CMMC Enclave vs Enterprise: Which Approach Actually Works?

By Arnold De La Vega
[Figure: CUI enclave inside Microsoft 365 GCC High and Azure Government, with regular users and Microsoft 365 Commercial outside the boundary as out of scope.] A CUI enclave keeps GCC High services, CUI mail, and authorized devices inside the boundary. Everything else stays out of scope.

If you’ve started looking at CMMC Level 2, you’ve already hit this question. Do you treat the whole company as in scope (the enterprise approach, sometimes called “All-In”), or do you carve out a small CUI boundary and keep everyone else out (the enclave approach)?

What the enterprise approach actually means

The enterprise approach is when your entire environment is in scope: every user, every laptop, every server, every Microsoft 365 tenant. All 110 NIST SP 800-171 controls apply to all of it.

You’re not carving anything out. You’re saying “yeah, CUI could be anywhere in our stack, so we’ll secure all of it.”

This is the default if you don’t do anything special: get a GCC High license for everyone and harden every device, regardless of who’s handling CUI. You just secure the entire company so it is capable of handling CUI.

[Figure: Enterprise approach, with every user, every device, and every Microsoft 365 GCC High service inside a single CMMC scope boundary.] The enterprise approach pulls every user and device into the same in-scope boundary. There's no "out of scope" side.

What the enclave approach actually means

An enclave is a stand-alone information system with a perimeter around the resources that handle CUI. Everything inside the boundary is in scope. Everything outside is out of scope, as long as you can prove it cannot process, store, or transmit CUI.

The diagram at the top of this post shows what that actually looks like: GCC High services, a CUI mail flow, and authorized devices live inside the boundary, while regular users on commercial Microsoft 365 stay out of scope.

CMMC enclave vs enterprise at a glance

|                      | Enclave                                    | Enterprise (All-In)                                 |
|----------------------|--------------------------------------------|-----------------------------------------------------|
| Scope                | Small, walled-off boundary                 | Entire company                                      |
| Users in scope       | Only CUI handlers                          | Everyone                                            |
| GCC High licensing   | Only enclave users                         | All users                                           |
| Endpoint hardening   | Only enclave devices                       | All devices                                         |
| Assessment cost      | Lower                                      | Higher                                              |
| Operational overhead | Higher (boundary has to be maintained)     | Lower (one standard for everything)                 |
| Audit complexity     | Higher (assessors press on the boundary)   | Lower (everything is in scope, nothing to argue)    |
| Best fit             | Small CUI footprint, mature operations     | Widespread CUI, small team, or messy data flow      |

The cost difference between enclave and enterprise

Cost is the entire reason that enclave vs enterprise is a discussion in the first place.

In an enterprise approach you’re licensing GCC High for everyone. You’re hardening every endpoint. You’re documenting every system. You’re training every user. You’re running an assessment over the entire environment.

In an enclave approach you’re only doing all that for the people who actually touch CUI. The rest of the company stays on commercial M365, regular laptops, regular training.

For a 100-person shop where only 15 people handle CUI, the cost difference can be huge. The math gets ugly fast.

When the enclave approach makes sense

A few signals that point to enclave:

  • Most of your staff don’t touch CUI. Engineering and contracts handle it. Accounting, HR, marketing, and ops don’t.
  • You have clean processes around how CUI enters the company. You know which contracts have it, who gets the data, where it lives, how it leaves.
  • You know how to identify CUI.
  • You have someone who can maintain the enclave on top of your commercial IT systems.

When the enterprise approach makes sense

A few signals that point to enterprise:

  • CUI shows up everywhere. Sales has it, contracts has it, engineering has it, the receptionist sometimes prints it, and you have no desire to change this.
  • You don’t want to put time and effort into properly identifying CUI.
  • You’re a small shop. If you’re 12 people and 8 of them touch CUI, there’s nothing to carve out. Just secure the whole thing.
  • Most of your revenue comes from contracts that require CUI handling. The non-CUI portion of the business is small enough that the savings don’t justify the maintenance burden.

The hidden cost most people miss with enclaves

This is the part that gets glossed over in sales pitches.

The real cost of an enclave isn’t the licensing or the assessment. It’s the day-to-day operational drag on the people working inside it.

Picture what your day looks like with an enclave. You’re working on a project. Someone sends you a file. Is it CUI or not? If yes, you have to open it in the CUI system. If no, you open it in the regular one. You’re constantly checking which mailbox an email landed in. Which Teams environment you’re chatting in. Which VDI session you’re working in. Which laptop has the right access.

It’s a constant mental tax. “Wait, is this the CUI laptop or the regular one?” “Did I just paste something into the wrong window?” “Why is this file not opening... oh right, wrong environment.”

For users who handle CUI all day, the context switching can be a massive hindrance to productivity. They’re flipping between two inboxes, two collaboration tools, sometimes two laptops. Every task has an extra step where they have to ask “which system am I supposed to be in right now.”

That cost doesn’t show up on a spreadsheet, but it is definitely something to consider. People get sloppy. People get frustrated. People start finding workarounds. Under DFARS 252.204-7021, DIBCAC can show up to your business any time they want to. If they see workarounds in use that allow unauthorized flows of CUI, your SPRS score can drop, completely voiding the $50k you spent on a CMMC Level 2 assessment.

The enterprise approach skips this entirely. Everything is in one place. One inbox. One Teams. One laptop. Users don’t have to think about scope, because the scope is “everything.”

How we think about it

When a defense contractor asks us which one to do, we look at three things.

First, what percentage of staff actually need CUI to do their job. If it’s under 30 percent, enclave is on the table. If it’s over 70 percent, just go enterprise. There’s more to it than this, but this is a solid estimate.

Second, the data flow. If we can find out how CUI enters, where it lives, who touches it, and how it leaves, an enclave is buildable. This takes the expertise to identify CUI, because we both know the government and primes sometimes don’t mark this information at all, or overmark it.

Third, who is going to maintain the boundary. Depending on the enclave solution you choose, you need someone competent enough to maintain it.

The short version

Enterprise is more expensive but simpler, in that it’s just one big system. Enclave is cheaper but carries a hidden operational tax that can’t be measured in dollars as easily.

If your CUI footprint is small and your operational discipline is good, go enclave. If either one of those isn’t true, go enterprise.

Pick the one you can actually run and that makes the most sense for your business.

Find Out Where You Stand

Tell us about your situation. We'll tell you whether certification applies, what level you need, and what it takes to get there.

30 minutes. No obligation. Real answers.