Frequently Asked Questions

Common questions about Office Heroes CMMC Enclave

Office Heroes CMMC Enclave is a standardized managed enclave offering built inside a client-dedicated Microsoft 365 GCC High tenant.

These are the questions buyers most often ask about how the enclave works, what it includes, how scope is handled, and where responsibility sits.

FAQ

Office Heroes CMMC Enclave is a standardized managed enclave offering for defense contractors and similar regulated organizations that need a defined place to handle CUI inside a client-dedicated Microsoft 365 GCC High environment.

It is designed to create a controlled operating domain for regulated work rather than pull the customer’s entire business into one broad compliance boundary.

The standard model is built in your client-dedicated Microsoft 365 GCC High tenant.

Office Heroes does not position the enclave as a shared tenant service. The supported standard model is a single client-dedicated GCC High tenant with enclave segmentation.

For the standard Office Heroes CMMC Enclave model, yes.

The enclave is designed around a client-dedicated Microsoft 365 GCC High tenant because that is the supported platform foundation for the product.


No.

Microsoft licensing and platform inheritance do not, by themselves, make an organization compliant. Licensing determines feature availability. Compliance depends on implemented controls, documented procedures, managed operations, evidence, and ongoing governance.


The current official product baseline is Microsoft 365 G3 GCC High per enclave user.

That is the standard baseline position for the current Office Heroes CMMC Enclave model unless a later approved standard revision explicitly authorizes a different minimum.


It is one product with supported operating modes.

Office Heroes CMMC Enclave is not positioned as three different enclave products. It is one standardized managed offering with supported operating modes based on where CUI is permitted to be processed, stored, or transmitted.


The supported operating modes are:

  • AVD-Only
  • Local-CUI
  • Mixed Mode

The core product standard remains the same across all three. The selected mode changes where CUI is allowed to exist and which assets are brought into scope.


In AVD-Only mode, CUI is permitted only within enclave-authorized Azure Virtual Desktop sessions and approved enclave storage locations explicitly identified in the approved documentation.

This is the preferred mode when the goal is the smallest practical and most tightly controlled CUI boundary.


In Local-CUI mode, CUI is permitted on specifically approved, managed, and controlled local corporate endpoints that are brought into the enclave boundary.

This mode is used where business operations require local processing, storage, or transmission of CUI outside an AVD-only model.


In Mixed Mode, some approved users and devices access CUI only through enclave-authorized cloud desktops, while other specifically approved users and managed devices are authorized for local CUI handling.

This mode is used when one operating model is too restrictive for part of the business but unnecessary for everyone.


The base enclave includes the fixed managed baseline for identity, access control, monitoring, protection, backup-related controls within scope, administrative workflows, and documentation support tied to enclave operations.

That includes items such as:

  • Entra ID access control
  • MFA and Conditional Access enforcement
  • privileged access structure
  • logging and monitoring
  • alert review workflows
  • endpoint protection
  • DNS-layer protection
  • onboarding, offboarding, and access review procedure support
  • documentation and evidence-oriented operating structure

The enclave is not a generic promise to take over all customer governance, classify all data automatically, or make every business system part of the managed scope.

Your organization still owns business approvals, data classification, site and workflow ownership, external sharing decisions, and business-impact decisions related to how regulated work is performed.

The enclave model is meant to create a defined place for regulated work.

That can provide:

  • a clearer CUI boundary
  • fewer unnecessary users and systems in scope
  • more disciplined control operation
  • stronger documentation and evidence workflows
  • a more practical operating model for small defense contractors inside GCC High

The standard model always includes the enclave identity and control plane, approved enclave users, approved enclave desktop platform, approved enclave storage locations, security tooling that protects enclave components, and documented approved external connections tied to enclave operations.

If something processes CUI directly or provides security protection for enclave components, it belongs in scope.

Ordinary business systems, users, devices, collaboration spaces, and unmanaged local storage that do not process, store, transmit, or protect CUI remain outside the enclave unless they are later approved and documented into scope.

The goal is to avoid dragging the entire business into one undifferentiated control boundary.

Yes, depending on the operating mode and how they are used.

In an AVD-Only design, endpoints used only to access approved cloud desktop sessions may remain outside the core CUI processing boundary if they do not process, store, or transmit CUI locally and do not provide security protection for enclave components.

If endpoints handle CUI locally, they move into scope.

Yes, but only when the approved design authorizes CUI to exist in those workloads and the documentation explicitly identifies them as approved enclave locations.

They are not assumed in scope automatically just because the tenant contains them.

Your organization approves users and devices.

Office Heroes implements and operates the managed technical controls and workflows used to grant, review, adjust, and revoke access within the approved enclave model.

Office Heroes operates the managed technical control baseline within service scope, including access enforcement configuration, monitoring and review workflows, administrative procedures, evidence-oriented operating processes, and related documentation support tied to enclave operations.

Microsoft provides the GCC High platform and inherited controls within Microsoft’s documented service boundaries.

That inherited control position is important, but it does not replace customer governance or Office Heroes managed service responsibilities.

No.

Office Heroes CMMC Enclave is designed to support secure, controlled, and assessment-ready operations. Final assessment outcomes depend on the assessed scope, implemented controls, documented evidence, operating discipline, and assessor review.

No.

The product is intentionally based on a boundary model. It is meant to create a defined place for regulated work, not to force every ordinary business process, user, and system into one broad enclave boundary.

Not as the standard enclave model.

A single GCC High tenant without defined enclave segmentation falls outside the supported standard Office Heroes CMMC Enclave model.

Not as a standard product model.

Multi-tenant architecture is outside the standard offering and would require separate non-standard engineering treatment, separate review, and separate documentation.

The primary buyer is a small defense contractor, DoD subcontractor, or similar compliance-driven organization that needs a practical GCC High enclave for CUI without building a fully custom enterprise-wide environment from scratch.

Office Heroes CMMC Enclave is not a shared Office Heroes tenant service.

The supported standard model is a single client-dedicated Microsoft 365 GCC High tenant with enclave segmentation. That means your enclave is built in your environment, with a defined boundary for the users, identities, workloads, storage locations, administrative functions, and security controls that are approved for regulated work.

This model is intended to create a more supportable operating structure for CUI handling inside your own tenant.

NEXT STEP

Still have questions about fit, scope, or operating mode?

We can walk through your current environment, CUI handling needs, GCC High position, and likely operating mode to determine whether the standard Office Heroes CMMC Enclave model fits your business.
