Guidance on NIST 800-171 Compliant Development Environment for Federal/DoD Apps in AWS GovCloud

old.reddit.com / @/u/Cattle-Defiant, https://old.reddit.com/user/Cattle-Defiant

Hey /NISTControls community. I'm diving into the complexities of setting up a NIST 800-171 compliant dev environment in our AWS GovCloud infrastructure. Need your expertise on do's and don'ts! Here's the situation:

Dev environment: My company's managed AWS GovCloud account with GitHub, JFrog, SonarQube, Jira, Confluence (SaaS versions). US-citizen developers, but admin support is in India.

We have contracted a "Production" environment managed by a 3rd-party FedRAMP High certified hosting vendor.

Use Case Summary: Developing apps for Federal/DoD clients based on CUI data. Currently we are having to generate and approve synthetic data (non-CUI) to develop on, but this is not a sustainable path.

Challenge: Dev environment is currently treated as outside the boundary, restricting access to CUI data. Looking for insights to navigate this (or considerations/alternatives to enable compliance).

submitted by /u/Cattle-Defiant

published 6 months ago



