Compliance as Code FAQ: Shift-Left Compliance for IaC Teams

Everything you need to know about catching compliance issues in PRs, not production. 20 frameworks. 5,825 controls. SOC 2, HIPAA, PCI-DSS, NIST, CMMC, FedRAMP, and more.

Shift-Left Compliance Frameworks CMMC Assessment Process NIST 800-171 IaC as Evidence How Infraproof Helps Getting Started

Shift-Left Compliance

Why catching issues in PRs beats finding them in production

Shift-left compliance means catching compliance issues early in the development lifecycle - at the PR (Pull Request) stage - rather than after code is deployed to production.

Traditional compliance tools (like Drata and Vanta) scan your production environment and find issues after deployment. By then, you've already:

  • Exposed production systems to non-compliant configurations
  • Created emergency remediation work
  • Generated audit findings that require explanation
Shift-left approach: Scan IaC (Infrastructure as Code) in PRs → Block non-compliant merges → Deploy only compliant infrastructure → Zero production exposure

The fundamental difference is when we catch issues:

Aspect Infraproof (Shift-Left) Drata/Vanta (Runtime)
When issues found In PR, before merge After deployment
Production exposure Zero - blocked before deploy Hours to days of exposure
Evidence format Code (machine-verifiable) Screenshots, API snapshots
Integration point CI/CD pipeline Cloud provider APIs

Use both for defense in depth: Infraproof catches issues before production. Runtime scanners verify current state. Together, they provide complete coverage.

Compliance as Code treats compliance requirements like software - defined in code, version-controlled, and automatically enforced.

Instead of spreadsheets tracking who completed what checkbox, your compliance posture is:

  • Defined in IaC: Terraform, CloudFormation, CDK configurations
  • Enforced automatically: CI/CD blocks non-compliant merges
  • Version-controlled: Git history shows every change
  • Auditable: Code is evidence - assessors can verify

Learn more about our Compliance as Code approach

Supported Frameworks

20 compliance frameworks with 5,825 controls

Infraproof supports 20 compliance frameworks with 5,825 total controls:

Framework Controls Use Case
SOC 261SaaS companies, startups
HIPAA46Healthcare, health tech
PCI-DSS 4.0280Payment processing, retail
NIST 800-531,007Federal systems, FedRAMP
NIST 800-171110CUI handling, CMMC
CMMC 2.0109Defense contractors
FedRAMP421Government cloud
ISO 27001114International, enterprise
CIS 8.0153Security benchmarks
AWS WAF334AWS best practices

View all 20 frameworks

Yes. Many controls overlap across frameworks. For example, encryption at rest (SC-28 in NIST) maps to similar requirements in SOC 2, HIPAA, and PCI-DSS.

Infraproof identifies these overlaps so a single Terraform configuration can satisfy multiple frameworks simultaneously. This reduces compliance burden while maintaining coverage.

CMMC Basics

Understanding the Cybersecurity Maturity Model Certification

CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's cybersecurity compliance framework. It requires defense contractors to prove they meet specific security standards before winning or keeping DoD contracts.

Think of it as a security certification for doing business with the military. Just like you need a driver's license to drive, you need CMMC certification to handle DoD data.

Key Point: CMMC is mandatory. Starting in 2025, contractors without certification will be ineligible for many DoD contracts.

CMMC 2.0 has three levels, each with increasing security requirements:

Level Controls Assessment Who Needs It
Level 1 17 practices Self-assessment Contractors handling FCI (Federal Contract Information) only
Level 2 110 controls (NIST 800-171) Third-party (C3PAO) Contractors handling CUI (Controlled Unclassified Information)
Level 3 110+ controls Government-led Critical programs, highest sensitivity data

Most contractors need Level 2, which requires passing a third-party assessment against all 110 NIST 800-171 controls.

You need CMMC certification if you:

  • Are a prime contractor or subcontractor to the Department of Defense
  • Handle Controlled Unclassified Information (CUI) in your work
  • Want to bid on DoD contracts that require CMMC
  • Are part of the Defense Industrial Base (DIB) supply chain

This includes approximately 80,000+ companies ranging from small machine shops to major aerospace manufacturers.

