CMMC Enclaves: What They Are and When You Need One

Master CMMC enclave compliance with key insights and strategies for defense contractors.

4 Key Insights for Mastering CMMC Enclave Compliance


An enclave is a walled-off portion of your IT environment that exists specifically to handle Controlled Unclassified Information (CUI). Everything outside the enclave runs on your regular corporate network. Everything inside the enclave meets the full set of CMMC (Cybersecurity Maturity Model Certification) Level 2 requirements.

The appeal is obvious: instead of spending the time and money to bring your entire organization up to CMMC standards, you build a smaller, tightly controlled environment for the work that actually touches CUI. Your general business operations — HR systems, marketing tools, accounting software — stay outside the enclave and outside the CMMC assessment scope.

Whether an enclave makes sense for you depends on how your organization actually works. It's a legitimate approach, widely used, but it's not the right answer for everyone.

What an Enclave Actually Looks Like

An enclave is defined by a boundary. Everything inside that boundary is in scope for your CMMC assessment. Everything outside is not, provided CUI never flows there.

The boundary can be:

Physical — dedicated hardware, separate network switches, isolated workstations that never connect to the corporate network. This approach offers the cleanest separation but the highest cost and operational friction.

Virtual (network segmentation) — a VLAN (virtual local area network) or software-defined network segment that isolates CUI traffic from general corporate traffic. Less expensive than physical separation, but the controls around the boundary need to be airtight. Firewalls, access controls, and traffic monitoring all sit at the enclave boundary.

Cloud-based — a separate cloud tenant configured for CUI handling. Microsoft 365 GCC High and Azure Government are the most common choices for defense contractors. These environments inherit many federal security controls from the provider's authorization, but you remain responsible for how the tenant is configured, and your CMMC scope becomes the tenant plus the users and endpoints that connect to it, rather than your whole on-premises infrastructure.

Inside the enclave, every system that stores, processes, or transmits CUI must meet all 110 CMMC Level 2 practices: access controls, multi-factor authentication (MFA), encrypted data at rest and in transit, centralized audit logging, vulnerability scanning, incident response capability, and more.

The enclave boundary itself is governed by CMMC practice SC.L2-3.13.1 (NIST SP 800-171 requirement 3.13.1): monitor, control, and protect communications at the external boundaries and key internal boundaries of the system. In practice, this means at a minimum a managed firewall at the enclave perimeter with a default-deny policy and logging of all inbound and outbound traffic.

When an Enclave Makes Sense

An enclave is worth the investment when:

  • Only a subset of your staff handles CUI. If 8 out of 60 employees actually work with CUI documents, bringing all 60 workstations and all your corporate systems into CMMC scope is wasteful. An enclave keeps the scope to those 8 people and their systems.
  • CUI workflows can be isolated without major disruption. Some organizations pass CUI back and forth across the entire company — engineers in one department, reviewers in another, contracts in a third. If your CUI workflow is contained within one team or one project, enclave architecture fits naturally.
  • You want to minimize assessment cost. CMMC Level 2 assessment fees from a C3PAO (CMMC Third-Party Assessment Organization, one of the authorized companies that conduct CMMC assessments) are typically priced on the size of the assessment scope. A smaller scope means less assessor time and lower assessment costs. For some organizations, scoping down via an enclave reduces assessment cost by 40–60%.

An enclave makes less sense when:

  • CUI moves through many systems across the organization. If CUI lives in your ERP system, your document management platform, your email, and your engineering tools — all used by most of your staff — the enclave boundary becomes impossible to maintain cleanly.
  • The operational friction is too high. Maintaining two parallel environments — one for CUI, one for everything else — requires ongoing discipline. Employees who work with CUI have to context-switch between environments. Files can't flow freely. If your culture or workflow can't sustain that separation, the enclave will leak.

The Common Mistake

The single most common enclave mistake is building the wall but forgetting the gates.

You can architect a beautiful enclave with proper boundary controls, FIPS-validated encryption, and a hardened Microsoft 365 GCC High tenant. Then a user saves a CUI document to their personal OneDrive account to "make it easier to access." Or inbound mail lands in your corporate commercial Microsoft 365 tenant before being forwarded into the GCC High environment. Or someone shares a file from the enclave to a corporate SharePoint site.

Every one of those data pathways punches a hole in your enclave and potentially expands your CMMC scope to systems you weren't prepared to defend. Assessors look specifically for these gaps. They'll ask about your data flows — how CUI enters the environment, where it's stored, who can access it, and how it leaves. If any of those paths touch systems outside your documented enclave, those systems are now in scope.

Data loss prevention (DLP) controls, clear user training, and documented CUI handling procedures aren't optional enclave add-ons. They're what makes the enclave work.
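The assessor's data-flow questions above can be answered mechanically once you have an inventory of where CUI moves. The following is an added example (not code from the original article, and not an official CMMC tool) that treats every CUI-carrying flow as an edge in a graph and computes the scope closure: any system reachable from the documented enclave over a CUI flow is in scope, whether or not it was planned to be. The system names and flows in it are constructed for illustration, including the three leaks described in the paragraph above.

```python
"""Scope-closure check over an enclave data-flow inventory.

Added example, not part of the original article. All system names and
flows are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed inventory. Each entry: (source, destination, carries_cui).
FLOWS = [
    ("gcc-high-exchange", "gcc-high-sharepoint", True),
    ("engineer-ws-enclave", "gcc-high-sharepoint", True),
    ("corp-o365-exchange", "gcc-high-exchange", True),   # mail relayed via the commercial tenant
    ("gcc-high-sharepoint", "corp-sharepoint", True),    # file shared out of the enclave
    ("engineer-ws-enclave", "personal-onedrive", True),  # user's "convenience" copy
    ("gcc-high-sharepoint", "corp-siem", False),         # audit logs only, no CUI content
    ("corp-hr-system", "corp-payroll", False),           # unrelated corporate traffic
]

# The enclave as written in the System Security Plan (constructed).
DOCUMENTED_ENCLAVE = {"gcc-high-exchange", "gcc-high-sharepoint", "engineer-ws-enclave"}


def cui_adjacency(flows):
    """Undirected adjacency over CUI-carrying flows only.

    Direction does not matter for scope: a system that sent CUI into the
    enclave handled CUI, and so did one that received CUI from it.
    """
    adj = defaultdict(set)
    for src, dst, carries_cui in flows:
        if carries_cui:
            adj[src].add(dst)
            adj[dst].add(src)
    return adj


def effective_scope(flows, enclave):
    """Every system reachable from the documented enclave over CUI flows (BFS)."""
    adj = cui_adjacency(flows)
    seen = set(enclave)
    queue = deque(enclave)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def scope_creep(flows, enclave):
    """Systems that are in scope but missing from the documented enclave."""
    return sorted(effective_scope(flows, enclave) - set(enclave))


def boundary_crossings(flows, enclave):
    """CUI flows with exactly one end outside the documented boundary.

    Each is returned as (source, destination, 'ingress'|'egress'); these are
    the gates the assessor will ask about.
    """
    crossings = []
    for src, dst, carries_cui in flows:
        if not carries_cui:
            continue
        if src in enclave and dst not in enclave:
            crossings.append((src, dst, "egress"))
        elif src not in enclave and dst in enclave:
            crossings.append((src, dst, "ingress"))
    return sorted(crossings)


if __name__ == "__main__":
    for src, dst, direction in boundary_crossings(FLOWS, DOCUMENTED_ENCLAVE):
        print(f"{direction:7s} {src} -> {dst}")
    creep = scope_creep(FLOWS, DOCUMENTED_ENCLAVE)
    print("undocumented systems now in scope:", ", ".join(creep) or "none")
```

Run against the constructed inventory, it reports the relayed mail path as ingress and the two outbound shares as egress, and lists the commercial Exchange tenant, corporate SharePoint, and the personal OneDrive as systems that are now in scope. The SIEM is not flagged because the log flow carries no CUI; note that CMMC scoping still treats a system that protects the enclave as a Security Protection Asset, so a clean result from this check means no CUI-asset creep, not that nothing outside the enclave needs documenting.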

What It Costs

A cloud-based enclave using Microsoft 365 GCC High for a team of 10–15 users typically runs $50,000–$150,000 to implement properly, including licensing, configuration, security tool integration, and consulting. Ongoing annual costs (licensing plus maintenance plus monitoring) often run $20,000–$50,000 depending on complexity.

That sounds like a lot. But compare it to the alternative: bringing a 100-person company's entire IT environment up to CMMC Level 2 standards, which commonly runs $200,000–$600,000 in implementation costs. For many small defense subcontractors, the enclave is the economically rational path.

The Decision

If fewer than 20 people in your organization handle CUI, and those workflows are reasonably separable from the rest of your operations, an enclave is probably your best approach. If CUI is woven throughout your organization or the operational separation would break how you work, an enterprise-wide approach will serve you better.

If you're not sure which applies to your situation, the next step is a scoping exercise: map every system and user that touches CUI and see whether a clean boundary is achievable. Our article on CMMC scoping walks through that process in detail.
