The Defense Contractor's Guide to Secure Enclaves for CMMC
Everything you need to know about secure enclaves for CMMC.

The CMMC Final Rule (Cybersecurity Maturity Model Certification) is in place. So for Department of Defense (DoD) contractors across the Defense Industrial Base (DIB), the clock is ticking, and CMMC has moved from a future worry to a requirement.
But for many organizations it doesn’t make sense to bring your company-wide IT environment in line with NIST 800-171 and CMMC Level 2 standards if only a small part of the business handles Controlled Unclassified Information (CUI).
That’s where an enclave solution comes in. Instead of trying to secure your whole organization, you build a vault around the parts of the business that come into contact with CUI. This helps save time and money as you work towards CMMC compliance efforts.
Here’s what you need to know about how and when to build a secure enclave for CMMC 2.0.
What is a CMMC Secure Enclave?
A secure enclave is a segmented IT environment, often cloud-based, where all Controlled Unclassified Information (CUI) is stored, processed, and secured, with network segmentation providing the data-security boundary. It essentially isolates your CUI network from the rest of your company. Think of it like a house: instead of needing to ensure the whole home is locked down, you just need to ensure one room is secure and meets the CMMC Level 2 requirements.
An enclave can be both digital and physical, and it also governs what people within your company have access to. Only staff who need to access CUI as a crucial part of their job should be able to access the enclave, and physical access to where servers or CUI documents are stored also needs to be restricted to those who strictly need it.
Without a CUI enclave, your boundary is your entire company. Every device, every user, and every piece of software is in scope for the CMMC assessment process. That’s expensive. The goal with an enclave should be to make it as small as possible.
When you have an enclave in place, you essentially have two zones within your company network:
- The Red Zone: Your standard commercial network. This is where your marketing team emails vendors, your HR director manages payroll, and your sales team browses LinkedIn. It has standard security, lower costs, and open internet access.
- The Green Zone: The Enclave that meets CMMC Level 2 requirements. It has restricted access, multi-factor authentication, logging, endpoint security, and meets all NIST 800-171 requirements needed for CMMC Level 2.
The Core Concept: Scoping & Boundaries
The most critical step in CMMC compliance is defining your "compliance boundary." If you can say 'CUI comes in here, lives only in this VPC, and only one infrastructure person touches it,' you can really limit the scope.
Without an enclave, your boundary is your entire company. Every device, every user, and every piece of software is in scope for the assessment.
With an enclave, you create a hard, defensible perimeter around the data, not the people. The C3PAO assessor only looks at what’s inside the Green Zone. Everything outside of it is effectively invisible to the audit.
The Business Case for a CMMC Enclave
Bringing your entire company in line with CMMC compliance requirements can be very expensive and time consuming, especially for small and medium-sized defense contractors.
Even for enterprise businesses, it often doesn’t make sense to bring the whole company in line with CMMC standards. If you’re a 50-person machine shop and only three people handle CUI, ensuring the other 47 employees and their equipment meet CMMC requirements isn’t the best use of capital.
Here’s why it makes sense to implement a cost-effective CMMC enclave:
Cost Savings
Even at a small to medium-sized business, it can require 2-3 times the budget to bring the whole company in line with CMMC rather than building an enclave. Just the software costs alone can add up — there’s no need to buy 50 Microsoft 365 GCC High licenses if only five people need to use it and the other 45 are fine on Microsoft Commercial licenses.
For a detailed breakdown of these figures, check out our guide on CMMC certification costs.
Simplified Audits (And Clear Boundaries)
An enclave also means there’s a smaller compliance footprint that needs to be audited, meaning your audits are more straightforward too.
Bringing your entire company in line with CMMC Level 2 is a lot of work — and so is auditing it. When you build an enclave, it’s far easier to prove compliance because CUI is stored and processed in a specific place.
For the C3PAO assessing your business, it’s 10x simpler for them to audit a secure enclave than to try and ensure every single part of the business meets CMMC standards. If your scope is the entire building, they are interviewing your HR director and auditing the marketing team’s iPads.
Risk Reduction
Security isn't just about passing an audit; it's about data protection and enhancing overall cybersecurity. By isolating CUI, you minimize the potential for spillage onto less secure commercial systems. A smaller target is easier to defend, easier to patch, and easier to monitor.
An enclave also means only the employees who need to handle CUI have access to it, which again reduces risk. It also makes training those employees on how to handle CUI and the related protocols much easier.
Step-by-Step: How to Design and Build Your Enclave
Building a secure enclave sounds daunting, but when you break it down it’s fairly straightforward (though still a lot of work). Here’s how to get started:
Step 1: Define the Scope
Before you start planning the technical and implementation work, you first need to know where CUI lives on your systems and who (people and teams) has access to it. It’s very rare that everyone across your company will need access to CUI, and you should try to keep the boundary as small as possible.
The first thing to do is to map the flow of CUI:
- How does it arrive? (Email? SAFE portal? Physical mail?)
- Who touches it? (Engineers? QA? Billing?)
- Where does it rest? (File server? SharePoint?)
Then, once you know how your organization handles and interacts with CUI, you can decide what should be in scope for CMMC and what is out of scope.
Step 2: Build Your Boundary
Once mapped, it’s time to build your CMMC boundaries to ensure every system that touches CUI is within your secure enclave. Ensure the following access controls are in place:
- Identity Management: Strict Role-Based Access Control (RBAC).
- MFA: FIPS-validated Multi-Factor Authentication is non-negotiable.
You also need to ensure you have the right software in place. For example, Microsoft 365 Commercial doesn’t meet CMMC requirements, so you’ll need Microsoft GCC or GCC High licenses for anyone touching CUI — GCC High (or Azure Government for specific needs) is often the go-to as it supports the DFARS 7012 requirements.
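Steps 1 and 2 together amount to a small graph problem: the assets CUI can reach from its entry points are your minimum assessment boundary, and each of those assets then has to carry the access controls above. The script below is an added example, not code from the original article or from Workstreet, that does that calculation over a constructed sample inventory (the asset names, users, and flows are made up; the Asset fields are an assumed schema). It derives the scope from the mapped flows, flags any system CUI reaches that you have not declared as part of the enclave, and checks each in-scope system for MFA, RBAC, and logins by people who are not approved CUI handlers.

```python
"""Derive a CMMC enclave scope from a CUI data-flow map and check its controls.

Added example with constructed sample data; not a real environment or a
tool's real schema.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One system in the inventory (assumed schema for this example)."""
    name: str
    users: frozenset[str]   # accounts that can reach the system
    mfa: bool               # MFA enforced for every login
    rbac: bool              # access restricted by role rather than granted broadly


def derive_scope(entry_points, flows):
    """Return every asset CUI can reach from its entry points via the mapped flows.

    flows is an iterable of (source, destination) pairs meaning CUI moves from
    source to destination. A system is in scope if CUI can get to it, whether or
    not anyone intended that flow.
    """
    edges = defaultdict(set)
    for src, dst in flows:
        edges[src].add(dst)
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:                      # breadth-first walk of the flow graph
        node = queue.popleft()
        for nxt in edges[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def find_gaps(assets, declared_enclave, entry_points, flows, cui_handlers):
    """Compare the derived scope with the declared enclave and its controls.

    Returns findings grouped as: spillage (CUI reaches an undeclared system),
    then per in-scope asset its control gaps (no MFA, no RBAC) and access gaps
    (a login that is not an approved CUI handler). An empty list means the
    boundary holds.
    """
    scope = derive_scope(entry_points, flows)
    findings = []
    for leak in sorted(scope - declared_enclave):
        findings.append(f"spillage: CUI reaches {leak}, which is outside the declared enclave")
    for name in sorted(scope & declared_enclave):
        asset = assets[name]
        if not asset.mfa:
            findings.append(f"control gap: {name} has no MFA")
        if not asset.rbac:
            findings.append(f"control gap: {name} has no RBAC")
        for user in sorted(asset.users - cui_handlers):
            findings.append(f"access gap: {user} can reach {name} but is not an approved CUI handler")
    return findings


# Constructed sample inventory for a small shop (not a real environment).
CUI_HANDLERS = frozenset({"alice", "bob", "carol"})
ASSETS = {
    "safe-portal-download": Asset("safe-portal-download", frozenset({"alice"}), True, True),
    "cui-mailbox": Asset("cui-mailbox", frozenset({"alice", "bob"}), True, True),
    "cui-fileserver": Asset("cui-fileserver", frozenset({"alice", "bob", "carol", "dave"}), True, True),
    "engineering-workstations": Asset("engineering-workstations", frozenset({"bob", "carol"}), False, True),
    "commercial-sharepoint": Asset("commercial-sharepoint", frozenset({"everyone"}), True, False),
}
ENTRY_POINTS = {"safe-portal-download", "cui-mailbox"}   # where CUI arrives
FLOWS = [
    ("safe-portal-download", "cui-fileserver"),
    ("cui-mailbox", "cui-fileserver"),
    ("cui-fileserver", "engineering-workstations"),
    # An engineer syncing a drawing to the commercial SharePoint: the flow most maps miss.
    ("engineering-workstations", "commercial-sharepoint"),
]
DECLARED_ENCLAVE = {"safe-portal-download", "cui-mailbox", "cui-fileserver", "engineering-workstations"}


def sample_findings():
    """Run the check over the constructed sample data."""
    return find_gaps(ASSETS, DECLARED_ENCLAVE, ENTRY_POINTS, FLOWS, CUI_HANDLERS)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

On the sample data the script reports three findings: CUI reaches the commercial SharePoint outside the declared enclave, dave can log in to the file server without being an approved handler, and the engineering workstations lack MFA. Each is a decision for the scoping exercise: cut the flow or pull the system into the Green Zone, remove the account or add the person to the handler list, and fix the control before the mock audit.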
Step 3: Policies and Procedures
Technology is only half the battle. You need a System Security Plan (SSP) that specifically describes the enclave's boundaries. The SSP is the primary document assessors use to understand what’s in scope for your CMMC assessment and how you’ve implemented the required controls.
You’ll also need to produce and implement a number of policies and functions including:
- Risk Assessment Policy
- Access Control Policy
- Identification & Authentication Policy
- Incident Response Policy
- Audit & Accountability (Logging & Monitoring) Policy
Step 4: Mock Audit
Run a self-assessment against CMMC Level 2 requirements and the 110 controls of NIST 800-171. Running through this process will help you to identify any gaps in your compliance before you go through your official CMMC audit with a C3PAO.
It’s often helpful to work with a third-party Registered Practitioner Organization (RPO) like Workstreet for a gap analysis / self-assessment. As an outside party, an RPO can bring external credibility and help you to analyze your systems and ensure you're audit-ready.
How Workstreet Can Help
Scoping is one of the most important parts of CMMC. It helps you to understand what’s in scope for your audit and what’s not. Getting this wrong can be incredibly costly and time consuming.
As the only AI-powered RPO, Workstreet has helped numerous organizations to scope CMMC, implement enclaves and controls, and prepare for audits, including those with ITAR requirements. Whether it’s your first time prepping for CMMC or you’re an experienced defense contractor who knows NIST 800-171 inside out, CMMC is too important to tackle alone.
Ready to define your boundary? Speak with one of our Workstreet CMMC experts today and we can help ensure you meet the requirements for your DoD contracts.