Most small defense contractors do not need to make their entire company network CMMC Level 2 compliant.
What they need is a clear, defensible way to control where Controlled Unclassified Information, or CUI, is processed, stored, and transmitted.
That is where a CMMC enclave can help.
A CMMC enclave is a defined environment for the users, devices, systems, and workflows that handle CUI. If your CUI can be isolated, an enclave may reduce the number of users, systems, and processes that fall into your CMMC assessment scope.
But an enclave is not the right answer for every contractor.
The real question is not, “Do we need GCC High?” or “Do we need a new Microsoft tenant?”
The better question is:
Where does CUI live, who touches it, and can it be separated from the rest of the business?
If the answer is clear, an enclave may be the most practical path. If CUI is spread across the whole company, a full-environment approach may be more realistic.
Short Answer: Do You Need a CMMC Enclave?
You may need a CMMC enclave if:
- Only some of your users handle CUI
- CUI is tied to specific contracts, projects, or workflows
- You want to reduce the number of systems included in CMMC scope
- Your standard business environment does not need to handle CUI
- You want a more manageable path to CMMC Level 2 readiness
You may not need an enclave if:
- Almost every employee handles CUI
- CUI is already spread across your full environment
- Your systems are too interconnected to separate cleanly
- Your company is so small that maintaining two environments creates more complexity than it solves
- A customer, prime contractor, or contract requirement forces a broader scope
For many small defense contractors, the best next step is not choosing the technology first. It is defining the scope first.
That is why Office Heroes usually recommends starting with a Compliance Readiness Baseline before committing to an enclave build or a full-environment compliance project.
What a CMMC Enclave Actually Does
A CMMC enclave creates a defined place for CUI work.
Instead of allowing CUI to move through normal email, file shares, unmanaged laptops, personal devices, and general business systems, the enclave gives your organization a controlled environment for regulated work.
A typical enclave may include:
- A dedicated Microsoft 365 GCC High environment
- Controlled user access
- Managed devices or virtual desktops
- Defined CUI storage locations
- Security logging and monitoring
- Policies and procedures for how CUI is handled
- Documentation that explains what is in scope and what is not
The goal is not just to buy new tools.
The goal is to create a clear boundary.
That boundary helps answer questions like:
- Which users handle CUI?
- Which systems process, store, or transmit CUI?
- Which devices are allowed to access the CUI environment?
- Which security tools protect the CUI environment?
- Which systems are outside the CMMC assessment scope?
- How do we prove that separation is actually working?
A good enclave makes those answers easier to explain, document, and defend.
Why CMMC Scope Matters More Than Technology
A lot of contractors start with the wrong question.
They ask:
- “Do we need GCC High?”
- “Do we need an enclave?”
- “Do we need virtual desktops?”
- “Do we need to replace every computer?”
Those are important questions, but they come after the scoping question.
For CMMC Level 2, scope starts with the assets that process, store, or transmit CUI.
In plain English:
- If a system handles CUI, it is likely in scope.
- If a user handles CUI, their access and workflow matter.
- If a tool protects the CUI environment, it may also be in scope.
- If a system cannot handle CUI and does not protect CUI systems, it may be out of scope.
- If a system could handle CUI but is controlled by policy and process, it may need to be documented carefully.
CMMC Level 2 scoping guidance separates assets into categories such as CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. That matters because not every system in the company is treated the same way.
A system that processes, stores, or transmits CUI is different from a normal business system that never touches CUI. A firewall, logging tool, or identity system that protects the CUI environment may also matter, even if it does not store CUI itself.
This is why scope can change the entire cost and complexity of a CMMC project.
If CUI is everywhere, then the assessment scope may include almost everything.
If CUI is limited to a defined environment, the assessment scope may be smaller and easier to manage.
That is the business case for an enclave.
Not cheaper technology.
Not checkbox compliance.
A smaller, clearer, more defensible CMMC scope.
When a CMMC Enclave Is Usually the Right Fit
A CMMC enclave is often a good fit when CUI only touches part of the business.
You Have a Limited Number of CUI Users
This is the most common scenario.
For example, a 40-person defense contractor may only have 8 people who actually need access to CUI. The rest of the company works on accounting, sales, operations, HR, scheduling, and non-CUI business activity.
