US Department of Defense (DoD) contractors that handle Controlled Unclassified Information (CUI) are subject to the DoD’s Cybersecurity Maturity Model Certification (CMMC) Level 2 assessments. CMMC assesses the contractor’s ability to adequately secure the CUI and is time consuming and costly. We’re talking weeks or even a month to prep for and conduct the assessment, and costs exceeding $50,000. So, naturally, our clients frequently ask us: “how can we save time and money on these assessments?” The answer to that question is easy: “set up a CMMC enclave for your CUI!” However, in practice, establishing an enclave may not be so simple. This post will explain the basics of the enclave approach and provide some tips on how your company may be able to build one.
What is an enclave?
You may have heard the term “enclave” used in everyday language, especially when referring to a geographic region that is separated from the main territory. For instance, the country of Azerbaijan has a portion of its territory – called the Nakhchivan Autonomous Republic – separated from the main country by a spit of Armenia, as shown in the image below:
You may also have heard of national embassies referred to as “enclaves”, a sort of country within a country. Politically, embassies provide a protected boundary for the citizens of a nation embedded within another host nation. Sometimes those host nations are hostile, but most of the time the relationship is benign. Still, it is important for various reasons (secrecy, culture, etc.) that the guest nation maintain some sovereignty – some dominion – over its small portion within the host nation.
We can use this same separation approach to isolate our CUI within the broader scope of our enterprise IT systems, carving out a smaller protected space within which to handle our CUI. In the context of IT, the National Institute of Standards and Technology (NIST, the government entity responsible for publishing the 800-171 standard for the protection of CUI) defines an enclave as:
“A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.”
NIST glossary definition of "enclave"
and goes on to define a “domain” as:
“A distinct group of computers under a central administration or authority.”
NIST glossary definition of a "domain"
The key word here is “distinct”. To set up an IT enclave means to carve out a separate operating environment, administrative authority (think “dominion”, the same root word as “domain”), and security policy for a distinct set of computers. Why would we want to do this? For the same reason nations want to establish security perimeters around their foreign embassies: to provide a more secure haven for their assets in a potentially hostile environment.
Note that the concept of a geographic or political enclave implies that the enclave is generally a smaller, more compact domain than the larger entity from which the enclave spawned, and it will have very well-defined boundaries. The protective boundary of an embassy is usually very distinct: a tall strong fence, with a few entry/exit points guarded by soldiers. The same is analogously true with IT enclaves. Smaller, well-defined IT boundaries are easier to defend, and therefore consume fewer security resources, including time and money. In fact, NIST in its 800-171 standard, recognizes the advantage an organization can realize by establishing an enclave to protect its CUI:
“[A contractor] may limit the scope of the security requirements by isolating the system components in a separate security domain [i.e. an enclave]. Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains may employ physical separation, logical separation, or a combination of both. This approach can provide adequate security for CUI and avoid increasing the organization’s security posture beyond what it requires for protecting its missions, operations, and assets.” (emphasis ours)
The NIST statement above mentions several techniques for enclave “boundary protection”, including firewalls; more to come on this later. Before we can protect the CMMC enclave boundary, we need to understand how to define a smaller boundary for our CUI, following a process we call scope reduction.
How do I scope a CMMC enclave?
We’ve addressed CMMC scoping several times before, most recently in our explanation of how to control the flow of CUI. Scoping is so critical to adequate protection of CUI and minimizing CMMC assessment costs that we dedicate the entire first lesson of our CMMC Level 2 Readiness Workshops to the topic. But in a nutshell, scoping means:
identifying the IT assets – facilities, hardware, software, firmware, networking devices, peripheral devices (e.g. printers), cloud services, and people – that are used to handle – store, process, or transmit – or protect CUI, and then
categorizing those assets according to the DoD’s CMMC Scoping Guide, and then finally,
characterizing the internal and external boundaries that separate those assets from other internal assets and, most importantly, from the outside world, i.e. the Internet.
Not until we’ve scoped our system can we begin to think about applying protections to secure the system. But protecting these assets costs time and money, and, like NIST said in the quote above, most organizations will not want to spend money on cybersecurity “beyond what it requires for protecting its missions, operations, and assets.” So reducing the CMMC scope as much as possible is imperative, especially for small businesses. Scope reduction means preventing as many assets as possible from handling the CUI. This means controlling where the CUI flows, and erecting barriers – a security boundary – to prevent CUI from being handled superfluously.
The scoping outcome is unique for every organization; there is no standard scope that works for all organizations of all sizes in all industries. However, the scoping approach outlined above is standard. And to scope toward an enclave, your organization will need to add the word “minimum” to step #1: “identify the minimum IT assets…used to handle CUI.” By following this minimization approach most organizations will be able to reduce the scope somewhat, say by eliminating the use of unnecessary cloud services. Some organizations may be able to reduce the scope significantly, perhaps by forming an “office within an office” or a separate staff-center for handling CUI. And a few organizations may be able to scope the CUI assets down to a few workstations, maybe even a single workstation. (The lucky organizations that can down-scope to a single workstation may benefit from our HRDN-IT™ Single PC CUI Enclave.)
An important concept in scope reduction is to understand that any interconnected IT components – whether those connections are physical or digital and whether or not they are used to actually handle the CUI – are considered in-scope for a CMMC assessment, because all connections represent a potential vector for attack and CUI compromise. That means that all those interconnections and interconnected components – such as internal or cloud-based file sharing services – must be protected. And since cyber protections and the assessments thereof are time consuming and costly, it behooves us to scope down to the minimal IT footprint.
The DoD has recognized that many organizations will choose the enclave approach; as such there is an “Enclave” option in the Supplier Performance Risk System (SPRS) when reporting CMMC Level 1 compliance or SPRS scores, as shown in the image below:
Now that we’ve covered scope reduction, we can finally talk about “isolation” or erecting a security boundary around our scoped system so that we can truly call it a CMMC enclave.
What does it mean to isolate a CMMC enclave?
To be able to claim that we have a CMMC enclave for our CUI and therefore be able to focus an assessor’s attention on that enclave, we must isolate that enclave from the rest of our corporate network. Isolation, or “separation”, means severing all unnecessary connections into and out of the enclave.
Think for a moment about why we can consider an embassy as an enclave: the guest nation controls a small piece of its sovereignty embedded in another nation’s territory, through a combination of flow control and differentiated authentication:
Flow control: the embassy fences are tall and robust, and the embassy buildings’ walls are strong and thick, and basically insurmountable to all but the most prepared and technologically advanced adversary. Consequently, entry to and exit from the sovereign areas is funneled through well fortified choke points and gates.
Differentiated authentication: to pass through the embassy gates, staff, citizens, and tradespeople need credentials: signed authorization issued specifically by the consulate (not necessarily by the host nation) as well as passports, and anyone with an unexpected spoken dialect, accent, etc. is immediately suspect.
To achieve separation or isolation our enclave will need those same protective features: network traffic flow control and differentiated authentication.
An organization can achieve enclave separation physically or logically. The CMMC Level 2 Scoping Guide gives some high-level guidance on how to achieve logical and/or physical separation:
Let’s elaborate on these separation concepts and outline some more concrete approaches to isolating a CMMC enclave.
Physical separation
You may have heard physical enclaving referred to as “air gapping”. Physical isolation in fact is required for many classified systems and is the most effective CMMC enclave technique. But it necessarily is very restrictive and can disrupt normal or entrenched operations. If your organization is going to claim its CMMC enclave is physically isolated from the rest of the corporate network, then the enclave will either need:
No network connections period, where any data is manually moved in or out on removable media or portable storage devices (e.g. controlled USB drives), and/or
Separate networking hardware, including the routers and switches.
Logical separation
Logical separation may be less disruptive than physical separation but comes with a higher burden of proof. To be logically separated from the host network, a CMMC enclave must have:
A separate logical computing zone from the host organization, with network traffic access control. In other words, the enclave will need to be in a separate firewall zone, with active firewall rulesets only allowing a very small subset of organizational network or Internet traffic into and out of the enclave zone. Note: the CMMC scoping guide mentions Virtual Local Area Networks (VLANs), but simply relegating the CUI traffic to a separate VLAN on its own is not enough to claim enclave status. This is because a VLAN is simply a network traffic labeling scheme, and not a network traffic flow control mechanism like that provided by a firewall.
Separate user credentials. Users must provide distinct (there’s that word again!) usernames, passwords, multifactor authentication, passkeys, etc. to gain access to the enclave resources. This means separate credentials from the ones they use to access non-enclave computers and sites. Most enclaves will require totally separate domain credentials from the host or corporate network. For instance, if the corporate username is “[email protected]”, the enclave username would be something like “[email protected]”.
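To make the flow-control criterion concrete, here is an added example of an enclave boundary ruleset in nftables syntax; it is not from the scoping guide or this post. It assumes a constructed layout: the enclave subnet 10.10.20.0/24 sits behind the firewall as its own routed zone, 10.10.10.5 is the one corporate jump host permitted to administer enclave machines, and 203.0.113.10 is a placeholder for the single approved cloud service the enclave may reach.

```nft
#!/usr/sbin/nft -f
# Enclave boundary ruleset (constructed example). Addresses are placeholders.
# The forward hook only sees traffic that is routed through this box, so the
# enclave must be on its own routed segment, not merely a VLAN tag on a shared
# switch where hosts could talk to each other without crossing the firewall.

define ENCLAVE_NET = 10.10.20.0/24
define ADMIN_HOST  = 10.10.10.5        # sole corporate host allowed in, for administration
define CUI_CLOUD   = 203.0.113.10      # placeholder: the one approved CUI cloud endpoint

flush ruleset   # replaces any existing tables; remove if merging into a larger ruleset

table inet enclave_fw {
    chain forward {
        # Default deny is what turns a subnet into a security boundary.
        type filter hook forward priority 0; policy drop;

        # Let replies to permitted sessions return; discard malformed state.
        ct state established,related accept
        ct state invalid drop

        # Enclave -> approved cloud service only, HTTPS only.
        ip saddr $ENCLAVE_NET ip daddr $CUI_CLOUD tcp dport 443 accept

        # Corporate -> enclave: only the jump host, only SSH and RDP.
        ip saddr $ADMIN_HOST ip daddr $ENCLAVE_NET tcp dport { 22, 3389 } accept

        # Everything else crossing the boundary is logged, then hits policy drop.
        # (IPv6 never matches the ip rules above and is dropped by policy too.)
        ip saddr $ENCLAVE_NET log prefix "enclave-egress-drop: " drop
        ip daddr $ENCLAVE_NET log prefix "enclave-ingress-drop: " drop
    }
}
```

The logged drops are worth forwarding to your SIEM: an assessor will ask for evidence that the boundary is enforced, and a record of denied cross-boundary attempts is exactly that evidence.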
You can be sure the CMMC Assessors will be looking for your system to meet the above criteria if you’re claiming your CUI is protected in an enclave.
Wrapping up
There you have an explanation of what an IT enclave is, how to down-scope your IT assets for the enclave approach, and what technical thresholds must be met to be able to claim a CMMC enclave.
If you’re interested in learning more about enclaves, or need some additional help figuring out your approach, consider joining us in one of our CMMC Readiness Workshops. We dedicate an entire session to discussing enclave options.
Also, if you run a microbusiness, you may be interested in our Single PC Hardening Guide for tips on how to develop a single-workstation CUI enclave. Or you can just rent or purchase one of our HRDN-IT™ secure single PC enclave workstations and save the time hardening one on your own.
If you’re at a larger organization and ready to implement an enclave but aren’t sure how, we recommend you reach out to one of our Trusted Managed Service Provider Partners for assistance.
Good Hunting!
–Adam