Shared Responsibility

Clear ownership for business decisions, managed controls, and inherited platform services

Office Heroes CMMC Enclave is built around a defined shared-responsibility model.

That model matters because a controlled enclave depends on more than technology. It depends on clear ownership over user approvals, device approvals, data decisions, technical control operation, monitoring, backup, documentation, and inherited platform services.

This page explains what stays with your organization, what Office Heroes operates as part of the managed enclave service, and where Microsoft contributes inherited controls inside the GCC High platform.

A strong enclave requires clear ownership

Confusion about responsibility creates operational gaps.

If user approvals are unclear, access discipline breaks down. If technical control ownership is vague, monitoring and evidence workflows become inconsistent. If platform inheritance is overstated, organizations start assuming the cloud provider is covering responsibilities that still belong to the customer or the managed service provider.

The Office Heroes CMMC Enclave model is designed to avoid that confusion by making responsibility explicit.

YOUR ORGANIZATION

Your organization owns business approvals and business-impact decisions

Your organization remains responsible for the business and governance decisions that determine how regulated work is approved and performed.

You own:

  • approving which users are authorized for enclave access
  • approving which devices are authorized where applicable
  • data classification decisions
  • ownership of sites, data, and business workflows
  • external sharing decisions
  • decisions about where regulated work is permitted to occur within the approved model
  • business acceptance of operational impact and risk where applicable

Office Heroes can operate the managed controls, but Office Heroes does not replace your authority over business ownership, user approval, or data-handling decisions.

OFFICE HEROES

Office Heroes implements and operates the managed enclave controls

Office Heroes is responsible for implementing and operating the technical and operational parts of the managed enclave service within the defined service scope.

Office Heroes provides and operates:

  • the managed enclave technical control baseline
  • identity and access enforcement configuration
  • MFA and Conditional Access implementation
  • privileged access structure and administrative separation
  • monitoring and review workflows
  • logging and alert handling processes
  • backup-related controls within the service scope
  • onboarding, offboarding, privileged access, and access review procedures
  • evidence-oriented operational workflows
  • standardized documentation support tied to enclave operations

The Office Heroes role is to operate the managed control and evidence model consistently within the approved enclave design.

MICROSOFT

Microsoft provides inherited controls within its service boundaries

Microsoft contributes inherited platform controls through the Microsoft 365 GCC High environment and related Microsoft services used by the enclave.

That inheritance is important, but it is limited to Microsoft’s documented service boundaries.

Microsoft contributes inherited controls for areas such as:

  • physical datacenter protections
  • platform and service operations within Microsoft-managed boundaries
  • cloud service control infrastructure
  • documented compliance and assurance artifacts for the applicable services

Inherited controls support the enclave, but they do not replace customer approvals or Office Heroes operational responsibilities.

IMPORTANT CLARIFICATION

Microsoft licensing and inheritance do not make an organization compliant

A Microsoft 365 GCC High license is necessary for the standard product model, but licensing alone does not make an organization compliant.

Likewise, inherited platform controls do not eliminate the need for:

  • defined boundary decisions
  • approved users and devices
  • managed access control operations
  • documented procedures
  • monitoring and review workflows
  • evidence support
  • ongoing operational discipline

The enclave depends on the combination of platform capabilities, managed control operation, and customer governance decisions.


HOW THE MODEL WORKS IN PRACTICE

Three lanes of responsibility

You decide and approve

You decide who should have access, which devices are approved where applicable, what data is CUI, where business ownership sits, and what operational decisions are acceptable for your organization.

Office Heroes implements and operates

Office Heroes deploys and operates the managed enclave baseline, monitors the environment, runs the review workflows, maintains the operational documentation structure, and supports evidence readiness.

Microsoft provides inherited platform controls

Microsoft provides the GCC High platform and inherited controls within documented service boundaries, but does not take over customer governance or managed service operations.

COMMON EXAMPLES

Who owns what in typical enclave decisions

Example 1

Question: Who approves a new enclave user?
Answer:
Your organization approves the user. Office Heroes implements the access assignment through the managed process.

Example 2

Question: Who decides whether a device can handle local CUI?
Answer:
Your organization approves the business need and device use within the approved model. Office Heroes applies the technical controls and operating requirements for that design.

Example 3

Question: Who operates monitoring and review workflows?
Answer:
Office Heroes operates the managed workflows within the enclave service scope.

Example 4

Question: Who classifies the data?
Answer:
Your organization classifies the data and determines what is CUI.

Example 5

Question: Who provides physical security for Microsoft datacenters?
Answer:
Microsoft provides that within its documented service boundaries.

Example 6

Question: Who owns external sharing decisions?
Answer:
Your organization owns the business decision. Office Heroes can help enforce the approved technical restrictions inside the enclave model.

WHY CARE

Clear responsibility supports stronger operations and cleaner assessments

A clear shared-responsibility model helps buyers in three ways.

First, it reduces confusion during normal operations.

Second, it makes policy, procedure, and evidence workflows easier to maintain.

Third, it gives a more defensible explanation of who does what when a customer, prime, or assessor asks how the enclave is actually operated.

FINAL POSITION

The enclave works best when responsibility is explicit

Office Heroes CMMC Enclave is designed as a managed service with a clear division of responsibility.

Your organization owns the approvals and business decisions. Office Heroes operates the managed technical controls and evidence workflows. Microsoft contributes inherited controls within service boundaries.

That clarity is part of what makes the enclave more practical to run and easier to support over time.


NEXT STEP

Review the shared-responsibility model for your environment

We can walk through how user approvals, device approvals, technical controls, inherited platform services, and ongoing operations would be divided in your GCC High enclave design.
