Supported Operating Modes
One product. Three supported operating modes.
Office Heroes CMMC Enclave is one standardized managed offering with supported operating modes based on where CUI is permitted to be processed, stored, or transmitted.
The core product standard stays the same. The selected mode determines where CUI is allowed to exist, which assets are in scope, which users and devices are authorized for regulated work, and which implementation details apply to that deployment.
The modes are not separate products
Office Heroes CMMC Enclave is not three different enclave products.
It is one managed enclave standard with a fixed core baseline for identity, access control, monitoring, documentation, review workflows, shared responsibility, and evidence support.
The operating mode changes how that fixed standard is applied to your environment.
- The enclave standard stays fixed
- The operating mode determines where CUI is allowed to exist
- The deployment documentation reflects the selected mode
AVD-Only
In AVD-Only mode, CUI is permitted only within enclave-authorized Azure Virtual Desktop sessions and any enclave-authorized supporting storage locations explicitly identified in the approved enclave documentation.
Local endpoint devices used to reach the enclave are access devices only: they are not authorized to process, store, or transmit CUI outside the approved remote access path unless a specific device is separately approved and documented as an exception.
This is the preferred model when your goal is the most tightly controlled and clearly bounded CUI environment.
Best fit for
- Organizations that want the smallest practical CUI boundary
- Teams that can perform regulated work entirely through cloud desktops
- Buyers that want the cleanest separation between ordinary business systems and CUI handling
What this mode emphasizes
- CUI stays in approved cloud desktop and storage locations
- Local device handling of CUI is restricted
- Scope is easier to define and explain
- Administrative and evidence models stay more contained
Considerations
- Users must be able to work effectively through the approved cloud desktop path
- The remote access path must be configured so session content cannot land on the local device (clipboard, drive, and printer redirection restricted), or the boundary is only nominal
- Business processes that rely on local device handling of CUI usually need redesign or a different mode
Local-CUI
In Local-CUI mode, CUI is permitted on specifically approved, managed, and controlled local corporate endpoints identified as enclave-authorized CUI devices.
Those endpoints are brought into the enclave boundary and are subject to the full set of endpoint control, protection, monitoring, and evidence requirements defined by the enclave standard.
This mode is used where business operations require local processing, storage, or transmission of CUI outside an AVD-only model.
Best fit for
- Organizations with business processes that require local device interaction with CUI
- Teams using software, peripherals, workflows, or field operations that cannot be limited to cloud desktop sessions
- Environments where approved local CUI endpoints are operationally necessary
What this mode emphasizes
- Approved local endpoints become part of the enclave boundary
- Endpoint control requirements become more important
- Device authorization and management discipline are critical
- Local handling rules must be documented clearly
Considerations
- More assets can move into scope
- Endpoint protection, monitoring, and evidence handling become more involved
- Clear device authorization and documentation are required
Mixed Mode
In Mixed Mode, the enclave supports both AVD-only CUI access and local-CUI endpoint access.
Some approved users and devices may access CUI only through enclave-authorized cloud desktops, while other specifically approved users and managed devices may process, store, or transmit CUI locally where business operations require it.
This mode is used when an AVD-only design is too restrictive for part of the business, but extending local CUI handling to everyone would expand scope without need.
Best fit for
- Organizations with multiple work patterns across departments or roles
- Environments where some users can stay fully cloud-based while others need approved local CUI handling
- Companies that want to keep local CUI access limited to a smaller approved population
What this mode emphasizes
- Different user and device populations must be distinguished clearly
- AVD-only and local-CUI groups must be documented separately
- Policy assignments, asset inventories, and scope records must stay precise
- The boundary remains controlled, but the implementation is more segmented
Considerations
- Documentation discipline matters more
- User populations and device populations must be separated clearly
- Scope management is more nuanced than in a pure AVD-only design
How the modes compare
| Category | AVD-Only | Local-CUI | Mixed Mode |
|---|---|---|---|
| Where CUI is allowed | Approved cloud desktops and approved enclave storage locations | Approved managed local endpoints and approved enclave locations | Approved cloud desktop locations for some users and approved local endpoints for others |
| Local device handling | Restricted | Authorized on approved in-scope endpoints | Authorized only for the approved local-CUI population |
| Boundary simplicity | Highest | Moderate | Moderate to more complex depending on the user mix |
| Endpoint scope impact | Lower | Higher | Variable by approved endpoint population |
| Best general use case | Tightest possible CUI boundary | Local CUI handling is operationally required | Different teams need different approved operating paths |
Which mode is right for your business
The right operating mode depends on how your users actually work, where regulated data needs to exist, what systems and devices have to touch CUI, and how tightly you want to contain the enclave boundary.
Choose AVD-Only when
You want the smallest practical CUI boundary and your regulated work can stay inside approved cloud desktop sessions.
Choose Local-CUI when
Your business requires local processing, storage, or transmission of CUI on specifically approved, managed endpoints.
Choose Mixed Mode when
Some users can operate fully through cloud desktops, but other approved users and devices need controlled local CUI handling.
The selected mode must be documented clearly
Each deployment must be assigned one operating mode: AVD-Only, Local-CUI, or Mixed Mode.
That designation should be reflected consistently in the enclave documentation set, including:
- the system security plan
- the enclave boundary statement
- architecture documentation
- asset inventory
- access control records
- client-specific implementation details
When the selected mode is documented clearly, the enclave is easier to operate, easier to explain, and easier to support over time.
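The scope records above (one declared mode, separate user and device populations, asset inventory, access control records) lend themselves to a mechanical consistency check. The following Python script is an added illustration for this page and for the Mixed Mode section, not Office Heroes code; it assumes a hypothetical inventory schema (users with an `access_path` of `avd` or `local`, devices with `managed` and `cui_authorized` flags) and constructed sample records. It flags the kinds of drift that undermine a boundary statement: a CUI-authorized endpoint in an AVD-Only deployment, an unmanaged CUI device, a device issued to an AVD-only user, or a local-CUI approval with no authorized device behind it.

```python
from dataclasses import dataclass

# Operating modes as named on the page; the inventory schema below is assumed.
AVD_ONLY = "AVD-Only"
LOCAL_CUI = "Local-CUI"
MIXED = "Mixed Mode"
VALID_MODES = (AVD_ONLY, LOCAL_CUI, MIXED)
ACCESS_PATHS = ("avd", "local")


@dataclass(frozen=True)
class User:
    user_id: str
    access_path: str  # "avd": cloud desktops only; "local": approved local CUI handling


@dataclass(frozen=True)
class Device:
    device_id: str
    assigned_to: str  # user_id the endpoint is issued to
    managed: bool  # under enclave endpoint management
    cui_authorized: bool  # listed as an enclave-authorized CUI device


@dataclass(frozen=True)
class Deployment:
    mode: str
    users: tuple
    devices: tuple


def check_scope(dep):
    """Return a list of inconsistencies; an empty list means the records agree."""
    findings = []
    if dep.mode not in VALID_MODES:
        return [f"deployment mode {dep.mode!r} is not one of {VALID_MODES}"]

    users = {u.user_id: u for u in dep.users}
    for u in dep.users:
        if u.access_path not in ACCESS_PATHS:
            findings.append(f"user {u.user_id}: unknown access path {u.access_path!r}")
    local_users = {u.user_id for u in dep.users if u.access_path == "local"}
    avd_users = {u.user_id for u in dep.users if u.access_path == "avd"}
    cui_devices = [d for d in dep.devices if d.cui_authorized]

    # Mode-level rules: the declared mode bounds which populations may exist.
    if dep.mode == AVD_ONLY:
        for uid in sorted(local_users):
            findings.append(f"AVD-Only mode but user {uid} is recorded as a local-CUI user")
        for d in cui_devices:
            findings.append(f"AVD-Only mode but device {d.device_id} is marked CUI-authorized")
    if dep.mode == LOCAL_CUI and not local_users:
        findings.append("Local-CUI mode but no local-CUI users are recorded")
    if dep.mode == MIXED and not (local_users and avd_users):
        findings.append("Mixed Mode but only one access population is recorded")

    # Device-level rules: every CUI-authorized endpoint must be managed and
    # issued to a user who is approved for local CUI handling.
    for d in cui_devices:
        if not d.managed:
            findings.append(f"device {d.device_id} is CUI-authorized but not managed")
        owner = users.get(d.assigned_to)
        if owner is None:
            findings.append(f"device {d.device_id} is assigned to unknown user {d.assigned_to}")
        elif owner.access_path != "local":
            findings.append(
                f"device {d.device_id} is CUI-authorized but its user {owner.user_id} is AVD-only"
            )

    # Population rule: a local-CUI approval with no authorized endpoint is dangling.
    users_with_cui_device = {d.assigned_to for d in cui_devices}
    for uid in sorted(local_users - users_with_cui_device):
        findings.append(f"user {uid} is approved for local CUI but has no CUI-authorized device")
    return findings


# Constructed sample records for illustration (not real client data).
MIXED_OK = Deployment(
    mode=MIXED,
    users=(User("alice", "avd"), User("bob", "local")),
    devices=(
        Device("LT-0001", "alice", managed=True, cui_authorized=False),
        Device("LT-0002", "bob", managed=True, cui_authorized=True),
    ),
)

AVD_ONLY_BROKEN = Deployment(
    mode=AVD_ONLY,
    users=(User("alice", "avd"), User("carol", "avd")),
    devices=(
        Device("LT-0001", "alice", managed=True, cui_authorized=False),
        # An unmanaged CUI-authorized laptop in an AVD-Only deployment: three findings.
        Device("LT-0003", "carol", managed=False, cui_authorized=True),
    ),
)

if __name__ == "__main__":
    for name, dep in (("mixed", MIXED_OK), ("avd-only", AVD_ONLY_BROKEN)):
        result = check_scope(dep)
        print(f"{name}: {'consistent' if not result else 'INCONSISTENT'}")
        for line in result:
            print("  -", line)
```

Run against the real inventory export whenever users, devices, or the declared mode change; a non-empty result means the system security plan, boundary statement, and asset inventory no longer tell the same story and the records need reconciling before the next review.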
Start with the mode that matches reality
The best enclave design is the one that matches how your business actually handles regulated work.
Trying to force an AVD-only model where local CUI handling is truly required creates friction. Allowing unnecessary local CUI handling where cloud desktop access would work expands scope without clear benefit.
The goal is to choose the most controlled model that still supports the business.
Determine which operating mode fits your environment
We can help you evaluate whether AVD-Only, Local-CUI, or Mixed Mode is the right design based on your users, workflows, endpoint needs, and desired CUI boundary.