The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

CMMC Secure Enclave: When It Cuts Your Level 2 Scope — and When It Backfires

By The Defense Compliance Report Editorial Team (independent CMMC and DIB compliance research)
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Department of Defense, the Cyber AB, or any U.S. government agency, and this page is not legal or compliance advice.

Sources we read for this guide: 32 CFR Part 170 (eCFR), the Federal Register CMMC Program Final Rule and DFARS Final Rule, the DoD CMMC Level 2 Scoping Guide, the official CMMC Program FAQ (Revision 2.3, May 2026), the Cyber AB Code of Professional Conduct v2.0, NIST CSRC (SP 800-171 Rev. 2, SP 800-172), and DFARS 252.204-7012 / -7019 / -7020 / -7021 / -7025 on Acquisition.gov.

A CMMC secure enclave is a deliberately walled-off part of your IT environment — cloud, on-premises, or a secure overlay — where you keep all of your Controlled Unclassified Information (CUI) and the systems that touch it, so the assessment focuses on that boundary, plus the systems that protect or connect to it, instead of automatically pulling in your whole company. The assessment standard inside that boundary is the 110 security requirements in NIST SP 800-171 Revision 2 — the same 110 that apply to CMMC Level 2.

Here's the part the vendor demos skip: an enclave does not reduce the 110 requirements. Every one of them still applies inside the boundary. What it reduces is how many systems and people that boundary has to contain. And the boundary only counts if it's enforced by architecture, not drawn on a slide. Your CMMC Third-Party Assessment Organization (C3PAO — the independent firm authorized to certify Level 2) assesses whether your scope holds, and a paper-only enclave can be expanded on assessment day.

That's the whole decision in one breath. The rest of this page is the part nobody puts in one place: which situations an enclave actually fits, what has to live inside the boundary to survive an assessment, how the real architectures compare, what it costs in dollars we can source, and the specific scoping traps — VDI endpoints, encryption, your MSP — that 32 CFR Part 170 and the CMMC FAQ have now answered in writing.

Quick verdict: does an enclave fit your situation?

| If this sounds like you… | Enclave verdict | Why | Your next move |
|---|---|---|---|
| A few users handle CUI mostly in documents, email, and proposals | Strong fit | The CUI flow is narrow enough to isolate cleanly | Map the CUI flow, then compare enclave paths |
| Engineering team needs CAD/CAM, local tools, supplier file exchange | Possible, but design it carefully | Workflow and how files leave the boundary decide it, not the software | Get scoping help before you buy a platform |
| CUI is already spread across commercial M365, file shares, backups, and email | Not yet | You have CUI sprawl to clean up first | Run CUI discovery and remediation before buying |
| You use VDI and the endpoint only sends keyboard/video/mouse | Can work | The regulation allows out-of-scope endpoints under strict conditions | Verify the configuration is enforced, not assumed |
| A vendor says “we encrypt it, so it's separated” | Red flag | Encryption alone does not create logical separation | Ask for the boundary architecture, not the crypto |
| Your MSP or SOC handles your logs, identity, or security tooling | Still relevant | If it touches Security Protection Data, it's in your scope | Get its shared-responsibility matrix before signing |

The one honest caveat, up front

An enclave is not “CMMC in a box.” If your people keep downloading, printing, emailing, and editing CUI outside the boundary, an enclave can make your environment look cleaner while leaving the real assessment problem untouched — and you'll have paid for a platform that didn't fix anything. That's the failure mode we see most often.

Here's the flip side, and it's the reason this strategy exists: when CUI flow is narrow, enforceable, and documented, an enclave is the difference between hardening 20 workstations and hardening 200. For most small and mid-size defense suppliers with that kind of contained CUI footprint, it's the most practical path through CMMC Level 2 — faster, cheaper, and less disruptive than re-architecting the whole company. The strategy is sound. The execution is where it lives or dies.

If nearly everyone in your company touches CUI as part of normal work, an enclave is the wrong tool for you. You'd be better served by a whole-environment Level 2 program — start with our CMMC Level 2 readiness checklist instead of shopping for an enclave.

Not sure whether your CUI workflow can actually fit inside a boundary?

That's the right question to settle before you spend a dollar on licensing. Get matched with providers who scope your level, boundary, and timeline first — and quote the platform second.

Check my enclave fit →

We screen each provider's category, public credential status where applicable (for example, a C3PAO's or RPO's listing in the Cyber AB Marketplace), and stated service scope before routing — it is not an endorsement, a certification guarantee, or any form of DoD or Cyber AB approval. Provider-matching may generate referral or lead-routing compensation for us; it never changes our regulatory analysis or which category we recommend. Please don't submit CUI, drawings, export-controlled content, contract numbers, vulnerabilities, or sensitive system details through the form.

What is a CMMC secure enclave?

A CMMC secure enclave is a controlled environment that contains the people, systems, applications, cloud services, endpoints, and processes that handle CUI, separated from the rest of the organization. The point is not to dodge CMMC requirements; it's to limit how many assets must meet and prove those requirements by controlling where CUI is processed, stored, transmitted, and protected. CMMC has no special shortcut called “enclave certification” — the assessment question is whether your scope definition is defensible and technically enforced.

In practice, an enclave is the controlled workspace for CUI. It might be built on Microsoft 365 GCC High, Azure Government, or AWS GovCloud; it might be a Virtual Desktop Infrastructure (VDI) environment; it might be a secure file-sharing and email overlay; or it might be a segmented on-premises network. Whatever the technology, the job is the same: create a defined boundary where CUI lives, and keep everything else out of it.

It helps to be precise about the words, because vendors use them loosely.

| Term | What it means | Why it matters |
|---|---|---|
| CMMC secure enclave | A compliance-focused boundary built to contain CUI workflows | The phrase used when the goal is reducing assessment scope |
| CUI enclave | The same concept, framed around the data | The better phrase when you're mapping where CUI actually flows |
| Secure cloud | A cloud environment that handles CUI under controlled conditions | If CUI is involved, it carries FedRAMP and cloud-provider obligations |
| VDI / AVD enclave | A virtual desktop where CUI stays inside the remote session | The endpoint can be out of scope — but only under strict conditions |
| Managed enclave | A provider-operated environment plus support | Only as good as its responsibility matrix, evidence, and documentation |

A secure enclave is not a certification by itself. It is not a substitute for a System Security Plan (SSP). It is not a guarantee that a C3PAO will agree with your boundary. It does not erase CUI sitting in old locations, and it does not give your team license to keep emailing and printing CUI outside the controlled space.

Does a CMMC secure enclave actually reduce CMMC Level 2 scope?

Yes — but only when the enclave changes the real CUI boundary, not just the diagram. Systems outside the enclave must not process, store, or transmit CUI, and some assets that protect the enclave can remain in scope even though they never hold CUI themselves. The official asset categories decide this, and they matter far more than any vendor's marketing.

Under 32 CFR §170.19 and the DoD CMMC Level 2 Scoping Guide, every asset in a Level 2 assessment falls into one of five categories — not four, not six. Here's what the rule actually says, and what each category means for your enclave:

The five Level 2 asset categories (what the rule says vs. what it means for your enclave)

| Asset category | What 32 CFR §170.19 / the Scoping Guide says | What it means inside an enclave | Assessed against the 110? |
|---|---|---|---|
| CUI Assets | Process, store, or transmit CUI. Documented in your asset inventory, SSP, and network diagram | These live inside the boundary. Keep them as few as possible — this is the whole reason the enclave exists | Yes, fully |
| Security Protection Assets (SPAs) | Provide security functions to the CUI environment (SIEM, firewall, VPN, EDR management), whether or not they hold CUI | Often straddle the boundary, protecting the enclave from outside. Document the relationship and the responsibility split | Against the requirements relevant to their function |
| Contractor Risk Managed Assets (CRMAs) | Can but are not intended to touch CUI, because policy and configuration keep CUI away. Managed under a risk-based policy and documented in the SSP | The category your boundary is meant to keep clean. Thin documentation here is exactly how an assessor pulls systems back into scope | If sufficiently documented, not assessed against other requirements — but if policies, practices, or assessor findings raise doubt, they can be reclassified |
| Specialized Assets | Can touch CUI but can't be fully secured: IoT, Industrial IoT, Operational Technology, Government-Furnished Equipment, restricted systems, test equipment. Managed under a risk-based policy, shown in the network diagram | Common in manufacturing. Keep them out of the CUI flow where you can, and document how you manage them | The SSP is reviewed, but they are not assessed against the other CMMC requirements at Level 2 |
| Out-of-Scope Assets | Cannot process, store, or transmit CUI and provide no protection for it; physically or logically separated. No documentation required | Everything the enclave deliberately walls off. It must be genuinely separated, not just labeled | No |

Any asset that can establish a network connection to a CUI Asset should generally be treated as a CRMA — not as Out-of-Scope — unless you can prove the connection can't carry CUI. “We put it on a different VLAN” is the start of the argument, not the end of it.

The line that beats the vendor diagrams

The DoD does not pre-approve your enclave. No one at the Department signs off on your architecture in advance. Your C3PAO assesses whether your scope definition is reasonable and whether your boundary is technically enforced. The enclave strategy is explicitly recognized in CMMC guidance as valid — the regulation even writes one enclave pattern (VDI) directly into the scoping rules — but a boundary that exists only on a network diagram can be expanded on the first assessment day. Architecture that the assessor can verify is architecture that holds.

What quietly pulls the rest of your company back into scope

This is the list we wish every enclave buyer saw before signing. Each of these can drag enterprise systems into your assessment even when CUI “lives in the enclave”:

Enclave fit by situation: the decision matrix

Use this matrix to match your situation to an enclave fit score, and understand what to focus on and what kind of help you need. If you land on “Low,” “Not yet,” or “Unknown until scoped,” buying an enclave today is premature — the money is better spent on CUI discovery and a readiness review.

| Situation | Enclave fit | Why | What to focus on | The trap | What you need |
|---|---|---|---|---|---|
| Small proposal/BD team; CUI enters by email and leaves by deliverable only | High | Narrow, well-defined CUI flow with few users | Map exact entry/exit points; confirm endpoints and backups | Assuming email-only scope doesn't include shared drives or printing | Secure overlay or managed enclave + RPO for documentation |
| Engineering or program team; CUI in CAD files, specifications, and supplier exchanges | Medium | CUI flow is broader; file-out paths need enforcement | How files leave the enclave and reach suppliers or local tools | Buying a collaboration enclave and ignoring local CAD and machine interfaces | Scoping help before platform selection; possibly hybrid/on-prem + MSP |
| Manufacturer with shop-floor CNC, test gear, or OT touching CUI | Medium — requires careful design | Specialized Assets create scope complexity cloud-only enclaves miss | Specialized Asset inventory; OT/ICS segmentation; how programs move to machines | Buying a document-sharing enclave and assuming it solved shop-floor CUI | RPO with OT/manufacturing experience; possibly hybrid/on-prem architecture |
| Company-wide CUI; most staff touch it daily through normal work tools | Low — consider whole-environment Level 2 | Split-brain friction often costs more than it saves | Full environment migration (e.g., GCC High for all users) vs. enclave cost | Building an enclave that nobody actually uses because the workflow doesn't fit | CMMC readiness consultant + government-cloud migration planning |
| Paper CUI / ITAR obligations; physical handling and no digital workflow | Situational | Physical safeguarding process, controlled access, no scan/upload flow | Physical access controls, destruction procedures, and SSP documentation | Scanning or emailing the paper instantly creates digital scope | RPO / policy support |
| You'll likely need Level 3 for a critical program | Medium–Low | A narrow Level 2 enclave may not be enough for a future Level 3 design | Level 3 requirement analysis, Level 2 C3PAO readiness, a Level 3 architecture plan | Designing only for Level 2 and rebuilding later | Senior RPO / vCISO + C3PAO sequencing |
| A prime's flow-down lands in 90 days and you don't know where CUI lives | Unknown until scoped | The first decision isn't a platform — it's CUI discovery and reading the clause | The contract clause, CUI category, CUI flow map, current SPRS posture | Buying the first vendor demo you see | RPO / readiness consultant first |

Found your row but not sure what to do with it?

The next step is a provider who fits that row — a readiness consultant (RPO) for the “scope first” rows, an enclave or secure-cloud provider for the “strong fit” rows, an MSP/MSSP for the operational rows. Get matched to the right category in one short form.

Map my CUI boundary →

What has to live inside the enclave to make the boundary hold up?

A defensible enclave contains not just the CUI files, but the entire workflow that creates, receives, edits, stores, transmits, protects, backs up, logs, and shares them. A boundary that covers the storage location but ignores email, downloads, printers, backups, security logs, admin accounts, and supplier sharing is usually not a boundary an assessor will accept. The test is simple to state and hard to fake: can CUI get out of the enclave through any path you haven't controlled?

Map the CUI flow before you map the network

Before anyone talks about platforms, draw the data. Every line below is a place CUI can escape your boundary:

  1. Where CUI enters (a prime's portal, an email, a contract deliverable)
  2. Who receives it (which people, which roles)
  3. Where it's stored (which repositories, which tenants)
  4. Where it's edited (which applications)
  5. Which apps process it (and whether they cache or sync)
  6. Which endpoints access it (managed, unmanaged, mobile)
  7. Whether it's downloaded, printed, exported, or emailed
  8. Which systems log or back it up
  9. Which providers administer or secure it
  10. Where CUI leaves the company (to subs, suppliers, the government)

If you can answer all ten with confidence, you're ready to choose a boundary. If you can't, no platform will save you — you have discovery to do first.

The boundary checklist

These are the questions to put to any team — or any vendor — before money changes hands. Each one is a place scope quietly grows.

| Boundary item | The question to answer before you buy |
|---|---|
| Users | Who is authorized to access CUI, and how is that enforced? |
| Endpoints | Can endpoints store, cache, print, or copy CUI? |
| Identity | Is identity shared with the rest of the business, federated, or enclave-specific? |
| Email | Can CUI be sent through commercial email? |
| File sharing | Can files be downloaded outside the enclave? |
| Printing | Is printing blocked, controlled, or logged? |
| Backups | Where do backups live, and who administers them? |
| Logs | Do logs contain Security Protection Data? |
| Admins | Who holds privileged access, and from where? |
| MSP/MSSP | What do they manage, and what evidence do they provide? |
| Cloud provider | Is the CUI cloud environment FedRAMP Moderate authorized or equivalent? |
| Suppliers | How is CUI shared downstream, and is that path controlled? |

A proposal team of five people receiving CUI, drafting inside a controlled workspace, and sharing only through approved channels is often a textbook enclave. An engineering team that needs local CAD tools, machine interfaces, supplier transfers, and occasional printing can still use an enclave — but the design needs real scoping work first, because the “how does the file get out” question is where these projects succeed or fail. A manufacturer should never buy a document-sharing enclave and assume it solved CUI on the shop floor.
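Here is one way to run the two tests this section and the asset-category table describe against an inventory, as an added example written for this article, not code from The Defense Compliance Report or from any provider. Every asset name, data path and control label below is constructed, and the function names are this example's own. It answers two questions: can CUI reach an asset outside the enclave over a path with no technical control on it, and is any asset labelled Out-of-Scope able to open a connection to or from a CUI Asset (which the scoping rule says should be a CRMA unless the connection provably cannot carry CUI)?

```python
"""Added example (not the publication's own tooling): apply two boundary
tests from the CMMC Level 2 scoping discussion to a constructed inventory.

  Test 1: can CUI get out of the enclave through any path you haven't
          controlled?
  Test 2: is any asset labelled Out-of-Scope able to connect to a CUI Asset?
"""
from collections import deque

# Constructed asset inventory. "category" is the label the contractor *claims*
# in its SSP; the checks below test whether the label survives the data flows.
ASSETS = {
    "sharepoint-gcch":  {"category": "CUI", "in_enclave": True},
    "eng-laptop-01":    {"category": "CUI", "in_enclave": True},
    "siem":             {"category": "SPA", "in_enclave": False},
    "shop-cnc-01":      {"category": "Specialized", "in_enclave": False},
    "hr-fileshare":     {"category": "Out-of-Scope", "in_enclave": False},
    "marketing-laptop": {"category": "Out-of-Scope", "in_enclave": False},
    # A supplier is outside the organization entirely, not one of the five
    # categories; it is here so a *controlled* egress path can be shown.
    "supplier-portal":  {"category": "External", "in_enclave": False},
}

# Constructed data paths: (source, destination, control). control is None
# when nothing technical stops CUI moving along that edge.
FLOWS = [
    ("sharepoint-gcch", "eng-laptop-01", "managed endpoint, DLP"),
    ("eng-laptop-01", "shop-cnc-01", "approved transfer procedure"),
    ("eng-laptop-01", "hr-fileshare", None),        # mapped SMB share, nothing stops a save
    ("eng-laptop-01", "supplier-portal", "encrypted, approved channel"),
    ("marketing-laptop", "sharepoint-gcch", None),  # can open a session to a CUI Asset
    ("sharepoint-gcch", "siem", "log forwarding, SPD only"),
]


def cui_reachable(assets, flows):
    """Assets CUI can reach, starting from every CUI Asset and following every
    data path. A controlled path still carries CUI: the control decides
    whether the destination is acceptable, not whether CUI gets there."""
    start = {name for name, a in assets.items() if a["category"] == "CUI"}
    reachable, queue = set(start), deque(start)
    while queue:
        node = queue.popleft()
        for src, dst, _control in flows:
            if src == node and dst not in reachable:
                reachable.add(dst)
                queue.append(dst)
    return reachable


def uncontrolled_exits(assets, flows):
    """Test 1: every edge from a CUI-reachable asset to an asset outside the
    enclave with no technical control is a finding, returned as (src, dst)."""
    reachable = cui_reachable(assets, flows)
    return sorted(
        (src, dst)
        for src, dst, control in flows
        if src in reachable and not assets[dst]["in_enclave"] and control is None
    )


def misclassified_out_of_scope(assets, flows):
    """Test 2: an asset labelled Out-of-Scope that can establish a connection
    with a CUI Asset, in either direction, should be documented as a CRMA
    unless the connection provably cannot carry CUI. Flag it for review."""
    cui = {name for name, a in assets.items() if a["category"] == "CUI"}
    flagged = set()
    for src, dst, _control in flows:
        if src in cui and assets[dst]["category"] == "Out-of-Scope":
            flagged.add(dst)
        if dst in cui and assets[src]["category"] == "Out-of-Scope":
            flagged.add(src)
    return sorted(flagged)


if __name__ == "__main__":
    for src, dst in uncontrolled_exits(ASSETS, FLOWS):
        print(f"uncontrolled CUI exit: {src} -> {dst}")
    for name in misclassified_out_of_scope(ASSETS, FLOWS):
        print(f"labelled Out-of-Scope but connects to a CUI Asset: {name}")
```

On the constructed inventory the first test reports the laptop-to-HR-share path (the CNC and supplier paths are controlled, so they are not findings even though CUI reaches them), and the second test flags both the HR share and the marketing laptop: a VLAN label in the SSP does not survive an edge that can carry CUI. Feed the same two functions the real asset list and the flow map from the ten questions above, and the output is the list of items to fix or document before an assessor finds them.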

VDI and endpoints: can they really stay out of scope?

Yes — and this is one of the few places the DoD gives you a clear, written answer. 32 CFR §170.19 states that an endpoint hosting a VDI client configured to allow no processing, storage, or transmission of CUI beyond the keyboard, video, and mouse sent to the VDI client is an Out-of-Scope Asset — with no documentation requirements for that endpoint. The official CMMC FAQ then spells out exactly what “configured correctly” means in questions F-Q1 and F-Q2. The rule and the FAQ have settled a question the DIB argued about for years.

But read the conditions closely, because the whole benefit evaporates if you miss one. The governing test: if the configuration allows the endpoint to process, store, or transmit CUI, the endpoint is a CUI Asset and is fully in scope.

| VDI condition | Effect on endpoint scope |
|---|---|
| CUI remains entirely inside the VDI session | Supports out-of-scope endpoint treatment |
| Endpoint receives only keyboard/video/mouse | Supports out-of-scope endpoint treatment |
| Copy/paste between session and local device is blocked | Prevents local CUI processing |
| File transfer and drive mapping are disabled | Prevents CUI leaving the session |
| Printing from the session to the local device is disabled or tightly controlled | Avoids uncontrolled CUI output |
| Screenshots/saving of CUI are blocked | Prevents local CUI capture |
| MFA to the VDI server is separate from the unmanaged endpoint (hardware token or PKI with PIN) | Supports the access boundary |
| Access is restricted to authorized users and allowable locations | Supports a defensible boundary |
| The configuration lets the endpoint download, cache, print, or edit CUI locally | The endpoint becomes a CUI Asset — fully in scope |

These controls have to be technically enforced, not just written into a policy. An assessor tests whether CUI can actually reach the endpoint, not whether a document says it shouldn't.
Even when endpoints qualify to be out of scope, the VDI platform itself remains fully in scope: the identity services, networking, storage, and all the infrastructure behind the virtual desktop. VDI shrinks the endpoint count; it doesn't make the environment disappear.
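The conditions in the table are technical settings, so they can be checked rather than asserted. The following is an added example written for this article, not code from the publication, Microsoft, or any enclave provider: it parses the RDP property string that a Windows VDI or Azure Virtual Desktop host pool hands to clients and evaluates it against the redirection conditions above. The property names are the standard RDP file settings; the two sample strings are constructed. Screen-capture blocking, separate MFA, and user/location restrictions are not expressed in RDP properties, so the script lists them as items to verify elsewhere rather than pretending to test them.

```python
"""Added example (not from the publication or any vendor): check an RDP
property string against the endpoint-scoping conditions for VDI.

Standard RDP property names are used; sample strings are constructed.
"""

# Each rule: property name, the value(s) that satisfy the condition, and the
# condition from the scoping table that the property enforces.
KVM_ONLY_RULES = [
    ("redirectclipboard", {"0"}, "copy/paste between session and local device is blocked"),
    ("drivestoredirect", {""}, "drive mapping (file transfer to local disks) is disabled"),
    ("redirectprinters", {"0"}, "printing from the session to the local device is disabled"),
    ("usbdevicestoredirect", {""}, "USB device redirection is disabled"),
    ("devicestoredirect", {""}, "plug-and-play device redirection is disabled"),
    ("redirectcomports", {"0"}, "COM port redirection is disabled"),
]

# Conditions from the table that RDP properties cannot show; verify these in
# the session host policy and the identity provider instead.
NOT_IN_RDP_PROPERTIES = [
    "screenshots/saving of CUI blocked (screen capture protection on the session host)",
    "MFA to the VDI separate from the endpoint (identity provider / conditional access)",
    "access restricted to authorized users and locations (identity provider policy)",
]

# Constructed samples. Smart card redirection is left on in both because PKI
# with PIN is one of the separate-MFA options the table names.
HARDENED_RDP = (
    "drivestoredirect:s:;redirectclipboard:i:0;redirectprinters:i:0;"
    "usbdevicestoredirect:s:;devicestoredirect:s:;redirectcomports:i:0;"
    "redirectsmartcards:i:1;audiomode:i:2"
)
PERMISSIVE_RDP = (
    "drivestoredirect:s:*;redirectclipboard:i:1;redirectprinters:i:0;"
    "redirectsmartcards:i:1"
)


def parse_rdp_properties(text):
    """Parse 'name:type:value;name:type:value' into {name: value}.
    The type is 'i' (integer) or 's' (string). An empty string value is legal
    and meaningful (no drives / no devices), so it is kept, not dropped."""
    props = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _type, value = item.split(":", 2)
        props[name.strip().lower()] = value.strip()
    return props


def endpoint_scope_findings(text):
    """Return the conditions the configuration fails, one string each.
    An absent property is a failure too: an unset property enforces nothing,
    and the client default cannot be relied on to block redirection."""
    props = parse_rdp_properties(text)
    findings = []
    for name, ok_values, condition in KVM_ONLY_RULES:
        if props.get(name) not in ok_values:
            findings.append(f"{name}={props.get(name, '<unset>')}: {condition}")
    return findings


def endpoint_out_of_scope_candidate(text):
    """True when every RDP-visible condition is met. The endpoint is still only
    a *candidate*: the NOT_IN_RDP_PROPERTIES items must be verified separately."""
    return not endpoint_scope_findings(text)


if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED_RDP), ("permissive", PERMISSIVE_RDP)):
        print(f"{label}: candidate for out-of-scope endpoint = "
              f"{endpoint_out_of_scope_candidate(sample)}")
        for finding in endpoint_scope_findings(sample):
            print("  FAIL", finding)
    print("verify outside RDP properties:")
    for item in NOT_IN_RDP_PROPERTIES:
        print("  -", item)
```

The hardened sample produces no findings; the permissive one fails on clipboard and drive redirection and on three redirection settings it never sets. That last point is the practical one: an assessor tests whether CUI can reach the endpoint, so a setting that is simply missing is evidence of nothing, and the script treats it that way.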

The tradeoff nobody puts on the slide

If your engineers can't move files, print drawings, or collaborate with suppliers, they will route around the enclave — and a boundary your own people bypass isn't a secure enclave, it's a future assessment finding. Design for the way your people actually work, then enforce it.

Encryption, MSPs, and the cloud: three places contractors get the scope wrong

These three areas produce more bad enclave decisions than anything else, and the official CMMC FAQ now addresses all three in writing. Encryption protects data but does not, by itself, create a network boundary. An MSP usually doesn't need its own certification but is often part of your scope. And buying a government cloud like GCC High satisfies only half the equation — it never makes you certified. Get these three right and your enclave decision gets dramatically simpler.

Encryption is not separation — but it's not useless either

The CMMC FAQ answers two related questions that vendors love to blur. First (FAQ B-Q8): encrypted CUI is still CUI. Encrypting a file or a packet does not “decontrol” it; as long as the underlying information is controlled, the ciphertext is too, and you can't treat it as out of scope just because it's wrapped. Second (FAQ F-Q3): encryption alone cannot create logical separation for a network inside your assessment scope. Logical separation comes from enforced architecture — firewalls, routing controls, network segmentation — that actually stops CUI from moving where it shouldn't.

Now the useful part. FAQ F-Q4 confirms that if your enclave is otherwise logically separated from the broader enterprise network, transmitting properly encrypted CUI across out-of-scope enterprise networking does not drag those enterprise components into scope. In plain terms: you can run encrypted CUI over your general corporate network as transit without pulling that network into your assessment, as long as the separation is real and enforced, not crypto alone. Prove your boundary with segmentation you can demonstrate on a network diagram, and let encryption do what encryption is for.

What MSPs, MSSPs, and CSPs actually have to prove

A provider's label matters less than what it does with your data. Relevant terms:

Here's how the CMMC FAQ (questions E-Q1 through E-Q5) and 32 CFR §170.19 actually sort this out:

The throughline: an MSP's certification is a strong indicator, not a substitute. Your scope is determined by how CUI and SPD are processed, stored, transmitted, and protected — not by who you hired. For a deeper breakdown, see our guide on CMMC external service provider requirements.

Does buying GCC High make you compliant? No — and this is the most expensive misunderstanding in CMMC

Under DFARS 252.204-7012, any cloud service that stores, processes, or transmits CUI must meet the FedRAMP Moderate baseline — or documented FedRAMP Moderate equivalency (FAQ E-Q1). Equivalency, defined by the December 21, 2023 DoD CIO memorandum, means a cloud offering has been assessed by a FedRAMP-recognized third-party assessor against 100% of the FedRAMP Moderate baseline, with no outstanding control-related Plans of Action and Milestones, documented in a “body of evidence.” Equivalency is a DoD construct, not a FedRAMP authorization listed on the FedRAMP Marketplace.

Which CMMC enclave architecture fits: GCC High, AWS GovCloud, a secure overlay, managed, or on-prem?

Build your own if you have in-house cloud and security depth; buy a managed enclave if you need speed and lack that depth; choose the cloud platform based on whether you handle export-controlled data and what your team already runs. The right architecture follows your CUI flow and your export-control status — not a vendor's preference.

Editorial comparison by The Defense Compliance Report. FedRAMP statuses reflect each platform's authorization and should be confirmed against the live FedRAMP Marketplace before you rely on them; a platform's authorization does not mean your configuration is compliant — your C3PAO assesses your configuration. Cost signals are industry-reported and will vary. Last verified: June 3, 2026.

| Architecture | What it actually is | FedRAMP status | Export-controlled CUI (ITAR/EAR)? | Covers / you still need | Best-fit profile | Cost signal (industry-reported) | The #1 mistake |
|---|---|---|---|---|---|---|---|
| Microsoft 365 GCC High | A productivity suite (Exchange, Teams, SharePoint, OneDrive) on Azure Government | Runs on Azure Government (FedRAMP High P-ATO); enforces U.S.-person access. Confirm current Marketplace status of the GCC High productivity layer before relying on it | Yes — appropriate for ITAR/EAR | Covers core collaboration; you still implement endpoints, EDR, logging, configuration, and your SSP/POA&M | Microsoft-centric DIB handling CUI and/or export-controlled data | Roughly $60s–$80s+/user/month for licensing, before services | Assuming the license alone makes you compliant |
| AWS GovCloud / Azure Government | Government cloud infrastructure (IaaS/PaaS) for apps, databases, dev/data workloads | FedRAMP High (verify the exact service and impact level on the Marketplace) | Yes (verify by service) | Covers infrastructure; you still need a productivity layer (email/documents) and own a meaningful share of shared-responsibility controls | Engineering, application, or data workloads; program-mandated cloud; complex CUI environments | Infrastructure pricing varies widely; add productivity layer + MSP/engineering labor | Buying infrastructure expecting an out-of-the-box email/collaboration enclave |
| Secure overlay (e.g., PreVeil) | End-to-end encrypted email and file channel for CUI users, layered on top of commercial productivity tools | Some publicly state FedRAMP Moderate Equivalency (3PAO-attested; verify the Body of Evidence and CRM — not Marketplace-authorized) | Verify against your data type and whether the overlay enforces U.S.-person access | Covers CUI email + files for designated users; you still manage endpoints, backups, identity, and documentation | Small teams; narrow CUI flow; fastest deployment with minimal migration | ~$20–$32/user/month; small CUI team often under ~$50,000/year all-in | Treating the overlay as the whole enclave when CUI also lives on endpoints, in ERP, or in CAD |
| Fully managed enclave (enclave-as-a-service) | Provider-operated hardened environment — often a virtual desktop — that CUI users log into, with inherited controls and a responsibility matrix | Varies — some publicly state FedRAMP Moderate Equivalency; verify each provider's Body of Evidence and CRM individually | Varies (verify per provider) | Covers hosted desktop/apps/files with inherited controls; you still attest to compliance and own your outside-enclave environment | No in-house security team; want fastest deployment and maximum inherited controls | ~$150–$400/user/month; roughly $2,000–$12,000/month total for a small team | Not verifying the responsibility matrix or assuming “managed” means hands-off for assessment |
| On-premises / hybrid (with MSP/MSSP) | Dedicated hardware in your facility (or a co-lo), segmented from the rest of the network | FedRAMP doesn't apply to on-prem directly; you demonstrate security requirements through your own configuration and evidence | Yes (data doesn't leave your building — though supplier sharing and VPN must be controlled) | Covers the local CUI environment; you still need ongoing MSP/MSSP operations, security monitoring, and documentation | Manufacturing, OT/CNC shops, classified adjacency; orgs with existing on-prem investment | Variable capital cost + ongoing MSP; typically higher one-time cost than cloud options | Assuming physical separation equals no assessment obligations, or that air-gap means no documentation required |

Assessment cost figures are the DoD's published estimates from the rulemaking; operational and one-time ranges are industry-reported and dated mid-2026. Named-platform FedRAMP statuses should be confirmed live on the FedRAMP Marketplace, and provider credentials in the Cyber AB Marketplace, before you rely on them.

CMMC secure enclave FAQ

Is a CMMC secure enclave required?

No. An enclave is an optional scoping strategy, not a CMMC requirement. What's required is meeting the controls for your CMMC level; an enclave just limits how much of your environment those controls apply to.

Does an enclave eliminate the 110 Level 2 requirements?

No. If your contract requires CMMC Level 2, the security requirements are identical to NIST SP 800-171 Revision 2 — 110 requirements across 14 families. An enclave reduces which assets must meet and prove those requirements; it does not change the requirements themselves.

Can a secure enclave get me CMMC certified?

No platform certifies you by itself. If your contract requires Level 2 (C3PAO), an authorized C3PAO performs the certification assessment. If it requires Level 2 (Self), you perform the self-assessment and affirm your status. The enclave is the environment you get assessed on. See our guide on self-assessment vs. C3PAO to understand which path applies to you.

Can VDI keep my laptop out of scope?

Yes, if CUI stays entirely inside the VDI, the endpoint carries only keyboard/video/mouse, file transfer and copy/paste are disabled, MFA to the VDI is separate, and access is limited to authorized users and locations. If the configuration lets the laptop process, store, transmit, cache, print, or download CUI, it becomes a CUI Asset. The rule is in 32 CFR §170.19, with details in the CMMC FAQ (F-Q1, F-Q2).

Can encryption alone create logical separation?

No. The CMMC FAQ (F-Q3) is explicit: encryption protects confidentiality but does not, by itself, prevent data transfer or enforce a network boundary. Logical separation requires enforced segmentation. Encrypted CUI is also still CUI (B-Q8).

Do I need GCC High for CMMC Level 2?

Not always. The real question is where CUI is processed, stored, and transmitted, and whether the cloud service meets FedRAMP Moderate authorization or equivalency. GCC High is common and is the practical path for export-controlled (ITAR/EAR) data; other authorized or equivalent options can work for CUI without export control. See our GCC High for CMMC guide.

Does my MSP need its own CMMC certification?

Not necessarily. An MSP that handles neither CUI nor Security Protection Data isn't an ESP under CMMC. An MSP that handles your SPD has its services assessed as Security Protection Assets within your assessment, and an MSP that doesn't store, process, or transmit CUI is not automatically required to hold its own certification (it may pursue one voluntarily). If it stores your CUI, its systems fall within your scope.

Can commercial Microsoft 365 stay outside the enclave?

Potentially, but only if it doesn't process, store, or transmit CUI and doesn't provide security protection that brings it into scope. The practical risk is that users keep sending or saving CUI in commercial email or file shares — which re-creates the scope you were trying to avoid.

Are backups and logs in scope?

They can be. Backups that contain CUI, and logs or security tooling that protect CUI Assets or hold Security Protection Data, need to be evaluated within your assessment scope.

Can I use a POA&M if my enclave isn't finished?

Only narrowly. Level 1 allows no POA&Ms. Level 2 allows Conditional status only if your assessment score divided by total Level 2 requirements is at least 0.8, only for select non-critical requirements scored NOT MET, and the POA&M must be closed within 180 days through a closeout assessment (32 CFR §170.21). It's a short bridge for loose ends, not a substitute for finishing the build.

Does NIST SP 800-171 Revision 3 apply to CMMC Level 2 right now?

No. The CMMC FAQ (B-Q3) confirms the model uses NIST SP 800-171 Revision 2 under 32 CFR Part 170 unless the DoD updates the rule. Treat Revision 3 as a future-watch item.

Does a secure enclave change my SPRS or CMMC UID obligations?

No. The enclave is the system you certify, and it receives a CMMC Unique Identifier tied to that assessed scope. Under DFARS 252.204-7025 and -7021, you still need a current CMMC status and annual affirmation in SPRS for each system handling FCI or CUI, and DFARS 252.204-7019/7020 assessment-posting obligations still apply when they're in your contract.

What if we may need Level 3 later?

Design with that in mind. Level 3 builds on Level 2 and adds 24 selected NIST SP 800-172 requirements for the most sensitive CUI, so an enclave designed only for a narrow Level 2 path may need a redesign. Plan the architecture for where you're headed, not just where you are.

How we built this guide

We built this page as a primary-source scoping decision guide, not a provider ranking. We cross-checked the active CMMC rule, the DFARS implementation clauses, the NIST publication versions, the official scoping guidance, the CMMC FAQ's edge cases, and the Cyber AB ecosystem rules, and we used contractor forums only to understand the questions people actually ask — never as a source for regulatory claims.

The Small Business Administration's Office of Advocacy formally asked the DoD for clear, concise enclave guidance for small businesses to lessen the compliance burden — confirming this isn't a niche concern but a recognized one across the DIB.

What this page is not

It is not legal, contractual, or compliance advice. It is not a guarantee of any assessment outcome. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance and is not affiliated with the Department of Defense, the Cyber AB, or any U.S. government agency. It is not a provider review or ranking, and it does not claim any specific provider is authorized unless that status is independently verified. Verify current requirements against the primary sources we cite before making decisions.

A note on independence: we may receive referral compensation from some provider categories when a reader asks to be matched. That doesn't change the regulatory facts, the evidence requirements, or the fit criteria on this page. Read our Editorial & Advertising Policy.

Need help deciding what type of CMMC provider you need?

Get matched with verified providers in 60 seconds — tell us your CUI flow, environment, and timeline, and we'll route you to the right category.

Get matched with verified providers →

We screen each provider's category, public credential status where applicable, and stated service scope before routing; matching is not an endorsement or a certification guarantee. Please don't submit CUI, drawings, export-controlled content, contract numbers, vulnerabilities, or sensitive system details through the form.

Sources

  • 32 CFR Part 170 (eCFR) — CMMC Program Final Rule (published Oct 15, 2024; effective Dec 16, 2024), including §170.19 (five asset scoping categories) and §170.21 (POA&M and Conditional certification).
  • Federal Register — CMMC Program Final Rule and Regulatory Impact Analysis; DFARS Final Rule (DFARS Case 2019-D041) (published Sept 10, 2025; effective Nov 10, 2025).
  • DoD CIO — CMMC Level 2 Scoping Guide; CMMC Level 2 Assessment Guide; December 2023 memo on FedRAMP Moderate Equivalency for Cloud Service Providers.
  • CMMC Program FAQ, Revision 2.3 (May 2026) — questions B-Q3, B-Q8, E-Q1 through E-Q5, F-Q1 through F-Q4.
  • Acquisition.gov — DFARS 252.204-7012, 252.204-7019, 252.204-7020, 252.204-7021, 252.204-7025.
  • NIST CSRC — Special Publication 800-171, Revision 2; Special Publication 800-172.
  • Cyber AB — Code of Professional Conduct v2.0; Marketplace ecosystem data.
  • SBA Office of Advocacy — public comment on the CMMC Program proposed rule (Feb 2024).
  • FedRAMP Marketplace — product authorizations (Microsoft 365 GCC High via Azure Government; AWS GovCloud; and others). Re-verify live before relying on any status.

Last verified: June 3, 2026. Cost ranges reflect public provider pricing and DoD's published estimates; individual quotes vary with scope, user count, and starting maturity.