CMMC Managed Enclaves: Scope Reduction Without GCC High Migration
The Bottom Line
A CMMC managed enclave is a defined, controlled environment — typically built on Microsoft 365 Commercial — where Controlled Unclassified Information (CUI) lives and is managed separately from the rest of your business systems. By containing CUI within a clear boundary, an enclave limits which assets, users, and systems fall within the scope of a CMMC Level 2 assessment. This is called scope reduction: the smaller the in-scope environment, the smaller the remediation burden.
For small defense contractors with a limited CUI footprint — fewer than 15 users who regularly handle CUI, CUI concentrated in a small number of file types and applications — a managed enclave on M365 Commercial is often the most cost-effective path to Level 2 certification. It avoids the licensing premium and migration project cost of GCC High, while still supporting a defensible NIST 800-171 Rev 2 control implementation.
It is not the right answer for every contractor. When CUI is widespread, scattered across many applications, or the contract explicitly requires GCC High, an enclave approach creates management overhead that negates its cost advantage.
What a CUI Enclave Is, Technically
Under 32 CFR Part 170 and NIST SP 800-171 Rev 2, your CMMC assessment boundary covers all assets — people, technology, and facilities — that process, store, or transmit CUI, or that provide security services to those assets. A scoped CUI enclave defines a smaller, controlled zone within your broader IT environment where CUI is permitted to exist. Systems and users outside that boundary do not process CUI and are therefore out of scope for your Level 2 assessment.
In a Microsoft 365 Commercial implementation, a typical enclave uses:
- A dedicated SharePoint site or separate SharePoint tenant configured specifically for CUI storage, with strict access controls and audit logging.
- Azure AD Conditional Access policies that restrict CUI access to managed, compliant devices only — blocking personal devices and unmanaged endpoints.
- Microsoft Purview Information Protection (formerly Azure Information Protection) sensitivity labels that mark CUI content, with DLP policies keyed to those labels that prevent exfiltration via email, Teams chat, or download to non-managed storage.
- Dedicated Teams channels for CUI collaboration, with external sharing disabled and guest access blocked.
- Unified audit logs retained per NIST 3.3 requirements, forwarded to a SIEM or log management system managed by the MSP.
- Privileged access management (PAM) ensuring that only designated administrators can configure enclave settings — with just-in-time access and approval workflows.
The enclave is typically run by a CMMC-aware MSP that maintains the technical controls, updates configurations as requirements change, and produces the evidence needed for a C3PAO assessment.
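One way to check the Conditional Access piece of that design, as an added example that is not code from the original page: the function below audits a policy exported in the Microsoft Graph conditionalAccessPolicy shape for the enclave requirement that CUI access comes only from compliant devices. The sample policy and the CUI group id are constructed placeholders.

```python
# Added example, not code from the original page: audit an exported Entra ID
# Conditional Access policy (Microsoft Graph conditionalAccessPolicy shape)
# against the enclave rule above: CUI access only from compliant devices.
# The sample policy and the CUI group id are constructed placeholders.

CUI_GROUP_ID = "11111111-2222-3333-4444-555555555555"  # placeholder group id

SAMPLE_POLICY = {
    "displayName": "CUI enclave - require compliant device",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": [CUI_GROUP_ID], "excludeGroups": []},
        "applications": {"includeApplications": ["Office365"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "AND",
                      "builtInControls": ["mfa", "compliantDevice"]},
}


def check_enclave_policy(policy: dict, cui_group: str) -> list:
    """Return findings as strings; an empty list means the policy meets the bar."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = set((cond.get("applications") or {}).get("includeApplications") or [])
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if policy.get("state") != "enabled":  # report-only/disabled enforces nothing
        findings.append("state is %r, not 'enabled'" % policy.get("state"))
    if cui_group not in (users.get("includeGroups") or []):
        findings.append("CUI group is not in includeGroups")
    if cui_group in (users.get("excludeGroups") or []):  # carve-out defeats it
        findings.append("CUI group is listed in excludeGroups")
    if not apps & {"All", "Office365"}:  # Office365 = SharePoint/Teams/Exchange
        findings.append("Office 365 workloads are not in includeApplications")
    if "all" not in (cond.get("clientAppTypes") or []):  # narrower leaves gaps
        findings.append("clientAppTypes does not include 'all'")
    if "compliantDevice" not in controls:
        findings.append("compliantDevice grant control is missing")
    elif len(controls) > 1 and grant.get("operator") != "AND":
        findings.append("operator is OR, so MFA alone satisfies the grant")
    return findings
```

The OR-operator and report-only checks catch the two most common ways a policy that looks right in the portal still lets an unmanaged device reach CUI.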
When an Enclave Works Well
| Condition | Enclave suitable? | Why |
|---|---|---|
| Fewer than 15 users access CUI regularly | Yes — strong fit | Enclave scope is small and manageable; licensing premium is minimal |
| CUI lives in a small set of defined file types or projects | Yes — strong fit | Classification labels and DLP policies are effective; scope boundary is clear |
| Budget constraints make GCC High migration unattractive | Yes — evaluate | Enclave avoids $20K–$80K migration cost; higher ongoing management overhead is the tradeoff |
| Contract does not require GCC High or IL4 | Yes — evaluate | When GCC High is not contractually mandated, an enclave is a valid alternative if properly designed |
| Heavy reliance on commercial SaaS tools | Yes — enclave preferred | GCC High restricts third-party apps; enclave approach preserves commercial tool access outside the CUI boundary |
When an Enclave Doesn’t Work
- CUI is scattered across many applications and users. If CUI flows through your ERP, project management tools, email, file shares, and collaboration platforms — and 40 out of 50 employees touch it regularly — the enclave boundary becomes so large that it provides little scope reduction. You end up managing a full M365 hardening project without the platform-level coverage advantages of GCC High.
- Your contract or prime requires GCC High or IL4. If the contract clause specifies the environment, the enclave approach does not satisfy the requirement regardless of how well-designed it is.
- CUI governance is weak and unlikely to hold. An enclave’s effectiveness depends entirely on users staying within it. If your organization cannot maintain disciplined data handling — CUI files emailed from personal accounts, stored on personal OneDrive, shared via uncontrolled channels — the enclave boundary erodes. A C3PAO who discovers CUI outside the declared boundary will expand the assessment scope accordingly.
- Ongoing enclave management cost exceeds GCC High TCO. For a 40+ user organization with significant CUI volume, the MSP cost of maintaining and monitoring a commercial enclave at CMMC standards for three years may exceed the total cost of migrating to GCC High once and enjoying its higher platform-level control coverage. Run the numbers before committing.
The Scope Reduction Math
The value of an enclave is proportional to how much it reduces the number of in-scope assets. Under NIST SP 800-171A, an asset is in scope if it processes, stores, or transmits CUI, or provides security services to assets that do. An enclave reduces scope by:
- Limiting which user accounts can access CUI. Users outside the enclave group do not handle CUI and their devices are out of scope.
- Limiting which devices are managed as in-scope. Conditional Access policies enforce that only managed, compliant devices can access CUI. Unmanaged devices are blocked — and therefore out of scope for device-level control assessment.
- Limiting which servers and services are in-scope. Systems that have no path to CUI — production servers, billing systems, HR platforms without CUI access — remain out of scope.
In a well-designed enclave for a 50-person company where 8 employees handle CUI, the assessment boundary might cover only those 8 user accounts, their 8 managed devices, the SharePoint site, and the MSP’s management infrastructure — rather than the entire company IT environment. That is a meaningful reduction in assessment cost and remediation surface.
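The scoping rule above applied to a constructed asset inventory, as an added example that is not from the original page. Repeating the "provides security services to an in-scope asset" rule until nothing changes is this example's generalization; it is why the MSP's own management tooling (SIEM, backup) lands inside the boundary once it secures an in-scope asset.

```python
# Added example, not code from the original page: apply the in-scope rule
# (an asset is in scope if it handles CUI or provides security services to an
# in-scope asset) to a constructed inventory. Iterating to a fixpoint is this
# example's reading of the rule; every asset name below is constructed.

# Each asset: name -> (handles_cui, assets it provides security services to).
INVENTORY = {
    "cui-sharepoint-site": (True, []),
    "ws-alice": (True, []),          # managed, compliant device of a CUI user
    "ws-bob": (True, []),
    "entra-conditional-access": (False, ["cui-sharepoint-site", "ws-alice", "ws-bob"]),
    "msp-siem": (False, ["cui-sharepoint-site", "entra-conditional-access"]),
    "msp-backup-vault": (False, ["msp-siem"]),
    "billing-erp": (False, []),      # no path to CUI
    "hr-platform": (False, []),
    "ws-carol": (False, []),         # employee who never touches CUI
}


def in_scope_assets(inventory: dict) -> set:
    """Return the assessment boundary: CUI assets plus everything securing them."""
    scope = {name for name, (cui, _) in inventory.items() if cui}
    changed = True
    while changed:  # fixpoint: securing an in-scope asset pulls you in too
        changed = False
        for name, (_, secures) in inventory.items():
            if name not in scope and any(t in scope for t in secures):
                scope.add(name)
                changed = True
    return scope


def scope_reduction(inventory: dict) -> dict:
    """Summarise how many inventory assets the boundary excludes."""
    scope = in_scope_assets(inventory)
    out = set(inventory) - scope
    return {"in_scope": sorted(scope), "out_of_scope": sorted(out),
            "reduction_pct": round(100 * len(out) / len(inventory), 1)}
```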
How to Evaluate Enclave Providers
A managed enclave is delivered by a CMMC-aware MSP. When evaluating providers, ask:
- Have your enclave designs been used in a C3PAO Level 2 assessment? This is the only meaningful test of enclave design quality. Ask for a reference — not just a testimonial.
- How do you handle CUI that escapes the enclave boundary? Spills happen. What is the detection mechanism, the remediation workflow, and the documentation process?
- What evidence do you produce for each NIST 800-171 control your enclave addresses? A CMMC-aware MSP can describe the specific policy output, configuration export, or log record that satisfies each in-scope control’s examination criteria.
- How is the enclave architecture documented in the SSP? The MSP’s role in your SSP needs to be explicit — which controls are provided by the MSP, which are retained by your organization, and which are shared.
- What is the monitoring and alerting architecture? NIST 3.14.6 requires monitoring of organizational systems to detect attacks and anomalous activity. Ask how the MSP monitors the enclave and what they do when an alert fires.
Enclave Providers: Who Builds and Manages CUI Enclaves
A CUI enclave is only as good as the MSP who designs and maintains it. The market for enclave-capable providers breaks into four categories:
| Provider Category | What They Do | Best Fit | Watch For |
|---|---|---|---|
| Defense-focused MSPs with CMMC practices | Design and manage CUI enclaves as part of a CMMC readiness offering; document controls for C3PAO evidence; may also hold RPO credentials | Small-to-mid contractors who need both IT managed services and compliance documentation | Confirm they have clients who completed Level 2 assessment with enclave architecture — not just "in progress" |
| M365 / Entra ID specialists | Deep expertise in Microsoft 365 Conditional Access, Purview, SharePoint, and Teams hardening; build enclave configurations aligned to NIST 800-171 | Contractors whose CUI environment is primarily M365 Commercial and who need a technically precise enclave configuration | Verify they can produce CMMC-specific evidence exports — not just technical configuration reports |
| MSSPs with enclave operations | Combine enclave management with SOC services — SIEM, log retention (NIST 3.3), alert triage, and IR | Contractors who need both enclave infrastructure and the security operations layer (SOC) inside a single managed services agreement | Confirm the enclave management and SOC are genuinely integrated — not two separate contracts bundled into one proposal |
| Pure-play CUI enclave providers | Purpose-built managed enclave services specifically for CMMC contractors; provide a turnkey compliant environment rather than managing your existing tenant | Contractors who want the smallest possible CUI footprint in a separately managed compliant environment, with minimal internal IT overhead | Understand who owns the assessment boundary documentation and SSP in a shared-environment model — and whether the provider is in scope for your C3PAO assessment |
Enclave providers will appear in the DCR Provider Directory once editorial vetting is complete. In the interim, the CMMC MSP guide covers the full set of due-diligence questions and red flags applicable to any enclave-capable managed services provider.
Enclave vs. GCC High: Decision Checklist
| Question | If YES → consider |
|---|---|
| Does your contract specify GCC High or IL4? | GCC High — required |
| Does your prime flow down a GCC High requirement? | GCC High — verify clause |
| Are fewer than 15 users regularly accessing CUI? | Enclave — strong fit |
| Is CUI confined to a few well-defined file categories? | Enclave — strong fit |
| Do you rely on many commercial SaaS tools not available in GCC High? | Enclave — preserves commercial ecosystem |
| Is CUI widespread across 30+ users and many systems? | GCC High — enclave overhead may exceed cost |
| Are you pursuing FedRAMP High, DoD IL4/IL5, or ITAR work? | GCC High — consult counsel |