In that case, it may not make sense to bring all 40 users into the CMMC environment.
An enclave may allow the contractor to focus CMMC controls around the 8 users and the systems they use for CUI.
That does not eliminate responsibility. But it can make the project more manageable.
Your CUI Is Tied to Specific Contracts or Workflows
An enclave works best when CUI has a predictable path.
For example:
- Engineering drawings for a specific DoD contract
- Technical files shared by a prime contractor
- Controlled project documentation
- Manufacturing specifications
- Contract deliverables
- CUI-related communication with a defined team
If those files and workflows can be moved into a controlled environment, an enclave can create a cleaner separation between regulated work and normal business activity.
You Want to Reduce Disruption
A full-environment CMMC approach can affect every user, device, application, and workflow.
That may be necessary for some companies.
But for many small contractors, it creates unnecessary disruption.
An enclave can help avoid turning the entire business into a compliance project. Instead of changing how everyone works, you focus on the people and systems that actually touch CUI.
That can reduce:
- User disruption
- Documentation burden
- Device replacement
- Security configuration work
- Ongoing management complexity
- Assessment preparation time
You Need a Clearer Story for an Assessor
CMMC is not just about having tools in place. You need to explain how your environment works.
A well-designed enclave helps you tell a clearer story:
- Here is where CUI enters.
- Here is where CUI is stored.
- Here is who can access it.
- Here is how access is controlled.
- Here is how the environment is monitored.
- Here is what is outside the boundary.
- Here is why those outside systems cannot process, store, or transmit CUI.
That clarity matters.
If your scope is vague, your project becomes harder to manage and harder to assess.
When a Full Environment May Be the Better Choice
A CMMC enclave is not always the right answer.
Sometimes trying to isolate CUI creates more problems than it solves.
Almost Everyone Handles CUI
If nearly every employee works with CUI, there may not be much value in creating a separate enclave.
For example, if a 12-person company has 10 people regularly accessing CUI, separating two people from the CUI environment may not reduce much scope.
In that case, a broader environment approach may be simpler.
CUI Is Spread Across Too Many Systems
An enclave depends on separation.
If CUI already exists in many places, such as:
- Local desktops
- Personal folders
- Shared drives
- Email archives
- Teams chats
- Legacy applications
- File transfer tools
- Engineering systems
- Manufacturing systems
then the first problem is not building an enclave.
The first problem is understanding and cleaning up CUI sprawl.
If you do not know where CUI is, you cannot draw a defensible boundary around it.
Your Systems Cannot Be Separated Cleanly
Some environments are too interconnected for a simple enclave.
For example:
- CUI flows through an ERP system
- Engineering tools are tied to local servers
- Manufacturing systems need direct access to controlled files
- Users must move data between multiple systems to do their jobs
- Legacy applications cannot support modern access controls
An enclave may still be possible, but it will require more planning.
In some cases, securing the broader environment may be more realistic than trying to force separation.
The Enclave Would Create Operational Problems
A badly designed enclave can frustrate users and cause workarounds.
That is dangerous.
If users feel the enclave slows them down too much, they may start moving files back into normal email, local folders, or unmanaged systems.
That defeats the purpose.
The right approach must balance compliance, security, and daily operations.
The CUI Questions That Decide the Answer
Before deciding between an enclave and a full-environment approach, answer these questions.
1. Where does CUI enter the business?
Examples:
- Prime contractor portals
- Email attachments
- Secure file transfer
- Customer systems
- Engineering platforms
- Contract documents
- Government-furnished information
If you do not know where CUI enters, you cannot control where it goes.
2. Where is CUI stored?
Examples:
- Microsoft 365
- SharePoint
- OneDrive
- Teams
- Local file servers
- Engineering systems
- Laptops
- External drives
- Email inboxes
- Backup systems
Storage locations are often where scope expands.
If CUI is stored in many places, the environment becomes harder to control.
3. Who needs access to CUI?
Not everyone needs access.
You should identify:
- Users who need regular CUI access
- Users who need occasional access
- Administrators who support the environment
- External partners or service providers
- Users who do not need access at all
This helps determine whether a limited enclave is practical.