Important: Even if you're a small subcontractor, if CUI flows through your systems, you need certification. There's no exemption based on company size.

CUI is sensitive information that requires protection but isn't classified. Examples include:

  • Technical drawings and specifications
  • Export-controlled data (ITAR, EAR)
  • Personally identifiable information (PII)
  • Proprietary business information
  • Contract performance data
  • Critical infrastructure information

If your DoD contract includes a DFARS 252.204-7012 clause, you're handling CUI and need CMMC Level 2.

CMMC is being phased in from 2025 through 2028:

  • 2025: CMMC requirements start appearing in select contracts
  • 2026: Broader rollout across DoD contracts
  • 2027-2028: Full implementation, most contracts require CMMC

However, don't wait. Assessment backlogs are already forming, and getting certified takes 6-12 months from start to finish. Companies starting now will have a competitive advantage.

The Assessment Process

What to expect when getting CMMC certified

C3PAO stands for CMMC Third Party Assessment Organization. These are companies authorized by the Cyber AB (the CMMC accreditation body) to conduct official CMMC assessments.

Think of C3PAOs like certified auditors. You can't self-certify for Level 2; you must hire an authorized C3PAO to assess your security controls and issue your certification.

As of late 2024, there are approximately 50+ authorized C3PAOs, with more being certified.

CMMC Level 2 assessment costs typically range from $30,000 to $100,000+ depending on:

  • Company size: More employees and systems = more to assess
  • Scope complexity: Number of locations, cloud environments, networks
  • Assessment duration: Typically 3-5 days on-site
  • C3PAO rates: Vary by assessor and demand
The Real Cost: A failed assessment means paying again. If you fail your first assessment, expect to pay the full cost again after remediation. That's why pre-assessment verification is critical.

A typical CMMC Level 2 assessment follows this process:

  1. Pre-assessment (1-2 weeks before): Submit your SSP, policies, and evidence package. The C3PAO reviews documentation.
  2. On-site assessment (3-5 days): Assessors interview staff, review systems, examine evidence for each of the 110 controls.
  3. Evidence gathering: For each control, you must provide proof of implementation. This includes policies, configurations, logs, screenshots, and attestations.
  4. Findings review: Assessors identify any gaps or deficiencies.
  5. Final report: You receive a PASS, CONDITIONAL PASS (with POA&M), or FAIL.

The entire process from scheduling to certification typically takes 2-4 months.

The System Security Plan (SSP) is the master document describing how your organization implements each NIST 800-171 control. It's the primary evidence package assessors review.

A typical SSP includes:

  • System boundaries: What systems, networks, and data are in scope
  • Control implementations: How you satisfy each of the 110 controls
  • Responsible parties: Who owns each control
  • Evidence references: Links to supporting documentation

SSPs are typically 100-300+ pages and take months to create properly.

POA&M (Plan of Action and Milestones) documents known security gaps and your plan to fix them.

If you have minor deficiencies during assessment, you may receive a Conditional Certification with a POA&M listing what must be fixed within a specified timeframe (typically 180 days).

However, you cannot POA&M your way to certification. Critical controls must be fully implemented before assessment.

CMMC certification is valid for 3 years.

During this period, you must:

  • Maintain all implemented controls
  • Submit annual affirmations that controls remain in place
  • Address any new vulnerabilities or threats
  • Keep documentation updated

At the end of 3 years, you must undergo a full reassessment to maintain certification.

NIST 800-171 Controls

Understanding the 110 security controls

NIST SP 800-171 is a publication from the National Institute of Standards and Technology that specifies security requirements for protecting CUI in non-federal systems.

CMMC Level 2 is essentially NIST 800-171 with mandatory third-party verification. The 110 controls in CMMC Level 2 come directly from NIST 800-171.

If you've been complying with DFARS 7012 requirements, you've already been working toward NIST 800-171. CMMC just adds the verification requirement.

