Skip Navigation

Case Studies:Simplifying the Migration from Azure Commercial to Azure Government for CMMC Level 2 Compliance

The Challenge

The core challenge was to extend a solution initially deployed in Azure Commercial to Azure Government, ensuring scalability and compliance with Cybersecurity Maturity Model Certification (CMMC) standards at Levels 1 and 2. The main goal was to achieve compliance in two distinct scenarios: Azure Commercial for CMMC Level 1 and Azure Government for CMMC Level 2, meeting stringent government data handling and CMMC regulations.

The Solution

AIS supported the customer in migrating the application to Azure Gov, enabling dual deployment for Azure Commercial (CMMC Level 1) and Azure Gov (CMMC Level 2). This included creating a clear path to achieving full CMMC Level 2 compliance in Azure Gov. The team also enhanced the application's CI/CD codebase as part of this project.

The Results

The customer now has a comprehensive security roadmap, clarifying CMMC compliance in different scenarios and aligning with business needs. AIS successfully migrated the application to Azure Gov with dual deployment and created a roadmap for the customer to achieve full CMMC Level 2 compliance in Azure Gov. With the application's enhanced CI/CD codebase, the customer has fostered a stronger and more continuous DevSecOps development process.

Initially, the application was crafted to adhere to CMMC Level 1 standards within the commercial Azure framework. As customer requirements evolved, there arose a need for a parallel deployment on Azure Gov, aligning with the stringent government mandates for handling Controlled Unclassified Information (CUI) and Controlled Technical Information (CTI) at CMMC Level 2.

CMMC Model 2.0

The pivotal challenge was to ensure a swift and seamless migration while maintaining consistency across both Azure platforms. Our strategy was geared towards two primary objectives: fulfilling the product owner’s and business requirements in each environment, and managing two distinct versions of the application, each customized to meet the unique security and data requirements of its respective environment.

  1. Assessment and Planning: We began by crafting a comprehensive migration plan tailored to meet Azure Gov’s services and CMMC Level 2 requirements.
  2. Environment Setup in Azure Gov:
    • Our initial step was to establish a secure and compliant environment within Azure Gov.
    • The application was then adapted and deployed in this new setting to ensure it functioned optimally.
    • A key focus was on ensuring smooth operations across both the commercial and government cloud platforms.
    • Documentation at every stage was crucial to maintain consistency across the environments.
    • Comprehensive testing and the adoption of consistent naming conventions were implemented to ensure clarity and precision.
  3. CMMC Compliance:
    • Our team worked to document services and their compliance mappings for both CMMC Levels, achieving compliance and parity in both the commercial and government environments.
    • A self-assessment was conducted to identify technical security control gaps, leading to the creation of a roadmap consisting of Plans of Actions and Milestones (POA&Ms) for meeting the remaining requirements of CMMC Level 2 and NIST 800-171.
    • This approach effectively empowered the product owner to oversee a cohesive technical solution, enhancing security measures for governmental requisites and facilitating a streamlined progression towards CMMC Level 2 compliance in Azure Gov.


The successful migration to a government cloud environment is a testament to our balanced approach in upgrading security and ensuring compliance with CMMC Levels 1 and 2. We maintained operational consistency across both commercial and government platforms, implementing additional security measures tailored to stricter government requirements. Central to our approach was the clarification of security and compliance requirements across diverse government contexts, empowering the business to progress rapidly and with confidence, secure in the knowledge that they were fully compliant with all regulatory requirements.

Learn More

For those interested in discovering how AIS can support CMMC-ready environments that align with your business goals in both private and public sectors, please feel free to contact us to learn more about our security and AI services.

For Microsoft customers utilizing more than 500 licenses on Azure or M365, eligibility for complimentary cybersecurity services through a Microsoft Security Partner may be available. As a certified Security Partner with Microsoft, AIS stands ready to provide these security services to qualifying organizations. These engagements are designed to assist security teams in assessing challenges, including risk assessment within Microsoft cloud environments and the implementation of advanced security controls and services.Fill out this brief funding formto start the process and see if you qualify.

Seeking similar outcomes?

Learn how AIS can help you implement technology solutions that deliver real business results.

Contact Us to Get Started