4. What systems protect the CUI environment?
Security tools may also matter for scope.
Examples include:
- Identity management
- Endpoint protection
- Logging and monitoring
- SIEM tools
- Backup systems
- Firewalls
- VPNs
- Vulnerability management tools
- Managed service provider systems
If a system protects CUI assets, it may need to be documented and managed as part of the CMMC scope.
5. Can non-CUI systems be kept out of scope?
To keep systems out of scope, you need to show they cannot process, store, or transmit CUI and do not provide security protections for CUI assets.
That usually requires some combination of:
- Technical separation
- Access controls
- Data handling rules
- User training
- Policies and procedures
- Monitoring
- Documentation
This is where many companies underestimate the work.
Out of scope does not mean “we hope users do not put CUI there.”
It means the environment is designed and operated so CUI does not belong there.
Enclave vs Full Environment: Quick Decision Table
| Situation | Enclave May Fit | Full Environment May Fit |
|---|---|---|
| Only some users handle CUI | Yes | Maybe |
| Almost everyone handles CUI | Maybe | Yes |
| CUI is limited to specific workflows | Yes | Maybe |
| CUI is spread across many systems | Maybe, after cleanup | Yes |
| You need to reduce disruption | Yes | Maybe |
| Systems are tightly integrated | Maybe | Yes |
| You need a fast, focused path | Yes | Maybe |
| You cannot clearly separate CUI | No | Yes |
| You are already moving to GCC High | Yes | Maybe |
| You have complex manufacturing or engineering systems | Maybe | Maybe |
The best choice depends on scope, not company size alone.
A 10-person company can need a full-environment approach.
A 100-person company can sometimes use a focused enclave.
The deciding factor is how CUI moves through the business.
Common CMMC Enclave Models
There is not one universal enclave design.
Most small contractors end up using one of three models.
Option 1: Virtual Desktop Enclave
In this model, users access CUI through a controlled virtual desktop environment.
This can be a strong fit when you want a clean boundary between the user’s normal workstation and the CUI environment.
A virtual desktop approach can help limit where CUI is processed and stored.
Best fit:
- Smaller CUI user groups
- Users who can work inside a controlled desktop
- Companies that want a tighter boundary
- Teams that need to reduce local device complexity
Potential downside:
- Less flexible for some users
- May require workflow changes
- Performance and usability need to be planned carefully
Option 2: Controlled Device Enclave
In this model, users work from managed laptops or desktops that are configured for CUI access.
This can feel more natural for users, but it often requires more endpoint management and documentation.
Best fit:
- Users who need local applications
- Teams with more complex workflows
- Companies that can manage devices tightly
- Environments where virtual desktop alone does not work
Potential downside:
- More endpoint scope
- More configuration work
- More risk of CUI spreading if controls are weak
Option 3: Hybrid Enclave
A hybrid model combines virtual desktops, managed devices, GCC High, and controlled workflows.
This is common when a company has different types of CUI users.
For example:
- Some users only need email and files
- Some users need engineering tools
- Some users need controlled local devices
- Some users need occasional access
Best fit:
- Mixed teams
- Complex workflows
- Contractors with different user groups
- Environments where one model does not fit everyone
Potential downside:
- More planning required
- More documentation required
- More ongoing management required
The right model should match how your company actually works.
A design that looks good on paper but frustrates users will not hold up over time.
For more detail, see Office Heroes CMMC Enclave Modes: AVD-Only, Local-CUI, and Mixed Mode.
Do You Need GCC High for a CMMC Enclave?
Often, yes.
For many defense contractors, Microsoft 365 GCC High is a common foundation for handling CUI because it is designed for government and defense contractor requirements.
But GCC High by itself is not CMMC compliance.
GCC High does not automatically give you:
- A complete CMMC scope
- Finished policies and procedures
- A complete System Security Plan
- User training
- Evidence collection
- Device compliance
- Secure workflows
- Proper access reviews
- Assessment readiness
Think of GCC High as part of the foundation.
You still need the operating model around it.