NIST 800-171 organizes its 110 controls into 14 families:

Family ID Controls Focus Area
Access ControlAC22Who can access what
Awareness & TrainingAT3Security training
Audit & AccountabilityAU9Logging & monitoring
Configuration ManagementCM9System hardening
Identification & AuthenticationIA11User verification
Incident ResponseIR3Breach handling
MaintenanceMA6System upkeep
Media ProtectionMP9Data storage
Personnel SecurityPS2Employee screening
Physical ProtectionPE6Facility security
Risk AssessmentRA3Threat analysis
Security AssessmentCA4Testing controls
System & CommunicationsSC16Network security
System & Information IntegritySI7Malware & patching

Approximately 40-50% of NIST 800-171 controls can be directly evidenced through infrastructure-as-code configurations. Key examples:

  • SC-28 (Encryption at Rest): S3 bucket encryption, RDS encryption, EBS encryption settings in Terraform
  • SC-8 (Encryption in Transit): TLS configurations, HTTPS-only settings, SSL policies
  • AC-6 (Least Privilege): IAM policies, RBAC configurations, service account permissions
  • AU-2 (Audit Events): CloudTrail configurations, logging settings, audit policies
  • SC-7 (Boundary Protection): VPC configurations, security groups, network ACLs
  • CM-6 (Configuration Settings): Baseline configurations, hardening settings

The remaining controls require policies, procedures, or manual evidence (training records, physical security, personnel screening).

Why Companies Fail CMMC Assessments

Common pitfalls and how to avoid them

Based on NIST 800-171 self-assessments (the predecessor to CMMC), only 10-15% of companies that believed they were compliant actually passed rigorous review.

The most common reasons for this gap:

  • Overconfidence in existing controls
  • Documentation that doesn't match implementation
  • Incomplete evidence for controls
  • Scope creep (systems not included in SSP)
The 85% Failure Problem: Most companies fail because their documentation says one thing, but their infrastructure does another. Assessors verify both.

The most common CMMC assessment failures:

  1. Documentation/Implementation Mismatch (35%): SSP says encryption is enabled, but S3 buckets aren't actually encrypted. Policies claim MFA, but it's not enforced.
  2. Incomplete Evidence (25%): Control is implemented but you can't prove it. No logs, no screenshots, no configuration exports.
  3. Scope Definition Issues (20%): Systems handling CUI weren't included in assessment scope. Shadow IT discovered during assessment.
  4. Missing Controls (15%): Controls never implemented, or implemented incorrectly.
  5. Personnel/Process Gaps (5%): Technical controls in place, but staff can't demonstrate procedures. Training not completed.

If you fail a CMMC assessment:

  • No certification issued: You cannot claim CMMC compliance
  • Remediation period: Typically 90-180 days to fix issues
  • Reassessment required: Pay for another full assessment
  • Contract impact: May lose ability to bid on CMMC-required contracts
  • Total cost: $60K-200K+ (double assessment fees plus remediation)

This is why pre-assessment verification is critical. Finding gaps before the official assessment saves significant time and money.

Infrastructure-as-Code as Evidence

Why IaC is the strongest form of compliance evidence

Not all evidence is equal. Assessors weight evidence by verifiability:

Evidence Type Weight Why
IaC Configurations Highest Machine-readable, version-controlled, auditable
Cloud API State High Reflects current reality
Automated Test Results High Repeatable verification
Exported Logs Medium Point-in-time, can be selective
Screenshots Low Easily fabricated, no context
Self-Attestation Lowest Unverified claim

IaC configurations are the gold standard because they're machine-verifiable, version-controlled, and represent your actual implementation.

Infraproof parses all major infrastructure-as-code formats:

  • Terraform: .tf, .tfvars files
  • AWS CDK: TypeScript, Python synthesized templates
  • CloudFormation: YAML and JSON templates
  • Azure ARM/Bicep: ARM templates and Bicep files
  • GCP Deployment Manager: YAML configurations
  • Pulumi: Multi-language infrastructure definitions

We extract security-relevant configurations from each resource and map them to specific NIST 800-171 controls.

