- A well-built enclave isolates CUI into a defensible boundary, cutting CMMC scope by 60–70% and assessment cost by 20–45%.
- The architecture decision is the single most consequential choice you'll make in CMMC compliance, and most contractors get it wrong by making it implicitly.
- The Cyber AB defines an enclave across three dimensions: people, systems, and processes. Get any one wrong and the boundary collapses at assessment.
- Skip the enclave only if you're already running close to CMMC controls, or if CUI flows through nearly every business process.
- Skipping this decision routinely costs $150,000 to $300,000 on a certification that should have cost $50,000 to $130,000.
In one published case study, a 40-person Arizona machine shop cut their CMMC certification cost from $140,000 to $78,000 by moving the work that touches Controlled Unclassified Information into an enclave. That’s a 45% reduction. The architecture decision behind it is the single most important call most defense contractors will make in CMMC compliance, and most get it wrong by making it implicitly, or by not making it at all.1
An enclave isolates Controlled Unclassified Information (CUI) into a defined, defensible boundary. Only the systems inside that boundary get assessed. Everything outside it stays out of scope. That’s the single most effective lever for reducing the cost, complexity, and timeline of CMMC Level 2, and the single most common place that contractors lose the assessment when the boundary turns out to be wrong.
Why scope is the only lever that matters.
CMMC compliance cost scales linearly with scope. Every system inside the assessment boundary needs all 110 NIST SP 800-171 controls, full evidence, full documentation, and full assessor time. Halve the systems and you roughly halve the cost. There is no other variable in the equation that produces this leverage. Not tooling, not consultants, not timing, not negotiation with your C3PAO.
The DoD’s own rule recognises this. 32 CFR Part 170 explicitly acknowledges that different business segments or enclaves can be assessed at different CMMC levels, and notes that External Service Providers creating enclave services let contractors “enclave operations more easily.”2 The regulatory framework was built with the enclave model in mind. The question for most contractors is not whether to use it, but how to draw the boundary in a way an assessor will accept.
Reduction in technology costs across hundreds of small-business assessments using the enclave approach, while maintaining full compliance.
2026 cost analysis · IBSS Corp
The corollary is also true. Contractors who skip the scoping decision and treat their entire environment as in-scope routinely spend $150,000 to $300,000 on a certification that should have cost $50,000 to $130,000. That over-spend isn’t a failure of execution. It’s a failure of the architectural decision made before execution started.
What an enclave actually is, in three dimensions.
The Cyber AB defines an enclave as “a set of system resources that operate within the same security domain and that share the protection of a single, common, and continuous security perimeter.”3 The definition is regulatory. The reality is operational, and it lives across three dimensions every contractor needs to handle:
- People. The employees who actually work with CUI: engineers, program managers, the IT staff who administer the enclave systems. Everyone else stays outside. The mistake here is treating CUI access as a default permission rather than an explicit one.
- Systems. The workstations, servers, cloud services, and network gear that store, process, or transmit CUI, plus the security tools that protect them. The security tools are the part most contractors miss. Your SIEM, your endpoint protection console, your identity provider all sit inside the boundary, even though they don’t directly touch CUI.
- Processes. How CUI enters, how it moves around, how it exits. Not the policies on paper. The technical controls that enforce those policies. A policy that says “do not email CUI to external addresses” isn’t enforcement. A DLP rule that blocks the email is.
The C3PAO assessment evaluates everything inside that boundary against all 110 NIST SP 800-171 requirements. Everything outside is not assessed. The cleaner the boundary, the cleaner the assessment.
Enclave or full migration: the real question.
Most published guidance frames this as a percentage threshold. “If more than 60–70% of your users handle CUI, an enclave doesn’t make sense.” That heuristic isn’t wrong, but it misses the actual decision. The real question isn’t a ratio. It’s whether the people and systems outside the proposed enclave have a business reason to stay outside, and whether the operational cost of running two environments is justified by the savings.
Three questions to answer before you commit:
- Does the work outside the enclave benefit from looser controls? If your marketing team genuinely doesn’t need 15-character passwords and 15-minute screen locks to do their job, an enclave preserves their ability to work without enforcing CMMC controls on them. If your business already runs enterprise-grade controls everywhere, the savings shrink.
- Do you have the discipline to maintain a boundary? An enclave isn’t a one-time architectural decision. Every new SaaS adoption, every new hire, every contractor onboarding raises the question “does this touch CUI?” Without quarterly scope reviews, the boundary erodes.4 Most enclaves that fail at assessment failed at maintenance, not at design.
- What share of your revenue depends on DoD work? If defence contracts are 30% of your business, applying NIST 800-171 to the other 70% is over-engineering. If they’re 95%, the savings of an enclave start to evaporate, and full migration becomes the cleaner answer.
A growing camp argues the opposite: skip the enclave, do a full migration to GCC High, and apply a governance layer that enforces CMMC across the whole environment. The argument is that running two environments creates “architectural fragmentation that creates friction for years.”5 That position is fair on its merits, but it lands differently for a 200-person prime than for a 40-person sub. If most of your users don’t touch CUI, the friction of two environments is usually smaller than the cost and operational drag of full migration.
The contractors who should not build an enclave are the ones already running close to CMMC controls (mature ISO 27001 or SOC 2 environments where the delta is small), and the contractors whose CUI flows through every business process. For everyone else, which is most small and mid-sized contractors, the enclave is the right architecture.
How to build one that survives an assessor.
Building an enclave is a defined process. The architectural details vary by organisation, but the sequence is the same. Skip any of these steps and the enclave doesn’t survive its first C3PAO walkthrough.
- Map where CUI actually lives. Before you can isolate CUI, you need to know where it currently is. Trace the data flows: where it enters (prime contractor portals, email, file transfers), where it’s stored (file shares, databases, cloud drives), where it’s processed (workstations, applications), and where it exits (deliverables, subcontractor hand-offs). Most contractors discover that CUI touches far fewer systems than they assumed. A few discover it touches systems they didn’t realise.
- Define the boundary. Draw a clear line between systems that handle CUI and systems that don’t. The CMMC Scoping Guide defines five asset categories — CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialised Assets, and Out-of-Scope Assets — each with different documentation and assessment requirements.6 The goal is to maximise the number of assets in the last three categories and minimise the first two.
- Implement the boundary. Separation must be technically enforced, not just documented. Microsoft 365 Commercial does not meet CMMC requirements for CUI — it lacks FedRAMP authorisation and fails DFARS 252.204-7012 requirements.7 If your enclave handles CUI through email or file sharing, you need Microsoft 365 GCC High, AWS GovCloud, or Azure Government. GCC High licensing runs roughly 30% above commercial rates at the comparable G5 tier ($93/user/month), but you only need it for users inside the enclave.8 Everyone else stays on commercial.
- Document the boundary in your SSP. The System Security Plan describes what’s inside, what’s outside, why exclusions are justified, and how separation is enforced — including a system boundary diagram, a component inventory, external connections with data-flow directions, and implementation descriptions for all 110 controls as they apply to the enclave. The SSP is what the assessor follows. If it matches reality, the assessment runs smoothly. If it doesn’t, the assessment stalls within the first few hours.
- Test before the assessor arrives. Walk the enclave internally. Can a user outside the enclave reach CUI? Can CUI be emailed to a non-enclave address? Can an unmanaged device connect to enclave systems? Every gap you find now is a gap the assessor would have found, and finding it now costs you a remediation week, not a failed assessment.
What “enforced” actually means.
“Documented” boundaries fail. “Enforced” boundaries pass. The difference matters because assessors evaluate the boundary through three lenses: documentation, technical evidence, and staff interviews. All three must be consistent. A boundary that exists only on paper, described in the SSP but not configured in the systems, fails the second and third lenses simultaneously.9
Enforcement happens at five layers, each testable:
- Network layer. VLAN separation between enclave and corporate networks. Firewall rules that block traffic between the two except through documented, monitored chokepoints. No shared management plane between enclave and corporate firewalls.
- Identity layer. Separate tenant or separate identity domain. Sharing Active Directory or Entra ID across enclave and corporate users pulls the corporate identity infrastructure into scope — your AD becomes a Security Protection Asset, and your “isolated” enclave isn’t isolated. Most contractors don’t catch this until late in implementation.
- Data layer. DLP policies that prevent CUI export to non-enclave systems. Conditional access policies that block CUI access from unmanaged devices. Encryption-at-rest and encryption-in-transit configured to FIPS 140-3 standards.
- Endpoint layer. Managed devices only. No personal devices, no contractor-owned laptops, no shared workstations. Each endpoint inside the enclave is centrally managed, monitored, and patched on the same cadence.
- Audit layer. Separate logging pipeline tied to the enclave’s SIEM. Logs from enclave systems flow to a CUI-protected log repository, indexed against the 110 controls, retained for the full assessment look-back period.
Each layer has a test. Can someone outside the enclave reach the enclave’s logs? Can a non-enclave user authenticate to an enclave service? Can a managed device exfiltrate CUI to a personal cloud account? If any answer is “yes,” the boundary is documented but not enforced. The assessor will find what you didn’t.
C3PAOs evaluate boundaries through documentation (does the SSP describe it clearly?), technical evidence (can you demonstrate firewall rules, access controls, monitoring?), and interviews (do staff understand what can and can’t cross the boundary?). All three must pass. Documentation alone never satisfies a competent assessor.
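As an added example (not code from the original article), a small Python harness that runs the five layer tests above against a constructed configuration snapshot, and that also flags the half-implemented patterns the article describes under “Documentation without enforcement”: a permissive firewall rule sitting beside the chokepoint rule, a DLP policy left in monitor mode, a conditional-access exception. The snapshot and its field names are assumptions, not any firewall’s or tenant’s export format.

```python
from ipaddress import ip_network
SNAPSHOT = {  # constructed sample; field names are assumptions, not a vendor's export format
    "corporate_nets": ["10.10.0.0/16"],
    "enclave_nets": ["10.50.0.0/16"],
    "chokepoints": ["10.50.0.10/32"],  # the documented, monitored ingress hosts
    "firewall": [  # first-match rule order
        {"src": "10.10.0.0/16", "dst": "10.50.0.10/32", "action": "allow"},
        {"src": "10.10.0.0/16", "dst": "10.50.0.0/16", "action": "allow"},  # too broad
        {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "action": "deny"},
    ],
    "enclave_users": {"alice", "bob"},
    "cui_share_acl": {"alice", "bob", "carol"},  # carol is a corporate-only user
    "dlp_policies": [{"name": "block-cui-external-mail", "mode": "monitor"}],
    "conditional_access_exceptions": ["legacy-cad"],  # carve-outs from the managed-device rule
    "enclave_log_readers": {"soc-enclave", "corp-helpdesk"},
    "enclave_roles": {"soc-enclave"},
}

def _overlaps(cidr, nets):
    return any(ip_network(cidr).overlaps(ip_network(n)) for n in nets)

def network_findings(s):
    """Corporate-to-enclave allow rules may land only on documented chokepoints."""
    out = []
    for r in s["firewall"]:
        if (r["action"] == "allow" and _overlaps(r["src"], s["corporate_nets"])
                and _overlaps(r["dst"], s["enclave_nets"]) and r["dst"] not in s["chokepoints"]):
            out.append(f"network: allow {r['src']}->{r['dst']} bypasses the chokepoints")
    return out

def identity_findings(s):
    """Nobody outside the enclave user set may hold access to the CUI share."""
    return [f"identity: {u} is on the CUI share ACL but outside the enclave"
            for u in sorted(s["cui_share_acl"] - s["enclave_users"])]

def data_findings(s):
    """A DLP rule in monitor mode documents the boundary without enforcing it."""
    return [f"data: DLP policy {p['name']} is in {p['mode']} mode, not enforce"
            for p in s["dlp_policies"] if p["mode"] != "enforce"]

def endpoint_findings(s):
    """Managed devices only; every conditional-access carve-out is a gap."""
    return [f"endpoint: conditional access exception '{e}' admits unmanaged devices"
            for e in s["conditional_access_exceptions"]]

def audit_findings(s):
    """Only roles inside the enclave may read the enclave's log repository."""
    return [f"audit: {r} can read enclave logs from outside the enclave"
            for r in sorted(s["enclave_log_readers"] - s["enclave_roles"])]

def boundary_findings(s=SNAPSHOT):
    """Each finding is a place where the boundary is documented but not enforced."""
    return (network_findings(s) + identity_findings(s) + data_findings(s)
            + endpoint_findings(s) + audit_findings(s))
```

Run against a real export by mapping your firewall rules, share ACLs, DLP policy states and conditional-access exceptions into the same shape; an empty list from `boundary_findings` is the state the assessor’s three lenses expect to agree on.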
What it costs, what it saves.
Enclave costs vary based on user count, build-vs-buy, and which cloud environment you need. The cost question matters less than the savings question. For most contractors, the enclave’s value is what it removes from the certification budget, not what it adds.
Managed enclave services — turnkey solutions where a provider handles implementation, configuration, monitoring, and ongoing compliance — run $300–$400 per user per month for hosted secure enclaves, or $3,000–$4,000+ per month for fully managed environments with dedicated support.10 For a 15-user enclave, that’s roughly $4,500–$6,000 per month, or $54,000–$72,000 annually. Some managed providers include the C3PAO assessment in their pricing. A few offer pre-certified enclaves where the environment is already assessed and contractors join an existing certification scope.
Self-built enclaves are cheaper in licensing but heavier in expertise. Budget for cloud licensing (GCC High at $93/user/month for the all-inclusive G5 tier, or Business Premium at $60/user/month with the $24 CMMC compliance add-on)8, security tooling (SIEM, EDR, vulnerability scanning) at $10K–$50K/year, network segmentation infrastructure at $5K–$30K one-time, consulting support at $20K–$80K, and the C3PAO assessment at $30K–$50K for single-site small businesses. Total first-year self-built cost for a 15-user enclave: roughly $80,000–$150,000, dropping to $40,000–$70,000 per year for ongoing compliance.
A 15-user managed enclave at $54,000/year replaces a 200-user full-enterprise certification that would cost $200,000–$300,000 in the first year. The enclave’s value is the difference, not its sticker price.
Implementations that compress below six months show a 35% assessment failure rate, compared to 8% for normal 12–18 month timelines.11 The November 10, 2026 Phase 2 deadline is real, but compressing the implementation to meet it raises failure risk substantially. If you can’t credibly hit a six-month enclave build, the alternative isn’t faster — it’s accepting that certification arrives after the deadline and managing contract continuity in the meantime.
Where enclaves fail at first contact.
Enclaves don’t fail at the design stage. They fail at the assessment stage, when an assessor finds something the SSP didn’t describe. Four failure patterns recur across the published assessment record.
The boundary that doesn't survive interviews
The SSP says 10 people handle CUI. The assessor interviews staff. The 11th person says “yes, I look at those drawings every other Tuesday.” The boundary just expanded. Boundaries written in SSPs without verification against actual practice fail the assessment’s interview lens, and assessors verify boundaries through interviews specifically because they expect this gap.12 The fix isn’t writing better SSPs. It’s walking the people-flow before the assessor does.
Identity leakage
Users with accounts in both the enclave tenant and the corporate tenant sign into the wrong place with the wrong credentials. Worse: the same Active Directory or Entra ID tenant manages users in both environments, making the corporate identity infrastructure a Security Protection Asset that’s now in scope. Strict conditional access policies and separate sign-in surfaces prevent the mistake. Shared identity infrastructure pulls the entire corporate AD into the assessment, often catastrophically.
Shadow IT and the SaaS that wasn't in scope
A team adopts a new SaaS tool to collaborate. Someone uploads CUI to it. The tool was never in scope. The assessor finds it through file-share inspection or interview, and the boundary expands to cover the SaaS — which probably isn’t FedRAMP-authorised. The boundary doesn’t just expand; it breaks. Microsoft itself notes that the most common source of CUI spillage is personal storage, particularly email.13 Monthly SaaS inventory reviews tied to the CUI handling policy are how disciplined contractors catch this. Most contractors don’t run them.
Documentation without enforcement
The most common failure mode. The SSP describes a clean, well-segmented enclave. The actual environment has the segmentation half-implemented: VLANs configured but firewall rules permissive, DLP policies written but in monitor mode rather than enforce mode, conditional access defined but with exceptions for “legacy systems.” The gap between documented controls and operational controls is where assessments fall apart, and the most consistent finding across the assessor record is that contractors arrive with documentation that doesn’t match their environment.
What this means for your assessment.
A well-built enclave makes the C3PAO assessment faster, cheaper, and more likely to pass. Smaller scope means fewer assessor-days, which means a lower assessment fee. Cleaner evidence collection means you produce screenshots and configuration exports for 30 systems instead of 500. Focused interviews mean the assessor talks to 15 enclave users rather than a cross-section of your entire workforce — including people who have no idea what NIST SP 800-171 is.
But a poorly-built enclave makes the assessment worse than a full-enterprise approach would have been.
If the assessor finds CUI outside your enclave, the boundary expands automatically — and the rest of the assessment runs against the larger boundary. You’re not paying for an enclave assessment anymore; you’re paying for a full-enterprise assessment, often with three days of unplanned scope mid-engagement at full hourly rates. Some contractors fail at this exact moment. The assessor isn’t penalising you for trying. They’re following the regulation. CUI outside the documented boundary is automatically in scope, and the assessment continues.
The discipline that distinguishes successful enclaves from failed ones isn’t architectural sophistication. It’s a single named owner who treats the boundary as non-negotiable, with leadership backing to say no when an exception is requested. Without that, exceptions compound, the boundary blurs, and the next assessment finds CUI in places it shouldn’t be. The architecture is the visible part. The operational discipline is the part that actually determines whether the enclave survives.