That includes:
- Who can access CUI
- Which devices are allowed
- How CUI is stored
- How sharing is controlled
- How activity is monitored
- How incidents are handled
- How evidence is collected
- How responsibilities are documented
If you are already considering GCC High, it is a good time to ask whether a managed CMMC enclave would give you a cleaner path than trying to retrofit your entire environment.
Real-World Example: 25-User Defense Contractor
Here is a simplified example.
A 25-user defense contractor supports DoD-related work, but only 7 users regularly handle CUI.
Before scoping, CUI was moving through:
- Local desktops
- Shared folders
- Project files
- A few unmanaged workflows
If the company tried to make everything CMMC-ready, all 25 users, many devices, and multiple business systems would likely need to be addressed.
Instead, the company first mapped where CUI actually entered, where it needed to live, and which users truly needed access.
The result was a smaller controlled environment:
- 7 CUI users
- Dedicated CUI storage
- Controlled access
- Managed devices or controlled desktop access
- Clear rules for keeping CUI out of normal business systems
- Documentation for the boundary and operating model
The remaining users stayed focused on normal business operations and did not need access to the CUI environment.
That is the kind of scenario where an enclave can make CMMC more manageable.
The key was not the tool selection.
The key was scope clarity.
What Can Go Wrong With a Bad Enclave Strategy
A CMMC enclave can reduce complexity, but only if it is designed correctly.
Here are the common mistakes.
Mistake 1: Treating GCC High as the whole solution
GCC High is not a complete CMMC program.
You still need configuration, documentation, process, monitoring, evidence, and ongoing management.
Mistake 2: Letting CUI leak back into normal workflows
If users download CUI to local desktops, forward it to standard email, or save it in normal file shares, the boundary breaks.
The enclave only works if people use it correctly.
Mistake 3: Ignoring security tools and administrators
Some systems do not store CUI but still protect the CUI environment.
Those tools, administrators, and service providers may still matter for scope.
Mistake 4: Drawing the boundary before understanding the business
A boundary that does not match how people work will fail.
Start with the workflow. Then design the environment.
Mistake 5: Skipping documentation
If you cannot explain the boundary, it will be hard to defend.
You need documentation that shows:
- What is in scope
- What is out of scope
- How CUI is controlled
- How users are trained
- How systems are managed
- How evidence is collected
- How responsibilities are divided
Mistake 6: Making the enclave too restrictive
If the enclave is painful to use, users will find workarounds.
Good design reduces risk without making daily work impossible.
A Practical CMMC Enclave Decision Checklist
Use this checklist before choosing an enclave or full-environment approach.
CUI Scope
- Do we know where CUI enters the business?
- Do we know where CUI is stored today?
- Do we know which users need CUI access?
- Do we know which systems process, store, or transmit CUI?
- Do we know whether CUI exists in email, Teams, SharePoint, OneDrive, local folders, or file servers?
Separation
- Can CUI workflows be separated from normal business workflows?
- Can users work inside a controlled environment without constant workarounds?
- Can non-CUI users stay out of the CUI environment?
- Can we prevent CUI from being saved in standard business systems?
- Can we explain why certain systems are out of scope?
Technology
- Do we need Microsoft 365 GCC High?
- Do we need virtual desktops?
- Do we need managed CUI devices?
- Do we need a hybrid model?
- Do existing applications support the enclave approach?
Documentation
- Do we have an asset inventory?
- Do we have a network diagram?
- Do we have policies for handling CUI?
- Do we have procedures users can actually follow?
- Do we know what evidence we need to collect?
- Do we know which responsibilities belong to us, Office Heroes, Microsoft, or another provider?
Business Fit
- Will this reduce cost and disruption?
- Will users actually follow the process?
- Will the enclave support current contracts?
- Will it support likely future contracts?
- Will it help us prepare for assessment instead of creating more confusion?
If you cannot answer these questions yet, you are not alone. Most contractors need help with scoping before they can choose the right architecture.
What This Typically Costs
CMMC enclave costs vary based on:
- Number of CUI users
- Licensing needs
- GCC High requirements
- Device strategy
- Virtual desktop requirements
- Existing security maturity
- Documentation needs
- Monitoring and support needs
- Whether CUI cleanup is required
- How complex the workflows are
As a general planning range, many contractors should expect CMMC enclave support to be priced per user per month, with project and implementation costs depending on the environment.