Here's an example of how Terraform configuration maps to NIST controls:

Your Terraform:

resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.example.arn
    }
  }
}

Mapped to Controls:

  • SC-28: Protection of Information at Rest ✓
  • SC-28(1): Cryptographic Protection ✓
  • MP-4: Media Storage ✓

The evidence report includes the exact configuration, resource ARN, and encryption algorithm used.

How Infraproof Helps

What we do and how it helps you pass

Infraproof is a shift-left compliance platform that catches issues in PRs, not production:

  1. Parses your IaC: Upload Terraform, CDK, CloudFormation, etc. We extract all security-relevant configurations.
  2. Maps to 20 frameworks: Each resource is mapped to SOC 2, HIPAA, PCI-DSS, NIST, CMMC, FedRAMP, and more. 5,825 total controls.
  3. Generates evidence: Create audit-ready evidence reports with code snippets, resource ARNs, and configuration details.
  4. Blocks non-compliant merges: CI/CD integration prevents compliance issues from reaching production.
  5. Identifies gaps: See which controls have strong evidence, weak evidence, or no evidence at all.

The result: Zero production exposure. Every commit is compliant.

No. Infraproof is a pre-assessment tool, not a certification body.

You still need an authorized C3PAO to conduct your official CMMC assessment and issue certification. Infraproof helps you:

  • Prepare stronger evidence before the assessment
  • Identify gaps before the assessor does
  • Generate documentation that matches your implementation
  • Increase your probability of passing on the first try

Think of us as your pre-flight checklist before the FAA inspector arrives.

Traditional GRC (Governance, Risk, Compliance) platforms focus on documentation management. They help you organize policies, track tasks, and store evidence.

Infraproof focuses on evidence verification:

GRC Platforms Infraproof
Store your claims about compliance Verify your infrastructure actually implements claims
Manual evidence upload Automatic evidence extraction from IaC
Trust documentation Trust code (machine-verifiable)
Point-in-time snapshots Version-controlled, auditable history

We complement GRC platforms by providing higher-quality evidence that matches your actual infrastructure.

Getting Started

How to begin your CMMC journey with Infraproof

  1. Upload a sample IaC file: Start with a single Terraform or CloudFormation file to see the mapping in action.
  2. Review the evidence report: See which controls your IaC satisfies and which have gaps.
  3. Connect your repository: Link GitHub, GitLab, or Bitbucket for comprehensive scanning.
  4. Upload your SSP: We'll cross-reference your documentation against your infrastructure.
  5. Generate your evidence package: Get audit-ready reports for your C3PAO.

Request a free evidence report to see how it works with your actual infrastructure.

Yes. We handle CUI-adjacent data and take security seriously:

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access control: Role-based access, MFA enforced
  • Data residency: US-only infrastructure (AWS us-east-1)
  • Audit logging: Full audit trail of all access
  • No data retention: Delete your data anytime

We're also pursuing our own CMMC certification because we believe in eating our own cooking.

Infraproof pricing is designed to be a fraction of assessment costs:

  • Starter: $499/scan - Single repository, NIST 800-171 mapping, PDF evidence report
  • Professional: $1,999/month - Unlimited scans, multi-cloud, Git integration, SSP cross-reference
  • Enterprise: Custom pricing - Multi-tenant, API access, CI/CD integration, dedicated support

Compare this to $30-100K for an assessment and $60-200K for a failed assessment + remediation + reassessment.

See full pricing details

Yes. Request a free evidence report and we'll analyze a sample of your IaC.

You'll see:

  • Which controls your infrastructure satisfies
  • Gaps where evidence is missing or weak
  • Sample evidence report format

No credit card required. No commitment.

Ready to See Your Compliance Gaps?

Upload a sample Terraform file and get a real evidence report showing which NIST controls you satisfy.

Get Free Evidence Report View Pricing