CMMC Enclave Guide: How to Reduce Your Scope by 70-90%

An enclave isolates your CUI-handling systems into a smaller, controlled boundary — so only those systems need to meet all 110 CMMC Level 2 practices instead of your entire network.

For most small and mid-size defense contractors, applying all 110 NIST 800-171 practices across the entire corporate network is prohibitively expensive. An enclave solves this by creating a separate, hardened environment specifically for CUI processing. Only the enclave — not your whole business — needs to meet every CMMC Level 2 requirement.

This is the single most effective strategy for reducing CMMC compliance costs, and it's how the majority of small contractors (under 100 employees) are approaching certification.

What Is a CMMC Enclave?

A CMMC enclave is a logically or physically separated portion of your IT environment that processes, stores, and transmits CUI. By confining CUI to this enclave and preventing it from touching the rest of your network, you limit your CMMC assessment scope to only the enclave and its supporting infrastructure.

Think of it like a clean room in manufacturing — a controlled environment within your larger facility, with strict access controls and monitoring at every entry and exit point.

Three Enclave Approaches

Option 1: Cloud Enclave (Most Popular)

Use a CMMC-compliant cloud provider that handles the infrastructure-level controls for you. Your CUI processing happens inside the provider's environment, which is already hardened to NIST 800-171 standards.

  • How it works: Users access CUI through virtual desktops or a secure browser session inside the cloud enclave. CUI never touches local machines.
  • Your responsibility: Access control policies, user training, and operational procedures. The provider handles encryption, logging, patching, network security, and physical infrastructure.
  • Cost: $30-150/user/month depending on the provider and features.
  • Best for: Companies with fewer than 100 CUI users, especially those without a dedicated IT security team.

Option 2: On-Premise Enclave

Build a physically and logically separated network segment within your existing infrastructure. This typically means a dedicated VLAN, firewall rules, and separate servers for CUI processing.

  • How it works: CUI systems sit on a separate network segment with firewall rules blocking unauthorized traffic. Users access the enclave from dedicated workstations or through a jump box.
  • Your responsibility: Everything — hardware, software, configuration, monitoring, patching, and physical security for the enclave infrastructure.
  • Cost: $50,000-200,000 initial setup + $20,000-60,000/year ongoing for a mid-size company.
  • Best for: Companies with existing IT teams and infrastructure, or those processing large volumes of CUI that make cloud per-user pricing expensive.

Option 3: Hybrid Enclave

Combine cloud and on-premise components. For example, use a cloud enclave for email and document collaboration, but keep manufacturing systems and engineering workstations on a hardened on-premise segment.

  • Best for: Manufacturing companies that need local access to CUI for production but want cloud simplicity for office workers.

Enclave vs. Full Network: Cost Comparison

| Cost Area | Full Network Approach | Enclave Approach | Savings |
|---|---|---|---|
| Security Tools (EDR, SIEM, vuln scanning) | All endpoints: $40,000-100,000/yr | Enclave only: $8,000-25,000/yr | 60-80% |
| Configuration Management (hardening, patching) | All systems: $25,000-60,000/yr | Enclave systems: $5,000-15,000/yr | 70-80% |
| C3PAO Assessment | Full scope: $40,000-80,000 | Reduced scope: $20,000-40,000 | 40-50% |
| Ongoing Monitoring | All systems: $30,000-80,000/yr | Enclave only: $10,000-25,000/yr | 60-70% |
| Staff Training | All employees: $10,000-25,000 | Enclave users only: $3,000-8,000 | 60-70% |
| Estimated 3-Year Total (50-person company) | $250,000-500,000 | $80,000-180,000 | 60-70% |

For a detailed breakdown of all CMMC costs, see our CMMC Cost Breakdown.

How to Implement an Enclave

Step 1: Map Your CUI Data Flows

Before you can isolate CUI, you need to know everywhere it lives and moves. Trace CUI from the moment it enters your organization (contract documents, emails from primes, engineering data) through every system it touches until it's delivered or destroyed. Common CUI locations people miss: email archives, shared drives, backup systems, personal devices, and printers.

Step 2: Define the Enclave Boundary

Draw a clear line around the systems that will process CUI. Everything inside the boundary is "in scope" for CMMC. Everything outside must be prevented from accessing CUI. Your boundary document should list every server, workstation, network device, and application inside the enclave.
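Steps 1 and 2 are easier to get right when the data-flow map and the boundary list are kept as data and checked mechanically. The script below is an added example (not from this guide, and not any vendor's tool): it takes a constructed asset inventory and a constructed list of CUI flows, derives the assets that store, process or transmit CUI, follows the "supports" relationships to find the Security Protection Assets that also land in scope (the point made under "Forgetting supporting systems" further down), and flags any CUI flow whose destination sits outside the declared enclave zone. All asset names, zones and flows are assumptions invented for the example.

```python
"""Enclave scope calculator (added example; inventory and flows are constructed).

Given an asset inventory with zone labels and "supports" links, plus the
CUI data flows mapped in Step 1, work out:
  - CUI assets: everything a CUI flow lands on,
  - Security Protection Assets (SPAs): assets that provide a security or
    infrastructure service to a CUI asset, followed transitively,
  - out-of-scope assets: everything else,
  - boundary leaks: CUI flows that terminate outside the enclave zone.
"""
from collections import defaultdict, deque

# Constructed inventory. "supports" lists the assets this asset provides a
# service to (directory, DNS, backup, logging, firewalling).
ASSETS = {
    "cui-vdi-01":    {"zone": "enclave",   "supports": []},
    "cui-fileshare": {"zone": "enclave",   "supports": []},
    "enclave-fw":    {"zone": "enclave",   "supports": ["cui-vdi-01", "cui-fileshare"]},
    "corp-ad":       {"zone": "corporate", "supports": ["cui-vdi-01", "cui-fileshare", "hr-laptop"]},
    "corp-backup":   {"zone": "corporate", "supports": ["cui-fileshare", "hr-fileshare"]},
    "siem":          {"zone": "corporate", "supports": ["enclave-fw", "cui-vdi-01"]},
    "hr-laptop":     {"zone": "corporate", "supports": []},
    "hr-fileshare":  {"zone": "corporate", "supports": []},
    "lobby-printer": {"zone": "corporate", "supports": []},
}

# Constructed CUI flows as (source, destination). The first hop is where CUI
# enters the organisation; that external source is not an inventory item.
CUI_FLOWS = [
    ("prime-contractor-email", "cui-vdi-01"),
    ("cui-vdi-01", "cui-fileshare"),
    ("cui-fileshare", "corp-backup"),   # a backup of CUI is still CUI
    ("cui-vdi-01", "lobby-printer"),    # a print job leaving the enclave
]


def cui_assets(flows, assets):
    """Every inventoried asset that a CUI flow terminates on."""
    return {dst for _, dst in flows if dst in assets}


def protection_assets(cui_set, assets):
    """Assets that provide a service to a CUI asset, followed transitively:
    the SIEM that logs the firewall that protects the VDI is still in scope."""
    supporters = defaultdict(set)
    for name, info in assets.items():
        for target in info["supports"]:
            supporters[target].add(name)
    spa = set()
    queue = deque(cui_set)
    while queue:
        asset = queue.popleft()
        for supporter in supporters[asset]:
            if supporter not in spa and supporter not in cui_set:
                spa.add(supporter)
                queue.append(supporter)
    return spa


def boundary_leaks(flows, assets):
    """CUI flows whose destination is inventoried but not in the enclave zone."""
    return [(src, dst) for src, dst in flows
            if dst in assets and assets[dst]["zone"] != "enclave"]


def compute_scope(flows=CUI_FLOWS, assets=ASSETS):
    """Return the scope breakdown a boundary document needs."""
    cui = cui_assets(flows, assets)
    spa = protection_assets(cui, assets)
    return {
        "cui_assets": sorted(cui),
        "security_protection_assets": sorted(spa),
        "out_of_scope": sorted(set(assets) - cui - spa),
        "boundary_leaks": boundary_leaks(flows, assets),
    }


if __name__ == "__main__":
    for key, value in compute_scope().items():
        print(f"{key}: {value}")
```

On this constructed inventory the backup server and the lobby printer both come out as CUI assets and as boundary leaks: the flows that reach them have to be redirected into the enclave (or those assets brought inside the boundary) before the boundary document is finalised. Active Directory and the SIEM come out as Security Protection Assets even though they sit in the corporate zone, which is exactly why they cannot be left out of the SSP.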

Step 3: Implement Segmentation Controls

The boundary between the enclave and the rest of your network must be enforced by technical controls — not just policy. This means firewalls, VLANs, access control lists, and monitoring at every crossing point. Data Loss Prevention (DLP) tools can help detect CUI leaving the enclave boundary.
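A firewall rule set enforces the boundary, but Step 3 also calls for monitoring at every crossing point, and the "No boundary monitoring" mistake below is what assessors look for. The following added example (written for this guide, not any firewall vendor's code) replays constructed firewall log lines against a declared enclave address range and an explicit allowlist of permitted crossings. Traffic that stays entirely inside or entirely outside the enclave is ignored; a crossing the allowlist explains is expected; an ALLOWed crossing the allowlist does not explain is a rule gap in the segmentation; a DENYed one is a blocked attempt worth reviewing. The address plan, log format and allowlist are all assumptions invented for the example.

```python
"""Enclave boundary monitor (added example; addresses and logs are constructed).

Classifies each firewall log line as non-boundary, expected crossing,
rule gap (allowed but not on the allowlist) or blocked attempt (denied and
not on the allowlist).
"""
import ipaddress
import re

# Constructed address plan: the enclave is one /24 (assumption).
ENCLAVE = [ipaddress.ip_network("10.50.0.0/24")]

# Permitted boundary crossings as (src_cidr, dst_cidr, proto, dport).
ALLOWED_CROSSINGS = [
    ("10.50.0.0/24", "10.10.0.5/32", "tcp", 636),    # enclave -> corporate AD (LDAPS)
    ("10.50.0.0/24", "10.10.0.20/32", "udp", 514),   # enclave -> SIEM syslog
    ("10.10.0.50/32", "10.50.0.0/24", "tcp", 3389),  # jump box -> enclave RDP
]

# Constructed log lines in a simple key=value format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=ALLOW src=10.50.0.12 dst=10.10.0.5 proto=tcp dport=636
2024-05-01T10:00:02Z action=ALLOW src=10.50.0.12 dst=10.50.0.30 proto=tcp dport=445
2024-05-01T10:00:03Z action=ALLOW src=10.50.0.14 dst=10.10.0.20 proto=udp dport=514
2024-05-01T10:00:04Z action=ALLOW src=10.50.0.14 dst=10.10.0.77 proto=tcp dport=445
2024-05-01T10:00:05Z action=DENY src=10.50.0.12 dst=203.0.113.9 proto=tcp dport=443
2024-05-01T10:00:06Z action=ALLOW src=10.10.0.50 dst=10.50.0.12 proto=tcp dport=3389
2024-05-01T10:00:07Z action=ALLOW src=10.10.0.8 dst=10.10.0.9 proto=tcp dport=80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    fields = dict(item.split("=", 1) for item in match.group("kv").split())
    return {
        "ts": match.group("ts"),
        "action": fields["action"].upper(),
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "proto": fields["proto"].lower(),
        "dport": int(fields["dport"]),
    }


def in_enclave(addr):
    return any(addr in net for net in ENCLAVE)


def is_allowed_crossing(ev):
    """True if some allowlist entry covers this flow exactly."""
    for src_cidr, dst_cidr, proto, port in ALLOWED_CROSSINGS:
        if (ev["src"] in ipaddress.ip_network(src_cidr)
                and ev["dst"] in ipaddress.ip_network(dst_cidr)
                and ev["proto"] == proto and ev["dport"] == port):
            return True
    return False


def classify(ev):
    """None for traffic that does not cross the boundary, else a verdict."""
    crossing = in_enclave(ev["src"]) != in_enclave(ev["dst"])
    if not crossing:
        return None
    if is_allowed_crossing(ev):
        return "expected"
    return "rule-gap" if ev["action"] == "ALLOW" else "blocked-attempt"


def analyze(log_text=SAMPLE_LOG):
    """Return (verdict, timestamp, src, dst, dport) for every unexplained crossing."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict and verdict != "expected":
            findings.append((verdict, ev["ts"], str(ev["src"]), str(ev["dst"]), ev["dport"]))
    return findings


if __name__ == "__main__":
    for finding in analyze():
        print(*finding)
```

The "rule-gap" verdict is the one to treat as urgent: the firewall permitted an SMB connection from the enclave to a corporate host that no documented flow explains, which means the segmentation rules do not match the boundary document. Keeping the allowlist in the same file as the boundary document makes the two drift less, and the list itself is evidence you can show an assessor alongside the logs.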

Step 4: Harden the Enclave

Apply all 110 NIST 800-171 practices to the enclave environment: MFA, FIPS-validated encryption, logging and monitoring, endpoint detection, vulnerability scanning, and all the rest. This is where compliance software makes the biggest difference.

Step 5: Establish Operating Procedures

Write procedures for how users access the enclave, how data enters and leaves, how incidents are handled, and how changes are managed. These procedures become part of your SSP and will be reviewed during the assessment.


Common Enclave Mistakes

  1. CUI leaking outside the enclave. Users copy files to their local desktop, email CUI to personal accounts, or print to non-enclave printers. DLP and strict egress controls are essential.
  2. Forgetting supporting systems. Your DNS server, Active Directory, backup system, and SIEM are "in scope" if they support the enclave — even if they sit outside it. These are called Security Protection Assets (SPAs) and must also meet relevant CMMC practices.
  3. No boundary monitoring. Having a firewall isn't enough. You need active monitoring and alerting on all traffic crossing the enclave boundary. Assessors will ask to see your boundary monitoring logs.
  4. Treating email as outside the enclave. If users receive CUI via email (most do), then your email system is in scope. Either route CUI email through the enclave or use a separate email system for CUI communications.
  5. Inadequate documentation. Your System Security Plan must clearly describe the enclave boundary, all in-scope assets, data flows, and the controls protecting the boundary. Vague boundaries lead to assessment findings.

Is an Enclave Right for You?

An enclave makes sense if:

  • Fewer than half your employees regularly handle CUI
  • CUI processing can be separated from day-to-day business operations
  • You want to minimize the number of systems requiring full CMMC controls
  • Your budget is a primary constraint

A full-network approach might be better if:

  • Nearly all employees handle CUI daily
  • CUI is deeply integrated into business processes (e.g., every engineering workstation touches CUI)
  • You already have mature security practices across your network
  • The overhead of maintaining a separate enclave exceeds the cost of securing everything

FAQ

Does the DoD approve enclave approaches?

The DoD doesn't approve or reject enclave architectures directly. Your C3PAO assessor evaluates whether your scope definition and boundary controls are adequate. The enclave approach is explicitly recognized in CMMC guidance as a valid strategy.

How many users can an enclave support?

There's no technical limit. Cloud enclaves can support hundreds of users. The question is whether it's cost-effective — cloud enclave pricing is per-user, so at some point (usually around 100-200 users), a full-network approach becomes cheaper than per-user cloud fees.

Can I use a personal device to access the enclave?

It depends on the architecture. With virtual desktop enclaves, users can access from any device since CUI stays in the cloud — the local device never touches CUI. With on-premise enclaves, devices connecting directly need to meet CMMC requirements.

Affiliate Disclosure: Some links on this page are affiliate links. We may earn a commission if you purchase software through our links, at no additional cost to you.