The important point is this:
A smaller CMMC scope usually gives you more control over cost.
If an enclave reduces the number of users, devices, applications, and workflows in scope, it can reduce both implementation effort and ongoing management burden.
For a deeper pricing discussion, see How Much Does a CMMC Enclave Cost for Defense Contractors?.
How Office Heroes Helps
Office Heroes helps small defense contractors make CMMC practical.
We do not start by selling tools.
We start by helping you understand your environment:
- Where CUI lives
- Who needs access
- Which systems are in scope
- Which systems may be kept out of scope
- Whether GCC High is needed
- Whether an enclave makes sense
- Which enclave model fits your workflow
- What needs to be documented
- What needs to be remediated before assessment
From there, we can help design and manage a CMMC enclave that gives your team a controlled place to handle CUI.
The goal is not to make compliance more complicated.
The goal is to create a path your business can actually operate.
Learn more about the Office Heroes CMMC Enclave and how the boundary and scope model works.
Not Sure Which Path Is Right?
That is normal.
Most contractors do not know whether they need an enclave, a full-environment approach, or something in between until they complete a scoping review.
The biggest mistake is spending money on the wrong architecture before you understand your CUI boundary.
Start with a Compliance Readiness Baseline.
We will help you identify:
- Where CUI lives
- Which users and systems are in scope
- Whether an enclave can reduce complexity
- What gaps need to be fixed
- What path makes the most sense before you commit to a build
If an enclave is the right fit, we can help you move toward a managed CMMC enclave model. If it is not, you will know that before wasting time and budget.
Schedule a Compliance Readiness Baseline
Frequently Asked Questions
Do small defense contractors usually need a CMMC enclave?
Many small defense contractors benefit from a CMMC enclave, but not all of them need one. An enclave is usually helpful when only some users and systems handle CUI. If CUI touches almost every part of the business, a full-environment approach may be more realistic.
Is a CMMC enclave required for CMMC Level 2?
No. CMMC Level 2 does not require an enclave specifically. An enclave is one possible architecture for limiting and managing assessment scope. The requirement is to protect CUI and meet the applicable CMMC Level 2 requirements within the defined scope.
Does GCC High make us CMMC compliant?
No. GCC High can be an important foundation, but it does not make an organization CMMC compliant by itself. You still need proper configuration, access control, device management, policies, procedures, evidence, monitoring, and assessment preparation.
What is the difference between a CMMC enclave and a full environment?
A CMMC enclave limits CUI work to a defined environment. A full-environment approach treats most or all of the business environment as part of the CMMC scope. The right choice depends on where CUI lives and whether it can be separated from normal business systems.
Can an enclave reduce CMMC cost?
Often, yes. If an enclave reduces the number of users, systems, devices, and workflows in scope, it can reduce implementation and management costs. But the savings depend on how cleanly CUI can be separated and how much remediation is needed.
Can users work from normal laptops with a CMMC enclave?
Sometimes. It depends on the enclave model. Some companies use virtual desktops to keep CUI inside a controlled environment. Others use managed devices with strict controls. Some use a hybrid approach. The right answer depends on workflows, applications, risk, and documentation requirements.
What happens if CUI leaks outside the enclave?
If CUI is stored, processed, or transmitted outside the enclave, those systems may become part of the CMMC scope. That can increase cost and complexity. It can also create documentation and assessment problems. This is why user training, technical controls, and clear procedures matter.
Do we need an enclave if only one or two people handle CUI?
Maybe. For a very small team, a separate enclave may or may not be worth the overhead. Sometimes a focused controlled environment still makes sense. Other times, securing the small environment as a whole is simpler. The decision should be based on CUI flow, not just headcount.
Should we build an enclave before a readiness assessment?
Usually, no. It is better to understand scope before building. A readiness baseline can help determine whether an enclave is the right approach, what should be included, and what gaps need to be fixed before implementation.
What is the first step if we are not sure?
Start by mapping CUI. Identify where it enters, where it is stored, who uses it, and which systems protect it. If you need help, schedule a Compliance Readiness Baseline so you can make the enclave decision with better information.