
CMMC Enclave Approach: Is It Right for Your Small Business?

Josef Kamara · 13 min read

The CMMC enclave approach can shrink your certification cost. That is true in the right situation. It is also not a one-size-fits-all solution, and choosing the wrong approach costs more in the long run than starting with a clear picture.

This article answers the question a first-time defense bidder actually asks: what is a CMMC enclave, and is it right for my business?

The short answer: A CMMC enclave is a separate, locked-down part of your technology where contract-sensitive government information lives. Your assessor evaluates only that locked-down area, not your whole business. If your sensitive government data stays in a small, well-defined space, the enclave approach can cut your assessment cost significantly. If your government data is mixed into everyday business operations, it will not help until you clean up the mess first.

Start Here: What Problem Does an Enclave Solve?

CMMC stands for Cybersecurity Maturity Model Certification. It is the Department of Defense’s program for verifying that contractors protect sensitive government information properly. If your contract involves Controlled Unclassified Information (CUI), which is any non-public government data the DoD marks as sensitive, you will need CMMC Level 2 certification to keep winning that work after Phase 2 takes effect.

Level 2 requires a third-party assessment by a Certified Third-Party Assessment Organization, called a C3PAO (pronounced “see-three-pee-ay-oh”). The assessor reviews your cybersecurity controls across every system that touches CUI. The more systems in scope, the more expensive and time-consuming the assessment.

Here is the problem for a typical small contractor: your business technology is not designed with CUI in mind. Your employees use the same laptops for email, QuickBooks, and government contract work. Your files might be on a shared drive that everyone accesses. That means everything is potentially in scope for the assessor.

An enclave solves that by creating a clear boundary. You build a separate, protected area where CUI lives. The assessor evaluates that area only. Everything outside stays out of scope.

What the CMMC Enclave Approach Actually Means (Plain Language)

Imagine your business operates out of a large office building. Employees come and go, use shared computers, have access to common files. Now imagine you build a locked room inside that building. Only three people have keys. Only work-related government project files go inside. Nothing else enters. The assessor audits the locked room. The rest of the building is irrelevant to the assessment.

That locked room is the enclave idea.

In technology terms, the enclave is a separate digital environment. It might be a dedicated cloud account, a separate set of computers, or a managed service that your vendor runs on your behalf. The key is that CUI only lives inside it, and your regular business operations stay outside.

The Department of Defense’s CMMC Assessment Scoping Guide for Level 2 categorizes your assets by their relationship to CUI. Assets that store, process, or transmit CUI are in scope. Assets that have no contact with CUI can be out of scope. The enclave approach uses that scoping logic deliberately: design your environment so CUI touches as few assets as possible, and those assets are the enclave.

For a full explanation of what counts as CUI and how to identify it in your business, see our guide: What Is CUI? Controlled Unclassified Information Explained for Small Contractors.

Does an Enclave Actually Reduce Assessment Cost?

Yes, when the conditions are right. The assessor bills for scope. Fewer systems in scope means fewer hours, fewer interviews, less evidence to review. A clean enclave covering five users and one cloud environment is a shorter assessment than a full 25-person business network.

Practitioners report that C3PAO assessments for full business environments at typical small contractor scale have run $75,000 to $150,000 (practitioner-reported ranges; get a direct quote from a C3PAO because costs vary significantly by environment complexity and assessor). For a smaller, enclave-scoped assessment covering only a handful of users and systems, the range practitioners describe is $25,000 to $50,000 (same caveat: get a quote).

Those numbers assume the enclave is built correctly and the boundary holds. A leaky enclave, one where CUI has spread outside the designed area, does not produce a smaller assessment. It produces a larger one, because the assessor has to scope every system that touched CUI.

The cost question every small business owner should ask first is not “how much does an enclave cost?” It is: “does my situation actually fit the enclave model?” Answer that before spending anything on design or vendor selection.

The Decision Question: Is an Enclave Right for My Situation?

Two types of businesses benefit from an enclave. Two types do not. Here is an honest picture of each.

The enclave approach works when:

  • Your government contract work is a distinct slice of your business. One contract, a defined set of technical documents, a small group of employees who do that work. CUI stays in that lane. Your HR system, QuickBooks, and general email never touch it.
  • You can draw a clear map of where CUI comes in and goes out. It arrives by email from the prime contractor. It lives in a specific project folder. It leaves as a deliverable uploaded to the government portal. Short list. Short path.
  • The employees who handle CUI are a small, defined group. Three engineers, two project managers. Not everyone in the building.
  • Your general business technology does not need to touch CUI. The accountant, the receptionist, and the business development team do their jobs without ever seeing a CUI document.

The enclave approach does not work when:

  • CUI has mixed into everyday business operations. If program managers, finance staff, and shop floor supervisors all routinely open contract documents, CUI is already everywhere. An enclave boundary cannot hold when the data predates it.
  • You have multiple prime contracts with different requirements. Managing a clean boundary across three different primes, each with different CUI categories and handling rules, through a single shared environment is difficult and risky.
  • Employees regularly send government documents to personal email or home computers. If that is already happening, the boundary has a hole in it before the assessor shows up.
  • Your business IT is too integrated to separate cleanly. A single shared file server that mixes CUI with everything else requires significant cleanup before an enclave boundary is defensible.

If you are unsure which category you fall into, start by mapping your CUI data flow. Trace where contract documents arrive, who copies them, where they end up, and where they exit. If that map shows a short, clean path, the enclave approach fits. If the map spreads across most of your business, fix the data flow problem first. The enclave is not a workaround for a CUI containment problem. It is a design choice for businesses that already have containment.
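The data-flow mapping exercise above can be checked mechanically once the map is written down. The following is an added example, not code from the article or from any CMMC tool: it encodes a constructed flow map (the asset names, flows and enclave membership are all assumed for illustration), applies the scoping rule that any asset a CUI document can reach is in scope, and reports internal assets that touch CUI but sit outside the designed enclave. The second run adds the "forwarded to personal email" flow the article warns about and shows the boundary no longer holding.

```python
"""Enclave-boundary check over a constructed CUI data-flow map.

Scoping rule modelled: an asset that stores, processes or transmits CUI is
in scope, so every asset reachable from a CUI entry point along the flows
is in scope. Assets that touch CUI but are neither inside the designed
enclave nor an approved external endpoint are boundary leaks.
All names below are constructed for this example.
"""
from collections import deque

# Constructed map: each edge means a CUI document can move src -> dst.
FLOWS = [
    ("prime_contractor_email", "enclave_mailbox"),      # CUI arrives by email
    ("enclave_mailbox", "enclave_project_folder"),      # filed in project folder
    ("enclave_project_folder", "enclave_workstation"),  # engineers open it
    ("enclave_workstation", "government_portal"),       # deliverable uploaded
    ("general_file_server", "accounting_laptop"),       # ordinary business traffic
    ("accounting_laptop", "quickbooks"),                # never carries CUI
]

# Same map after an engineer starts forwarding drawings to a personal mailbox.
LEAKY_FLOWS = FLOWS + [
    ("enclave_workstation", "personal_email"),
    ("personal_email", "home_pc"),
]

CUI_ENTRY_POINTS = {"prime_contractor_email"}
APPROVED_EXTERNAL = {"prime_contractor_email", "government_portal"}
DESIGNED_ENCLAVE = {"enclave_mailbox", "enclave_project_folder", "enclave_workstation"}


def assets_touching_cui(flows, entry_points):
    """Every asset reachable from a CUI entry point along the flows (BFS).
    These are the assets an assessor would bring into scope."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, []).append(dst)
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def boundary_leaks(flows, entry_points, enclave, approved_external):
    """Assets that touch CUI but are outside both the designed enclave and the
    approved external endpoints. Non-empty means the boundary does not hold
    and the assessor would have to scope those assets as well."""
    return assets_touching_cui(flows, entry_points) - enclave - approved_external


if __name__ == "__main__":
    print("clean map leaks:", boundary_leaks(FLOWS, CUI_ENTRY_POINTS, DESIGNED_ENCLAVE, APPROVED_EXTERNAL))
    print("leaky map leaks:", boundary_leaks(LEAKY_FLOWS, CUI_ENTRY_POINTS, DESIGNED_ENCLAVE, APPROVED_EXTERNAL))
```

An empty result for your own map is the condition the article calls a short, clean path; any asset named in the result is one the assessor will scope, whether or not you planned for it.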

Three Ways Small Contractors Build an Enclave

You do not need to understand the technical details of enclave architecture to make the right procurement choice. But you do need to understand the three main options, what each costs, and what questions to ask vendors.

Option 1: A Managed CMMC Enclave Service (Recommended for Most Small Businesses)

A CMMC-specialized managed service provider (MSP) builds and runs the enclave on your behalf. You get a fully hosted environment: cloud storage, email, identity controls, security monitoring. The MSP manages the technical side. You manage user behavior, access requests, and documentation of how your employees handle CUI within the environment.

This is the right choice for small businesses without dedicated IT staff. You are buying a compliant environment, not building one from scratch.

Practitioners report monthly per-user fees for managed CMMC enclave services ranging from $200 to $600 per user per month (practitioner-reported ranges; verify current pricing directly with vendors). For a five-person enclave that is $1,000 to $3,000 per month. Before you react to that number, compare it to the alternative: building and maintaining infrastructure yourself, plus paying a C3PAO to assess it.

Questions to ask any managed enclave vendor before signing a contract:

  • Has your environment been assessed by a C3PAO? If so, what was the scope and when?
  • What security responsibilities fall to me versus to you? Get this in writing. In CMMC, “shared responsibility” has a specific meaning for assessors.
  • What documentation do you provide to support my assessment? Ask for examples.
  • What is the process if a security incident occurs inside the enclave?

Option 2: Microsoft GCC High

Microsoft Government Community Cloud High (GCC High) is a version of Microsoft 365 built specifically for contractors who handle sensitive government data. It runs on separate infrastructure from the commercial Microsoft cloud and meets FedRAMP High authorization requirements. FedRAMP is the federal government’s cloud security program.

For many small contractors, a properly configured GCC High tenant is the most direct path to a defensible enclave for email, file storage (SharePoint), and collaboration (Teams). Microsoft handles the underlying infrastructure controls. You handle user configuration, access policies, and documentation within your tenant.

The important word there is “properly configured.” A GCC High account with default settings is not automatically CMMC-compliant. You still need to configure security policies, control who has access, document your practices, and maintain those settings. Most small contractors need a consultant or MSP to configure GCC High correctly and help maintain it.

GCC High costs more than standard Microsoft 365 commercial subscriptions. Get current pricing from a Microsoft licensing partner before budgeting.

Option 3: On-Premises Isolated Segment

Some contractors, particularly those doing manufacturing work with physical controlled drawings or sensitive production data, keep the enclave on their own premises: separate computers, a separate network segment, access controls managed in-house.

This option gives you direct control. It also requires the most technical investment and ongoing maintenance. Unless you have in-house IT staff with government cybersecurity experience, this path usually costs more than a managed service once you account for setup, maintenance, and the expertise needed to keep it assessment-ready.

Ask your prime contractor or contracting officer whether they have any restrictions on cloud-hosted data for your specific contract before choosing. Some contracts or programs require on-premises handling.

What CMMC Still Requires Inside the Enclave

One misconception worth addressing directly: an enclave does not reduce the security requirements. It reduces the scope of what gets assessed. Every CMMC Level 2 security requirement still applies inside the enclave boundary.

CMMC Level 2 maps directly to the 110 security requirements in NIST Special Publication 800-171 Revision 2 (NIST SP 800-171 R2), as incorporated by reference under 32 CFR 170.14. NIST SP 800-171 is the federal government’s standard for protecting CUI in non-government computer systems. Those 110 requirements cover areas like who can access systems, how access is logged, how you respond to security incidents, and how you protect data in transit and at rest.

A managed enclave MSP or a properly configured GCC High tenant handles most of the infrastructure-layer requirements. You are still responsible for the people and process requirements: who has access and why, how you train employees, what your incident response plan says, and how you document your practices. Those portions of the assessment are yours regardless of what technology you use.

Your Subcontractors Are Affected Too

If your contract requires CMMC Level 2 and you pass CUI to subcontractors, those subcontractors carry their own obligation. Your prime contract’s DFARS (Defense Federal Acquisition Regulation Supplement) clauses require you to flow that obligation down. Specifically, DFARS 252.204-7012(m) requires you to include the CUI safeguarding clause in subcontracts where performance involves covered defense information. DFARS 252.204-7021 requires you to verify that subcontractors have a current CMMC certification at the appropriate level before awarding work that involves CUI.

DFARS stands for Defense Federal Acquisition Regulation Supplement. It is the set of rules that DoD adds on top of the standard federal acquisition rules. The clauses above are part of your contract whether or not you read them. They create real obligation.

Your enclave boundary ends at your organization. Your subcontractor’s CUI environment is their responsibility, and their assessor’s scope. But your contract makes you responsible for verifying they meet the requirement before you send them any CUI.

The Decision Framework: Three Questions Before You Commit

Before talking to any vendor or MSP about enclave options, answer these three questions honestly.

Question 1: Can I draw a clean CUI map right now? If you can list on one page exactly where CUI enters your organization, who touches it, where it lives, and how it exits, you have a clear enclave candidate. If you cannot draw that map, stop here and do the mapping exercise first.

Question 2: Does my contract actually require CMMC Level 2? Not all government contracts involve CUI. Level 1 applies to contracts with Federal Contract Information (FCI) only, and Level 1 is a self-assessment with much lower cost. Check your contract’s DFARS clauses. If DFARS 252.204-7021 appears, CMMC applies. If it does not appear, verify with your contracting officer before assuming you need Level 2. See our full guide on CMMC certification for small businesses for a breakdown of which level applies to which contract type.

Question 3: Am I buying compliance or building it? A managed enclave MSP sells you a compliant environment. You are still responsible for the people and documentation side. A GCC High configuration is a foundation you must build on correctly. An on-premises segment is something your team builds and maintains. Be clear about which you are choosing and what internal capacity you need to support it.

What to Do Next

If the enclave approach looks like a fit after working through those questions, the right first step is a readiness assessment from a CMMC Registered Practitioner Organization (RPO) or a C3PAO. A readiness assessment reviews your current environment, identifies gaps, and gives you a realistic picture of what it would take to reach assessment-ready status. This is not the formal CMMC assessment. It is a pre-assessment that surfaces problems at low cost before you pay for the formal evaluation.

A readiness assessment from an RPO typically costs a fraction of the formal C3PAO assessment. That investment almost always pays off by catching boundary gaps and documentation problems that would have failed you at the formal assessment.

For the full picture of what CMMC requires, what each level costs, and how to build a preparation timeline, start with our complete guide: CMMC Certification for Small Businesses: What It Actually Takes.

Frequently Asked Questions

Does DoD allow small businesses to use an enclave approach for CMMC Level 2 assessments?

Yes. The DoD CMMC Assessment Scoping Guide for Level 2 permits assessment of a defined enclave rather than the full contractor environment. The enclave must satisfy all CMMC Level 2 requirements (the 110 NIST SP 800-171 R2 requirements) within its boundary, and CUI must not flow outside that boundary through any uncontrolled path.

Can a small business get CMMC Level 2 certified without a full-time IT person?

Yes, through a managed CMMC enclave MSP or a properly configured GCC High tenant. You will still own the people and documentation responsibilities: access approvals, employee training, incident response procedures, and evidence collection for the assessor. The technical infrastructure can be managed by a qualified vendor. The compliance posture cannot be fully outsourced.

What happens if CUI has already spread across our whole business?

An enclave cannot solve that problem immediately. You need to first contain the CUI: pull it back to a defined set of systems, stop the spread, and document where it has been. That cleanup work happens before you design an enclave. A CMMC Registered Practitioner Organization (RPO) can help you assess the cleanup required and sequence the work.

Is a GCC High tenant automatically CMMC-compliant?

No. GCC High provides a compliant infrastructure foundation, meaning Microsoft’s underlying infrastructure meets the relevant security standards. Your configuration of that environment, your access controls, your policies, and your documentation are your responsibility. A poorly configured GCC High tenant fails a CMMC assessment. Most small businesses need professional help to configure and maintain it correctly.

Do our subcontractors need their own CMMC certification if we use an enclave?

Yes, if you pass CUI to them. Your prime contract’s DFARS 252.204-7021 clause requires you to verify that any subcontractor handling CUI has a current CMMC certification at the appropriate level before you award them that work. Your enclave boundary covers your organization only. Subcontractors are responsible for their own environment and certification.

How do we find a legitimate CMMC assessor?

C3PAOs (Certified Third-Party Assessment Organizations) are authorized and listed in the CMMC Marketplace on the Cyber AB website (cyberab.org). Verify any assessor you are considering against that list. RPOs (Registered Practitioner Organizations) can help you prepare for assessment but cannot conduct the formal Level 2 certification assessment themselves. Both types are listed in the Cyber AB Marketplace.

The enclave approach is a real, DoD-recognized strategy for keeping CMMC Level 2 assessment scope manageable. It is not a workaround. It is not a loophole. It is a design choice that pays off when your CUI stays in a small, well-defined space.

If your CUI map is clean and your contract team is small, the enclave is worth designing around. If CUI has already mixed into your broader business, start with the data flow cleanup before committing to any architecture.

Get an RPO readiness assessment before you spend money on infrastructure. That one step surfaces the real cost picture and prevents expensive rebuilds after the assessor finds what you missed.

Written by

Josef Kamara

CPA, CISSP, CISA. Former Big Four auditor (KPMG, BDO). Specializing in government contracting compliance, cybersecurity, and audit readiness.
