirement count from 110 to 97 by consolidating, withdrawing, and reorganizing requirements, while adding three families (Planning, System and Services Acquisition, and Supply Chain Risk Management) and introducing Organization-Defined Parameters (ODPs) that let the DoD specify tailored values. DoD's ODP values, published after Rev. 3's release, set concrete numbers; for example, high-severity vulnerabilities must be remediated within 30 days, moderate within 90 days, and low within 180 days. Check the currently published DoD values before writing them into an SSP, because they are what a Rev. 3 assessment will be scored against.
- DFARS Class Deviation 2024-O0013 (May 2024) requires contractors to continue complying with Rev. 2 while the CMMC assessment guides, C3PAO procedures, and SPRS are updated for Rev. 3. The deviation was necessary because DFARS 7012 otherwise points to the version of SP 800-171 in effect when a solicitation is issued, which would have pulled Rev. 3 into contracts before CMMC was ready for it.
- Rev. 2 vs. Rev. 3 transition timeline: industry consensus places the start of the transition no earlier than 2027, with full adoption around 2028, the final year of the CMMC rollout. Do not build your compliance strategy around Rev. 3 timing; the priority is achieving Rev. 2 compliance now.
- Rev. 3 adds requirement 03.16.03, External System Services, which requires contractors to hold external providers to the applicable security requirements, to define and document each party's security roles and responsibilities, and to monitor provider compliance on an ongoing basis. This formalizes shared responsibility matrices for IT MSPs and cloud providers and matters for infrastructure planning, because an assessor will expect a matrix for every provider that touches CUI.
The practical implication: contractors who build their CMMC compliance around Rev. 2 will have a clear upgrade path to Rev. 3 when the transition occurs—especially if they've documented their environment accurately in an SSP and maintained current configuration baselines.
What Infrastructure Upgrades Are Most Commonly Required for CMMC Level 2 Compliance?
When defense contractors conduct a gap assessment against NIST SP 800-171 Rev. 2, the same infrastructure gaps appear repeatedly. Addressing these typically forms the core of a modernization roadmap:
- Identity and Access Management (IAM): NIST 800-171 requirements 3.5.1 through 3.5.11 cover identification and authentication: unique identifiers for every user and device (3.5.1, 3.5.2), MFA for privileged accounts and for all network access (3.5.3), replay-resistant authentication (3.5.4), and password complexity, reuse, and storage rules (3.5.7 through 3.5.10). Session lock and termination sit in the Access Control family (3.1.10, 3.1.11), not here. Many contractors still rely on shared accounts, weak passwords, or SMS-based MFA; SMS technically satisfies Rev. 2's 3.5.3, but it is a restricted authenticator under NIST SP 800-63B and the easiest factor to phish, so FIDO2 security keys, Windows Hello for Business, or certificate-based authentication are the better target. A modern IAM platform (Microsoft Entra ID in GCC High, for example) with Conditional Access provides the foundation for the full set of identification and authentication requirements.
- Endpoint Detection and Response (EDR): Legacy signature-only antivirus is thin coverage for the malicious code protection requirements (3.14.2 protection at designated locations, 3.14.4 updated definitions, 3.14.5 periodic and real-time scans). Modern EDR with behavioral detection, automatic updates, and real-time scanning is the current standard, and it also supplies the endpoint health signal a Zero Trust access policy needs. Every asset in CMMC scope, including servers, workstations, and laptops, must be covered, and the agent inventory should reconcile against the asset list in the SSP.
- Centralized log management and SIEM: The Audit and Accountability family requires audit records that are created and retained (3.3.1), that trace each action to an individual user (3.3.2), that are reviewed and updated for the events logged (3.3.3), that trigger an alert when logging fails (3.3.4), and whose review, analysis, and reporting are correlated (3.3.5, 3.3.6) and protected from tampering (3.3.8). Most small contractors lack centralized logging. Deploying a Security Information and Event Management (SIEM) system, or subscribing to a managed SIEM service, addresses both the collection and the review side. Logs must cover authentication events, privileged access, system changes, and security-relevant events across all in-scope systems, with synchronized clocks (3.3.7) so events can be correlated across hosts.
- Email and collaboration security: Migration from commercial Microsoft 365 or Google Workspace to GCC High (or another FedRAMP-authorized platform whose provider accepts DFARS 7012 (c) through (g)) is a significant project that many contractors underestimate in time and cost. GCC High is a separate tenant, not a license upgrade, so it requires a new tenant and domain cut-over, license procurement through an authorized GCC High reseller, re-enrollment of devices, re-registration of MFA methods, mailbox and SharePoint data migration, and updating every integration. Allow 3-6 months for planning and execution for most small-to-mid contractors.
- Network segmentation: Requirements 3.13.1 (monitor, control, and protect communications at external and key internal boundaries), 3.13.2 (architectural designs and configurations that promote security), and 3.13.5 (subnetworks for publicly accessible components) together push CUI systems to be separated from general-purpose networks, and the CMMC scoping guidance makes that separation the main lever for shrinking the assessment boundary. For contractors with flat networks this means VLAN implementation, firewall rule redesign with a default-deny policy between the CUI enclave and everything else, and potentially re-cabling. Proper segmentation also supports incident containment, limiting the blast radius of a ransomware or intrusion event.
- Vulnerability management: Requirements 3.11.2 (scan periodically and when new vulnerabilities are identified) and 3.11.3 (remediate in accordance with risk assessments) require a scanning and remediation cadence you define and then prove you follow. Under Rev. 2 the frequency and remediation windows are yours to set in policy, and assessors check that practice matches policy; under Rev. 3 the DoD ODPs fix them, with the published values noted above (scanning at least monthly or after significant changes, and remediation of high-severity CVEs within 30 days). A vulnerability management platform whose asset list reconciles to the CMMC scope documentation is a foundational infrastructure requirement.
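The Conditional Access check implied by the IAM item above, as an added example that is not part of the original article or NorthStar's own tooling: it audits an exported set of Entra ID Conditional Access policies (the JSON shape Microsoft Graph returns from GET /identity/conditionalAccess/policies) and reports whether an enforced, tenant-wide policy requires phishing-resistant MFA, which MFA policies are in report-only mode, which exclude users or groups beyond a single break-glass group, and which accept any MFA method (and therefore SMS). The three policies and the break-glass group ID are constructed; the built-in authentication strength IDs are Entra's own.

```python
"""Audit exported Entra ID Conditional Access policies for NIST SP 800-171 3.5.3
(multifactor authentication) coverage.

Added example, not the article's or NorthStar's own tooling. Input is the JSON
shape returned by Microsoft Graph's GET /identity/conditionalAccess/policies,
exported beforehand (for example with the Graph PowerShell SDK against a GCC High
tenant). Everything below is constructed sample data.
"""
from __future__ import annotations

# Built-in authentication-strength object IDs in Entra ID (same in every tenant).
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
PASSWORDLESS_MFA = "00000000-0000-0000-0000-000000000003"
ANY_MFA = "00000000-0000-0000-0000-000000000002"

# Assumption: object id of the tenant's emergency-access ("break glass") group.
BREAK_GLASS_GROUP = "11111111-2222-3333-4444-555555555555"  # constructed id

SAMPLE_POLICIES = [  # constructed export of three policies
    {
        "displayName": "CA001 - Phishing-resistant MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "includeGroups": [], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": [],
                          "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
    },
    {
        "displayName": "CA002 - Legacy MFA (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "includeGroups": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                          "authenticationStrength": None},
    },
    {
        "displayName": "CA003 - MFA for engineering group",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "excludeUsers": ["user-0001-constructed"],
                      "includeGroups": ["group-eng-constructed"], "excludeGroups": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                          "authenticationStrength": None},
    },
]


def mfa_level(policy: dict) -> str | None:
    """Strongest MFA requirement the policy's grant controls impose, or None if it is not an MFA policy."""
    grant = policy.get("grantControls") or {}
    strength = (grant.get("authenticationStrength") or {}).get("id")
    if strength == PHISHING_RESISTANT_MFA:
        return "phishing-resistant"
    if strength in (PASSWORDLESS_MFA, ANY_MFA) or "mfa" in (grant.get("builtInControls") or []):
        return "mfa"  # any registered method counts, so SMS and voice still satisfy it
    return None


def covers_all_users_and_apps(policy: dict) -> bool:
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    return "All" in users.get("includeUsers", []) and "All" in apps.get("includeApplications", [])


def audit(policies: list[dict], break_glass_group: str) -> dict:
    """Return findings plus whether an enforced, tenant-wide phishing-resistant MFA policy exists."""
    findings: list[str] = []
    tenant_wide_pr = False
    for p in policies:
        name, level = p["displayName"], mfa_level(p)
        if level is None:
            continue  # not an MFA policy; outside this check
        if p["state"] != "enabled":
            findings.append(f"{name}: MFA policy is '{p['state']}', so it enforces nothing")
            continue
        users = p["conditions"]["users"]
        stray_users = users.get("excludeUsers", [])
        stray_groups = [g for g in users.get("excludeGroups", []) if g != break_glass_group]
        if stray_users or stray_groups:
            findings.append(f"{name}: excludes {len(stray_users)} user(s) and {len(stray_groups)} "
                            "group(s) beyond the break-glass group; document each in the SSP or remove")
        if level == "mfa":
            findings.append(f"{name}: requires 'mfa' (any method); SMS/voice satisfy it unless the "
                            "authentication methods policy disables them")
        if level == "phishing-resistant" and covers_all_users_and_apps(p):
            tenant_wide_pr = True
    if not tenant_wide_pr:
        findings.append("No enabled policy requires phishing-resistant MFA for all users and all apps")
    return {"tenant_wide_phishing_resistant": tenant_wide_pr, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_POLICIES, BREAK_GLASS_GROUP)
    print("tenant-wide phishing-resistant MFA:", result["tenant_wide_phishing_resistant"])
    for finding in result["findings"]:
        print(" -", finding)
```

On the sample, CA001 gives the tenant-wide phishing-resistant result, CA002 is reported as unenforced, and CA003 draws two findings (a stray user exclusion and the any-method grant). The point of the exclusion check is that assessors read exclusions as scope gaps: a single documented break-glass group is defensible, individual user exclusions that accumulate over time are not.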
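The review logic behind the logging item above, as an added example that is not the article's or NorthStar's detection content: it parses a constructed key=value export of Windows Security events from in-scope hosts and applies the checks an audit-record review has to answer (failed-logon bursts and whether a success followed, privileged logons by accounts outside the approved administrator list, changes to the local Administrators group, a cleared Security log, new accounts, and records that cannot be traced to a user). The log lines, the approved-administrator set, and the lockout-style thresholds are assumptions a real program would take from its SSP and policy.

```python
"""Audit-record review over exported Windows Security events (NIST SP 800-171
3.3.1 through 3.3.5, plus 3.1.8 on unsuccessful logon attempts).

Added example, not the article's or NorthStar's detection content. The log lines
are constructed in a simple key=value export format; the approved-administrator
set and the thresholds are assumptions a real program takes from its SSP.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

APPROVED_ADMINS = {"adm-ksmith", "adm-breakglass"}  # assumed: the SSP's privileged-user list
FAILED_LOGON_THRESHOLD = 5                          # assumed 3.1.8 policy: 5 failures ...
FAILED_LOGON_WINDOW = timedelta(minutes=10)         # ... within 10 minutes

# Constructed export: ISO timestamp, then key=value fields lifted from each event.
SAMPLE_LOG = """\
2026-03-17T08:30:00Z host=ENG-WS17 EventID=4625 TargetUserName=jdoe IpAddress=10.20.5.17
2026-03-18T02:14:05Z host=CUI-DC01 EventID=4625 TargetUserName=jdoe IpAddress=10.20.5.17
2026-03-18T02:14:09Z host=CUI-DC01 EventID=4625 TargetUserName=jdoe IpAddress=10.20.5.17
2026-03-18T02:14:12Z host=CUI-DC01 EventID=4625 TargetUserName=jdoe IpAddress=10.20.5.17
2026-03-18T02:14:20Z host=CUI-DC01 EventID=4625 TargetUserName=jdoe IpAddress=10.20.5.17
2026-03-18T02:14:31Z host=CUI-DC01 EventID=4625 TargetUserName=jdoe IpAddress=10.20.5.17
2026-03-18T02:15:02Z host=CUI-DC01 EventID=4624 TargetUserName=jdoe IpAddress=10.20.5.17
2026-03-18T09:00:11Z host=CUI-FS01 EventID=4672 SubjectUserName=adm-ksmith IpAddress=10.20.9.4
2026-03-18T11:42:50Z host=CUI-FS01 EventID=4672 SubjectUserName=svc-backup IpAddress=10.20.9.40
2026-03-18T11:43:03Z host=CUI-FS01 EventID=4732 SubjectUserName=svc-backup MemberName=eng-temp TargetUserName=Administrators
2026-03-18T13:05:44Z host=CUI-FS01 EventID=1102 SubjectUserName=svc-backup
2026-03-18T15:00:00Z host=CUI-DC01 EventID=4720 SubjectUserName=adm-ksmith TargetUserName=newhire01
2026-03-18T16:00:00Z host=CUI-FS01 EventID=4672 IpAddress=10.20.9.41
"""


def parse_log(text: str) -> list[dict]:
    """Parse lines into dicts with a datetime 'time' and int 'EventID', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev: dict = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for kv in pairs:
            key, _, value = kv.partition("=")
            ev[key] = value
        ev["EventID"] = int(ev["EventID"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def actor(ev: dict) -> str | None:
    """The user a record is attributable to (3.3.2); None means the record is untraceable."""
    return ev.get("SubjectUserName") or ev.get("TargetUserName")


def failed_logon_bursts(events: list[dict]) -> list[dict]:
    """Sliding-window count of 4625 per (host, account), noting whether a 4624 followed."""
    failures: dict[tuple, list[datetime]] = defaultdict(list)
    successes = [(e["host"], e["TargetUserName"], e["time"]) for e in events if e["EventID"] == 4624]
    for e in events:
        if e["EventID"] == 4625:
            failures[(e["host"], e["TargetUserName"])].append(e["time"])
    findings = []
    for (host, acct), times in failures.items():
        window: list[datetime] = []
        for t in times:  # already time-ordered because parse_log sorted the events
            window = [w for w in window if t - w <= FAILED_LOGON_WINDOW]
            window.append(t)
            if len(window) >= FAILED_LOGON_THRESHOLD:
                followed = any(h == host and a == acct and t <= st <= t + FAILED_LOGON_WINDOW
                               for h, a, st in successes)
                findings.append({"severity": "high", "type": "failed_logon_burst", "host": host,
                                 "account": acct, "count": len(window), "start": window[0],
                                 "end": t, "followed_by_success": followed})
                window = []  # report each burst once
    return findings


def review(text: str) -> list[dict]:
    """Run every check; the returned list is what the analyst signs as the review record."""
    events = parse_log(text)
    findings = failed_logon_bursts(events)
    for ev in events:
        eid, host, who = ev["EventID"], ev["host"], actor(ev)
        if who is None:
            findings.append({"severity": "high", "type": "untraceable_record", "host": host,
                             "account": None, "event_id": eid})
        elif eid == 4672 and who not in APPROVED_ADMINS:
            findings.append({"severity": "high", "type": "unapproved_privileged_logon",
                             "host": host, "account": who})
        elif eid == 4732:
            findings.append({"severity": "high", "type": "admin_group_change", "host": host,
                             "account": who, "member": ev.get("MemberName"),
                             "group": ev.get("TargetUserName")})
        elif eid == 1102:
            findings.append({"severity": "critical", "type": "audit_log_cleared",
                             "host": host, "account": who})
        elif eid == 4720:
            findings.append({"severity": "info", "type": "account_created", "host": host,
                             "account": who, "target": ev.get("TargetUserName")})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f['severity']:>8}] {f['type']:<28} host={f['host']} account={f['account']}")
```

The sample produces six findings, and the sequence on CUI-FS01 (a service account taking a privileged logon, adding a user to Administrators, then clearing the Security log) is the kind of chain that only shows up when logs from every in-scope host land in one place; the 1102 event in particular is why 3.3.8 wants the records shipped off the host before anyone can clear them.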
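The remediation-window tracking described in the vulnerability management item above and in the ODP discussion earlier in the article, as an added example that is not the article's or NorthStar's tooling: it reads a constructed scanner export, applies per-severity remediation windows (the 30/90/180-day figures the article cites for DoD's ODPs, treated here as assumed parameters to verify against the published list), lists overdue findings with days overdue, reports unrated findings that have no clock, flags assets not scanned within the monthly interval, and summarizes counts in the form a POA&M review expects.

```python
"""Track vulnerability remediation against fixed time windows (NIST SP 800-171
3.11.2 / 3.11.3; Rev. 3 03.11.02 with DoD ODP values).

Added example, not the article's or NorthStar's own tooling. The scanner export,
the last-scan dates and the as-of date are constructed. The 30/90/180-day windows
are the values the article cites for DoD's ODPs and are treated as assumed
parameters: verify them against the published DoD ODP list before putting them
in an SSP or POA&M.
"""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

# Remediation window in days by normalized severity (assumed values, see above).
REMEDIATION_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}
SCAN_INTERVAL_DAYS = 30    # assumed policy: every in-scope asset scanned at least monthly
AS_OF = date(2026, 3, 19)  # constructed review date

# Constructed scanner export. Real exports (Nessus, Qualys, Defender) carry many
# more columns; only these five are needed for the tracking logic.
SAMPLE_EXPORT = """\
asset,cve,severity,first_seen,status
cui-fs01,CVE-2024-0001,High,2026-01-10,open
cui-fs01,CVE-2024-0002,Medium,2025-12-01,open
eng-ws17,CVE-2024-0003,Low,2025-08-01,open
eng-ws17,CVE-2024-0004,Critical,2026-03-01,open
cui-app02,CVE-2024-0005,High,2026-02-01,fixed
cui-app02,CVE-2024-0006,Informational,2026-01-01,open
"""

# Constructed: date of the last completed scan per in-scope asset.
SAMPLE_LAST_SCAN = {
    "cui-fs01": date(2026, 3, 15),
    "eng-ws17": date(2026, 2, 10),
    "cui-app02": date(2026, 3, 18),
}


def parse_export(text: str) -> list[dict]:
    """Normalize severity and status to lowercase and parse ISO dates."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "asset": r["asset"].strip(),
            "cve": r["cve"].strip(),
            "severity": r["severity"].strip().lower(),
            "first_seen": date.fromisoformat(r["first_seen"].strip()),
            "status": r["status"].strip().lower(),
        })
    return rows


def due_date(finding: dict) -> date | None:
    """Remediation deadline, or None when the severity has no window (informational/unrated)."""
    days = REMEDIATION_DAYS.get(finding["severity"])
    return None if days is None else finding["first_seen"] + timedelta(days=days)


def overdue_findings(rows: list[dict], as_of: date) -> list[dict]:
    """Open findings whose window has elapsed, most overdue first."""
    out = []
    for f in rows:
        if f["status"] != "open":
            continue
        due = due_date(f)
        if due is not None and as_of > due:
            out.append({**f, "due": due, "days_overdue": (as_of - due).days})
    return sorted(out, key=lambda f: f["days_overdue"], reverse=True)


def unrated_findings(rows: list[dict]) -> list[dict]:
    """Open findings whose severity is outside the policy table. They have no clock and
    need a manual risk rating (3.11.3), so they are reported rather than silently skipped."""
    return [f for f in rows if f["status"] == "open" and f["severity"] not in REMEDIATION_DAYS]


def stale_assets(last_scan: dict[str, date], as_of: date) -> list[str]:
    """Assets whose most recent scan is older than the scan interval (a 3.11.2 cadence gap)."""
    return sorted(a for a, d in last_scan.items() if (as_of - d).days > SCAN_INTERVAL_DAYS)


def poam_summary(rows: list[dict], as_of: date) -> dict:
    """Counts in the form an assessor or POA&M review expects."""
    overdue = overdue_findings(rows, as_of)
    by_sev: dict[str, int] = {}
    for f in overdue:
        by_sev[f["severity"]] = by_sev.get(f["severity"], 0) + 1
    return {
        "as_of": as_of.isoformat(),
        "open": sum(1 for f in rows if f["status"] == "open"),
        "overdue": len(overdue),
        "overdue_by_severity": by_sev,
        "unrated": len(unrated_findings(rows)),
    }


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for f in overdue_findings(rows, AS_OF):
        print(f"OVERDUE {f['days_overdue']:>3}d  {f['asset']:<10} {f['cve']}  ({f['severity']}, due {f['due']})")
    for f in unrated_findings(rows):
        print(f"UNRATED      {f['asset']:<10} {f['cve']}  severity '{f['severity']}' has no window")
    print("stale assets:", stale_assets(SAMPLE_LAST_SCAN, AS_OF))
    print("summary:", poam_summary(rows, AS_OF))
```

Two design points worth carrying into a real implementation: the clock starts at first detection, not at the date someone opened a ticket, because that is how an assessor will read the scan history; and findings with no mapped severity are surfaced rather than dropped, since an unrated finding that quietly ages past 180 days is the kind of thing a C3PAO sampling the scan export will find first.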
How Should Defense Contractors Sequence a Modernization Roadmap?
Given budget constraints typical of small and mid-size defense contractors, sequencing modernization investments correctly is as important as selecting the right technologies:
- Foundation first – Identity and Access Management: MFA (3.5.3) and unique identification and authentication (3.5.1, 3.5.2) are 5-point requirements in the DoD assessment methodology, least privilege (3.1.5) is a 3-point requirement, and under the CMMC rule only 1-point requirements can be placed on a POA&M (which must then be closed within 180 days), so none of these can be deferred. Start here. Deploy MFA for all users, eliminate shared accounts, and implement privileged access controls. This investment also provides immediate security value against the most common attack vectors.
- Protect the CUI boundary – Email and cloud platform migration: If you're storing or transmitting CUI through commercial Microsoft 365 or Google Workspace, migrate to GCC High or another compliant platform. This is a critical compliance gap—contracting officers and C3PAO assessors will identify it immediately.
- Visibility – Logging and SIEM: You cannot demonstrate CMMC compliance—or detect incidents—without comprehensive logging. Implement centralized log management and ensure coverage across all in-scope systems. For many small contractors, a managed SIEM service is more cost-effective than building in-house capability.
- Detection – EDR and vulnerability management: Deploy modern EDR across all in-scope endpoints and establish a vulnerability scanning and remediation cadence. Integrate your vulnerability management data with your SSP and POA&M documentation.
- Architecture – Network segmentation: Once the above controls are in place, invest in network segmentation to isolate your CUI environment. This may be the most disruptive modernization project; plan it carefully, test it thoroughly, and document the resulting architecture (data flow diagram, VLAN assignments, and the intent behind each firewall rule between the enclave and the rest of the network) in your SSP.
- Documentation – SSP and policy framework: Throughout the modernization process, continuously update your System Security Plan to reflect what you've implemented. The SSP is not a one-time deliverable—it's a living document that must match your actual environment at the time of assessment.
See also our article on Risk Assessments for CMMC Compliance for guidance on how to prioritize gaps based on SPRS scoring impact and POA&M eligibility.
What Are the Key Decisions When Choosing an IT Partner for CMMC Modernization?
For most small and mid-size defense contractors, CMMC modernization is not a DIY project. The complexity of the technical requirements, the specificity of the compliance framework, and the time pressure of contract deadlines make an experienced IT partner essential. When evaluating IT managed service providers or CMMC consultants for modernization support, look for:
- CMMC ecosystem credentials: The partner should employ CMMC Registered Practitioners (RPs) or Certified CMMC Professionals (CCPs), or hold organizational credentials as a Registered Provider Organization (RPO) through the Cyber AB. These credentials indicate formal training in the CMMC framework; they are not a guarantee of implementation skill, so pair them with the experience checks below.
- Defense sector experience: Modernizing for a defense contractor is different from a general IT project. The partner should understand DFARS clauses, ITAR implications, GCC High licensing and migration, and the specific documentation requirements (SSP, POA&M) that CMMC assessors evaluate.
- Managed Security Service Provider (MSSP) capability: CMMC compliance is not a one-time certification—it requires ongoing monitoring, log review, vulnerability management, and incident response readiness. A partner who can deliver both the modernization project and ongoing managed security services provides continuity and reduces vendor management overhead.
- Documented assessment experience: Has the partner supported contractors through C3PAO assessments? Do they understand what evidence C3PAO assessors require for each control domain? Assessment preparation experience is distinct from general security consulting.
NIST SP 800-171 Rev. 3 control 03.16.03 formalizes the requirement to document and monitor your MSP's shared security responsibilities. This means your IT partner relationship—including their access to CUI systems and their own security posture—needs to be reflected in your SSP and managed as part of your compliance program.
What Should Defense Contractors Do Next?
IT modernization for defense contractors isn't about chasing the latest technology—it's about building an infrastructure that satisfies CMMC requirements, protects CUI, and positions your company to win and maintain DoD contracts through the full 2025-2028 enforcement rollout. Contractors who start now have a significant advantage over those who wait until a contracting officer asks for their SPRS score before a contract award.
NorthStar Technology Group is an Inc. 5000 managed IT and security provider with deep expertise in defense contractor compliance. We help DIB companies scope their CUI environments, migrate to GCC High, implement the technical controls required for CMMC Level 2 certification, and maintain ongoing compliance with 24/7 managed security services. If you're ready to modernize your infrastructure with compliance built in from the ground up, contact our team at northstartechnologygroup.com/services/dod-cmmc.
About the author

Ken Satkunam, CISM
President & Founder, NorthStar Technology Group
Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.