Cloud Migration Assessment Checklist for US Enterprises

A cloud migration assessment establishes whether an enterprise's workloads, infrastructure, data, and compliance obligations are ready to move to cloud environments — and identifies what must change before migration begins. This page covers the definition of a migration assessment, the structured phases that compose it, the scenarios where different assessment approaches apply, and the decision criteria that determine migration readiness. For US enterprises operating under federal and industry-specific regulations, the assessment stage is not optional overhead; it is the mechanism that prevents costly failures, compliance violations, and architectural debt.

Definition and scope

A cloud migration assessment is a formal pre-migration analysis that inventories an organization's current-state IT environment, maps workloads to cloud-compatible architectures, evaluates regulatory constraints, and produces a prioritized migration plan. The scope spans applications, databases, network topology, identity management, storage systems, and security controls.

NIST SP 800-145 defines cloud computing across five essential characteristics, three service models (IaaS, PaaS, SaaS), and four deployment models (public, private, community, hybrid). An assessment must map existing assets against these categories before any migration path is selected. Enterprises that skip this mapping routinely encounter incompatible licensing models, latency-sensitive workloads unsuited for public cloud, and data residency conflicts that require expensive remediation after migration has begun.

Scope boundaries matter. A narrow assessment covering only application servers misses dependent components: storage tiers, legacy middleware, batch processing jobs, and third-party integrations. A cloud readiness assessment with full coverage also addresses identity federation, egress cost modeling, and disaster recovery continuity — areas that surface blocking issues only when examined before migration begins, not during it.

For enterprises operating under regulatory frameworks such as HIPAA, PCI-DSS, or FedRAMP, the assessment must include a compliance mapping layer. The FedRAMP Program Management Office requires agencies to confirm that cloud service offerings hold active authorizations before federal data is moved to those environments — a constraint that shapes which providers are eligible and which workloads can migrate at all.

How it works

A structured cloud migration assessment proceeds through five discrete phases:

  1. Discovery and inventory — Automated discovery tools catalog all servers, virtual machines, containers, databases, and network dependencies. The output is a complete asset register with utilization metrics, software versions, and interdependency maps. NIST's SP 800-37 Rev. 2 risk management framework specifies asset categorization as a foundational step before any authorization or migration decision.

  2. Workload classification — Each asset is classified by migration compatibility: straightforward candidates for lift-and-shift migration, candidates for replatforming or refactoring, workloads that must remain on-premises, and assets scheduled for retirement. This classification directly determines migration sequencing and cost.

  3. Regulatory and compliance mapping — Each workload is evaluated against applicable regulatory frameworks. A healthcare enterprise maps electronic protected health information (ePHI) workloads to HIPAA Security Rule requirements under 45 CFR Part 164. A payment processor maps cardholder data environments to PCI-DSS v4.0 requirements. Federal agencies confirm FedRAMP authorization status for target cloud service offerings.

  4. Cost and performance baselining — Current infrastructure costs are documented against projected cloud costs using provider pricing calculators and egress estimates. This feeds directly into cloud migration cost estimation and informs which workloads deliver positive ROI versus which impose net cost increases.

  5. Risk and gap analysis — Security controls, identity management gaps, network architecture changes, and data transfer volumes are documented. Output is a prioritized remediation backlog that must be resolved before wave planning begins.

The Cloud Migration Security Considerations that surface during phase five frequently require architectural changes — such as implementing zero-trust network access or re-keying encryption — that add 4 to 12 weeks to pre-migration timelines depending on environment complexity.

Common scenarios

Regulated enterprise with mixed workload types — A hospital system operating under HIPAA maps 200+ applications across clinical, administrative, and research categories. ePHI workloads require HIPAA-compliant cloud migration paths with Business Associate Agreements in place with the cloud provider. Non-clinical administrative workloads may qualify for standard public cloud deployment without elevated controls, allowing the assessment to segment migration streams by risk tier rather than treating all workloads identically.

Federal agency migration under FedRAMP — An agency inventories 80 applications and finds that 23 require Moderate baseline FedRAMP-authorized services and 4 require High baseline authorization under FIPS 199 impact classification. The assessment phase determines which of the provider's offerings on the FedRAMP Marketplace meet those baselines, reducing the eligible provider set before any procurement or architecture decision is made.

Legacy system with mainframe dependencies — An enterprise running COBOL-based batch processing on IBM Z-series hardware finds during discovery that 14 downstream applications depend on the mainframe's job scheduling output. The assessment identifies this dependency chain, classifying the mainframe as a migration blocker requiring either legacy system cloud migration through modernization or a hybrid architecture that retains on-premises mainframe processing while migrating dependent applications.

Multi-cloud diversification — An enterprise with existing AWS infrastructure initiates an assessment to evaluate adding a second provider for specific workload types. The assessment scope expands to cover identity federation across providers, consistent governance tooling, and network topology — areas covered in depth by a multi-cloud migration strategy.

Decision boundaries

The assessment produces binary and graduated decisions at three levels:

Migrate vs. retain on-premises — Workloads with sub-10ms latency requirements to on-premises hardware, regulatory mandates for physical data sovereignty, or hardware-specific dependencies that cannot be virtualized are classified as on-premises retained. Workloads without these constraints are migration candidates.

Migration approach selection — Among migration candidates, the assessment distinguishes between lift-and-shift (no code changes, fastest timeline, lowest immediate cost, highest long-term cloud inefficiency) and replatforming or refactoring (code or architecture changes required, longer timeline, better long-term economics). The Cloud Migration Governance Frameworks referenced by NIST and the Cloud Security Alliance provide scoring rubrics for this classification.

Wave sequencing — The assessment output feeds cloud migration wave planning, where workloads are grouped into migration waves by dependency, risk, and business criticality. Wave 1 typically contains low-dependency, low-risk workloads used to validate the migration pattern before higher-criticality systems move.

Go/no-go readiness gates — A formal assessment concludes with a readiness determination. Enterprises that cannot resolve identified compliance gaps, security control deficiencies, or data residency conflicts within the project timeline receive a conditional no-go that specifies the remediation conditions required before migration proceeds. Skipping this gate is the primary cause of mid-migration compliance failures identified in post-incident analyses referenced by the Cloud Security Alliance's Cloud Controls Matrix.

References

Explore This Site

Regulations & Safety Regulatory References Tools & Calculators Cloud Hosting Cost Estimator