
CUI Enclave

Learn how a CUI enclave dramatically reduces CMMC assessment scope by segmenting CUI processing into a hardened, dedicated environment. Covers VDI, GCC High, physical segmentation, and managed enclave services.

Agency Team · 11 min read

When we work with defense contractors preparing for CMMC Level 2 certification, the first strategic conversation is almost always about scope. Applying all 110 NIST 800-171 controls across an entire corporate IT environment is technically possible but financially punishing and operationally disruptive. A CUI enclave changes the equation entirely by concentrating CUI handling into a purpose-built environment and reducing the assessment boundary to a manageable size.

Controlled Unclassified Information requires specific protections under CMMC, but it does not follow that every system, every user, and every network segment in your organization must meet those requirements. The enclave approach recognizes a practical truth: most employees and most systems in a defense contracting organization never touch CUI. By creating a segmented environment where CUI processing happens — and only happens — you transform a sprawling, enterprise-wide compliance challenge into a focused, bounded one.

This guide explains what a CUI enclave is, why the scoping advantage matters, how to implement one using different architectural approaches, and what pitfalls to avoid.

What Is a CUI Enclave?

A CUI enclave is a logically or physically segmented environment within your organization that is specifically designed, configured, and hardened to process, store, and transmit CUI. It is isolated from the general corporate IT environment through network controls, access restrictions, and security boundaries that prevent CUI from flowing into uncontrolled systems.

Think of it as a secure room within a building. The entire building does not need the same security controls as the secure room — the room has its own access controls, monitoring, and protections. Everything outside the room operates under normal business controls, while everything inside meets the stringent requirements of NIST 800-171 and CMMC Level 2.

The enclave concept is not new. The federal government has used sensitive compartmented information facilities (SCIFs) for classified data for decades. A CUI enclave applies the same segmentation principle to the unclassified-but-controlled tier.

Why Scope Reduction Matters

To appreciate the value of a CUI enclave, you need to understand how CMMC assessment scope works.

When a C3PAO conducts a CMMC Level 2 assessment, they evaluate compliance for every system that processes, stores, or transmits CUI, plus every system that provides security protections for those CUI systems (security protection assets), plus every system that can connect to the CUI environment (contractor risk managed assets).

Without an enclave, this scope often encompasses:

  • Every employee laptop and workstation
  • The entire corporate network infrastructure
  • All email systems (because CUI might flow through email)
  • All file storage systems (because CUI might be saved to shared drives)
  • All cloud services that could potentially touch CUI
  • Every user who could access CUI systems

With an enclave, the scope shrinks to:

  • The enclave infrastructure and endpoints
  • The network segment connecting to the enclave
  • Users with enclave access (often 10–30% of total headcount)
  • Security tools that protect the enclave
  • Systems that connect to the enclave boundary

The practical impact is dramatic:

| Dimension | Without Enclave | With Enclave |
|---|---|---|
| Systems in scope | All corporate IT | Enclave systems only |
| Users in scope | All employees | CUI-authorized personnel only |
| Network in scope | Entire corporate network | Enclave network segment |
| Controls to implement | 110 across everything | 110 within enclave, reduced set elsewhere |
| Assessment duration | 3–5 days | 1–3 days |
| Assessment cost | Significantly higher (full environment in scope) | Significantly lower (enclave only) |
| Remediation cost | Higher (all corporate IT must meet requirements) | Lower (scoped to enclave only) |

For a 200-person defense contractor where only 30 people handle CUI, an enclave can reduce the scope — and therefore the cost — of CMMC compliance by 60 to 80 percent.
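The scoping rule above (CUI assets, security protection assets, and assets that can connect to the enclave are all in scope) can be applied mechanically to an asset inventory. The following is an added example, not the article's or any assessor's tooling: it classifies a constructed inventory into those categories and measures how much an enclave shrinks the in-scope set. All asset names, flags and the two inventories are made up for illustration.

```python
# Added example (not from the article): classify a constructed asset inventory
# into the CMMC scoping categories the article lists, then measure how much an
# enclave shrinks the assessment scope. All asset names and flags are made up.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    handles_cui: bool = False        # processes, stores or transmits CUI
    protects_cui: bool = False       # firewall, SIEM, directory, DNS serving CUI systems
    can_reach_enclave: bool = False  # has a network or identity path into the enclave


def classify(asset: Asset) -> str:
    """Map one asset to the category that puts it in (or out of) CMMC scope."""
    if asset.handles_cui:
        return "CUI Asset"
    if asset.protects_cui:  # in scope even though it sits outside the enclave
        return "Security Protection Asset"
    if asset.can_reach_enclave:
        return "Contractor Risk Managed Asset"
    return "Out of Scope"


def in_scope(assets: list) -> list:
    return [a.name for a in assets if classify(a) != "Out of Scope"]


def scope_reduction_pct(before: list, after: list) -> float:
    """Percent of the pre-enclave in-scope asset count removed by the enclave design."""
    b, a = len(in_scope(before)), len(in_scope(after))
    return round(100.0 * (b - a) / b, 1) if b else 0.0


def constructed_inventories() -> tuple:
    laptops = [f"laptop-{i}" for i in range(1, 7)]
    # No enclave: CUI may land on any laptop, mailbox or share, so all are CUI assets.
    flat = [Asset(n, handles_cui=True) for n in laptops + ["corp-mail", "corp-share"]]
    flat += [Asset("corp-fw", protects_cui=True), Asset("corp-siem", protects_cui=True)]
    # Enclave: only the VDI hosts hold CUI, two laptops merely reach the enclave,
    # corporate mail and shares are barred from CUI, and the shared SIEM stays in scope.
    enclaved = [Asset(n, can_reach_enclave=(i < 2)) for i, n in enumerate(laptops)]
    enclaved += [Asset("corp-mail"), Asset("corp-share"),
                 Asset("enclave-vdi", handles_cui=True),
                 Asset("enclave-fw", protects_cui=True),
                 Asset("corp-siem", protects_cui=True)]
    return flat, enclaved
```

Running `scope_reduction_pct` over the two constructed inventories returns 50.0, and the shared `corp-siem` is still classified as a Security Protection Asset in the enclave design, which is the point the article makes about supporting systems.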

Enclave Architecture Approaches

There are four primary approaches to building a CUI enclave, each with different cost profiles, complexity levels, and operational implications.

Virtual Desktop Infrastructure (VDI)

A VDI-based enclave provides dedicated virtual desktops that users access to process CUI. The virtual desktops run within a hardened, segmented environment, and CUI never touches the user's physical endpoint.

How it works:

  • Users log into their corporate laptop as normal for non-CUI work
  • When they need to handle CUI, they launch a VDI session that connects to a virtual desktop in the enclave
  • The virtual desktop runs in a secured data center or cloud environment with all NIST 800-171 controls applied
  • CUI stays within the VDI environment — no data can be copied to the local machine, printed to unauthorized printers, or transferred outside the enclave
  • When the session ends, the virtual desktop can be reset to a clean state

Advantages:

  • Users can switch between CUI and non-CUI work from the same physical device
  • Centralized management of the enclave environment
  • Strong data loss prevention — CUI never resides on the local endpoint
  • Relatively simple to audit since all CUI activity happens in a controlled environment

Considerations:

  • VDI licensing and infrastructure costs vary based on provider and user count
  • Performance depends on network connectivity — latency-sensitive work may be affected
  • Users must adapt to working within VDI constraints (no local file saves, restricted clipboard)
  • VDI infrastructure itself must meet all 110 controls

Dedicated Cloud Tenant (GCC High / GovCloud)

A cloud-based enclave uses a government-authorized cloud environment — most commonly Microsoft GCC High or AWS GovCloud — as the CUI processing platform.

How it works:

  • The organization maintains a standard commercial cloud tenant (Microsoft 365, AWS) for non-CUI business operations
  • A separate GCC High or GovCloud tenant is provisioned exclusively for CUI processing
  • Users who handle CUI are granted accounts in the government tenant
  • Email, file storage, collaboration, and applications within the government tenant are configured to meet NIST 800-171 controls
  • Network and identity boundaries enforce separation between the commercial and government environments

Advantages:

  • Cloud provider handles many infrastructure-level controls (physical security, network encryption, availability)
  • FedRAMP High authorization of the cloud platform satisfies a significant portion of NIST 800-171 controls
  • Familiar tools (Outlook, Teams, SharePoint) reduce user training burden
  • Scalable — adding users is straightforward

Considerations:

  • GCC High licensing is significantly more expensive than standard commercial licensing — contact Microsoft for current pricing
  • Requires careful identity and access management to prevent CUI leakage between tenants
  • Not all third-party integrations and applications are available in GCC High
  • Endpoint devices used to access GCC High must still meet certain control requirements

Physically Segmented Network

A physical enclave uses dedicated hardware — separate workstations, network equipment, and infrastructure — that is physically isolated from the corporate network.

How it works:

  • Dedicated workstations in a secured area are connected to a physically separate network
  • The enclave network has no connectivity to the corporate LAN, corporate Wi-Fi, or the general internet
  • CUI processing happens exclusively on enclave workstations
  • Users physically move to the enclave area when they need to work with CUI
  • All enclave hardware is inventoried, labeled, and managed under CMMC controls

Advantages:

  • Strongest isolation — no logical attack path between corporate and CUI environments
  • Simplest to explain and demonstrate to assessors
  • Eliminates many network-related control complexities

Considerations:

  • High capital expenditure for duplicate hardware and infrastructure
  • Operationally inconvenient — users must physically relocate to work with CUI
  • Scales poorly as CUI processing needs grow
  • Maintenance and patching require managing a separate fleet of devices
  • Not practical for organizations with distributed or remote workforces

Managed Enclave Services (MSSP)

A growing number of Managed Security Service Providers (MSSPs) offer turnkey CUI enclave solutions. The MSSP provides and manages the enclave infrastructure, and the organization's users access it as a service.

How it works:

  • The MSSP provisions a dedicated enclave environment (typically VDI or cloud-based) for the organization
  • The MSSP manages infrastructure, patching, monitoring, logging, and incident detection within the enclave
  • Users access the enclave through a secure portal or VPN
  • The MSSP provides compliance documentation and evidence for the controls they manage
  • The organization retains responsibility for user-level controls (training, access management, policies)

Advantages:

  • Fastest time to deployment — weeks rather than months
  • MSSP handles the most technically complex controls
  • Shared responsibility model reduces the organization's direct compliance burden
  • Predictable monthly cost
  • Particularly valuable for small contractors without internal IT security expertise

Considerations:

  • Monthly per-user costs can be significant; contact vendors for current pricing
  • Dependency on a third-party vendor for critical operations
  • Shared responsibility boundaries must be clearly documented for the C3PAO assessment
  • The organization must still manage its own policies, training, personnel security, and physical security controls

Choosing the Right Approach

The best enclave architecture depends on your organization's specific situation:

| Factor | VDI | GCC High | Physical | Managed MSSP |
|---|---|---|---|---|
| Best for | Mid-size orgs with existing IT capability | Organizations already on Microsoft stack | Small orgs with minimal CUI users | Small orgs without internal security expertise |
| Number of CUI users | 10–100+ | 10–500+ | 1–20 | 5–100 |
| Upfront cost | Medium–High | Low–Medium | High | Low |
| Monthly cost | Medium | Medium | Low | High |
| Time to deploy | 2–4 months | 1–3 months | 1–2 months | 2–6 weeks |
| Internal expertise needed | High | Medium | Medium | Low |
| Remote workforce support | Excellent | Excellent | Poor | Excellent |

Many organizations use a combination. A common pattern is GCC High for email and collaboration combined with VDI for specialized applications that require CUI processing.

Enclave Design Principles

Regardless of the implementation approach, effective CUI enclaves share common design principles:

Minimize the Boundary

The smaller the enclave, the cheaper and easier it is to secure and assess. Be ruthless about what goes inside the boundary. If a system does not need to touch CUI, it stays outside.

Enforce One-Way Data Flow Where Possible

Ideally, CUI flows into the enclave from external sources (DoD systems, prime contractors) and does not flow out to the general corporate environment. When CUI deliverables need to leave the enclave (submitted to the government, shared with authorized partners), that happens through controlled channels with logging and approval.

Implement Strong Identity Boundaries

Access to the enclave must be controlled through separate credentials or at minimum through multi-factor authentication with conditional access policies that verify device compliance, location, and user identity before granting access.

Document Everything

The C3PAO assessor needs to see clear documentation of the enclave boundary, the data flow in and out, the access controls, and the security controls implemented within the boundary. Network diagrams, data flow diagrams, and the System Security Plan must accurately reflect the enclave architecture.

Test the Boundary

Before your assessment, verify that the enclave boundary actually works. Can a user copy CUI from the enclave to a personal device? Can an unmanaged device access the enclave? Can CUI be emailed from the enclave to a non-authorized recipient? Penetration testing of the enclave boundary is a worthwhile investment.
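The identity-boundary principle (MFA plus conditional access that checks device compliance, location and group membership) and the boundary questions above can be expressed as one deny-by-default policy evaluator with a built-in set of boundary checks. This is an added example, not the article's or any vendor's conditional access engine; the policy values, the `CUI-Enclave-Users` group name, the allowed-country list and the sign-in requests are all constructed for illustration.

```python
# Added example (not from the article): deny-by-default evaluation of enclave
# sign-in requests against the checks the article names, reporting every failed
# check so the same function serves as a boundary test. All values are constructed.
from dataclasses import dataclass

@dataclass
class EnclavePolicy:
    allowed_countries: frozenset = frozenset({"US"})   # constructed location allow-list
    require_mfa: bool = True
    require_managed_device: bool = True
    require_compliant_device: bool = True
    enclave_group: str = "CUI-Enclave-Users"           # hypothetical group name

@dataclass
class SignIn:
    user: str
    groups: set
    mfa_satisfied: bool
    device_managed: bool
    device_compliant: bool
    country: str

def evaluate(req: SignIn, pol: EnclavePolicy) -> tuple:
    """Deny by default: return (allowed, reasons) listing every failed check."""
    failures = []
    if pol.enclave_group not in req.groups:
        failures.append("user not in enclave access group")
    if pol.require_mfa and not req.mfa_satisfied:
        failures.append("MFA not satisfied")
    if pol.require_managed_device and not req.device_managed:
        failures.append("unmanaged device")
    if pol.require_compliant_device and not req.device_compliant:
        failures.append("device not compliant")
    if req.country not in pol.allowed_countries:
        failures.append(f"sign-in from disallowed location {req.country}")
    return (not failures, failures)

def boundary_checks(pol: EnclavePolicy) -> dict:
    """Constructed scenarios mirroring the 'Test the Boundary' questions; True means pass."""
    grp = {"CUI-Enclave-Users"}
    ok = SignIn("alice", grp, True, True, True, "US")
    unmanaged = SignIn("alice", grp, True, False, False, "US")
    no_group = SignIn("bob", {"Everyone"}, True, True, True, "US")
    abroad = SignIn("alice", grp, True, True, True, "DE")
    return {
        "authorized user on compliant device allowed": evaluate(ok, pol)[0],
        "unmanaged device denied": not evaluate(unmanaged, pol)[0],
        "user outside enclave group denied": not evaluate(no_group, pol)[0],
        "disallowed location denied": not evaluate(abroad, pol)[0],
    }
```

Because `evaluate` collects every failure rather than stopping at the first, a denied sign-in from an unmanaged, non-compliant device reports both problems, which is the evidence an assessor wants to see when you demonstrate the boundary.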

Common Mistakes in Enclave Implementation

Based on the assessments we have supported, these are the most frequent enclave-related issues:

CUI leakage outside the enclave. Users email CUI documents to colleagues using corporate (non-enclave) email, save CUI to personal cloud storage, or print CUI on non-enclave printers. Technical controls must prevent this, not just policies.

Incomplete scoping of security protection assets. The systems that protect the enclave — firewalls, SIEM, directory services, DNS — are in scope for assessment even though they sit outside the enclave itself. Organizations frequently forget this and fail to apply NIST 800-171 controls to these supporting systems.

Shared infrastructure without proper segmentation. An enclave that shares an Active Directory domain, a firewall, or a SIEM with the corporate environment creates assessment scope expansion. The shared infrastructure becomes an assessment target.

Neglecting endpoint security for enclave access devices. Even in a VDI-based enclave where CUI does not reside on the endpoint, the device used to access the VDI session must meet minimum security requirements. A compromised endpoint could capture keystrokes or screen content from the VDI session.

Insufficient user training. Users with enclave access need specific training on CUI handling procedures, not just general security awareness. They need to know what constitutes CUI, how to handle it within the enclave, and what to do if they encounter CUI outside the enclave boundary.

The Path Forward

Implementing a CUI enclave is one of the highest-leverage decisions a defense contractor can make in their CMMC preparation journey. The scope reduction translates directly into lower assessment costs, faster remediation timelines, simpler ongoing maintenance, and a higher probability of passing the C3PAO assessment on the first attempt.

Start by conducting a CMMC gap assessment that includes a thorough review of your CUI data flows. That assessment will reveal where CUI lives today and inform the enclave design that determines where CUI should live tomorrow. From there, select the implementation approach that matches your organization's size, technical capability, workforce distribution, and budget.

The goal is not to build the most sophisticated enclave possible. The goal is to build the smallest, simplest enclave that contains all your CUI processing and can be defended under assessment. Everything outside that boundary is a system you do not have to certify, a control you do not have to implement at CMMC level, and a dollar you do not have to spend. That is the strategic advantage of the enclave model, and it is why every defense contractor handling CUI should be thinking about it.
