CUI Enclave Architecture — the highest-leverage decision in your CMMC program

A CUI enclave is a deliberately isolated environment — typically a small set of hardened workstations, a controlled storage tier, a defined network segment, and an explicit transfer path in and out — where Controlled Unclassified Information is allowed to exist. Everything outside the enclave is by definition out-of-scope for CMMC 2.0 Level 2 assessment. The whole point of an enclave is to make CUI a small, defended island rather than a sprawling pattern across your corporate IT.

CMMC assessment scope follows CUI. If CUI lives on 4 hardened workstations and an isolated file share, the C3PAO assesses those systems plus the supporting controls. If CUI lives on 400 corporate laptops, an unsegmented Microsoft 365 tenant, and three shadow-IT SaaS apps, the C3PAO assesses all of them. Contractors who isolate CUI to a defined enclave cut assessment scope by 60–90% and ongoing maintenance cost by 40–60% — without changing the underlying business workflow.

Not strictly. Microsoft 365 GCC High is the most common "enclave-in-a-tenant" pattern for organizations that want CUI inside their existing M365 workflow, and DoD contractors with substantial Office-based CUI handling often land there. But GCC High is expensive, slow to provision, and forces your entire tenant onto a regulated stack. A purpose-built CUI enclave — separate workstations, separate identity domain, separate file storage, with controlled transfer to your normal environment — is faster to stand up, cheaper to run, and easier to defend at assessment for organizations whose CUI handling is concentrated in a few projects or a small team.

Depends on the platform. A FedRAMP Moderate IaaS (Azure Government, AWS GovCloud) lets you inherit the physical security family (PE), most of the system-and-communications protection family (SC) at the infrastructure layer, parts of audit and accountability (AU), and parts of system and information integrity (SI). A managed CUI enclave service can extend inheritance further — to encryption-at-rest configuration, FIPS-validated cryptographic modules, baseline operating-system hardening, and audit log aggregation. Inheritance shortens your SSP, reduces the controls you must implement directly, and gives the assessor a documented shared-responsibility matrix.

Inside: any system that creates, stores, processes, or transmits CUI. Outside: marketing IT, general HR, accounting (unless invoicing references CUI specifications), employee personal devices, and the broader corporate Microsoft 365 tenant. The line is drawn by data flow, not by job title or team. A common mistake is to put a whole engineering team's workstations inside the enclave when only 4 of them actually touch CUI on a given contract. The right move is to put those 4 inside and define a strict transfer protocol for the rest.

Through a defined, monitored, and audit-logged path — not ad-hoc copy-paste, not personal email. Common patterns: an inbound transfer station that scans and decrypts customer-delivered packages before staging into the enclave; an outbound deliverable export that runs through DLP checks and produces a signed manifest; a courier process for physical media. The transfer path is itself a control surface that the C3PAO will examine, so it needs to be engineered as carefully as the enclave itself.

Generally no, or only with careful federation design. The enclave needs distinct identities, distinct conditional-access policies, and distinct privileged-access management — because a corporate account compromise should not grant enclave access. Common pattern: a separate identity tenant (Azure AD instance or on-prem AD forest) bound to the enclave's resources, with no SSO relationship to the corporate identity provider. Users with enclave access maintain a separate credential and complete a separate MFA factor.

Both. The MacTech CUI Vault is a deployable FIPS 140-3 controlled enclave engineered against the CMMC 2.0 Level 2 boundary — it ships with documented controls, an inheritance matrix, and a Trust Codex evidence kit so the assessor sees an enclave that is already aligned to the assessment methodology. For contractors who want a different platform (GCC High, on-prem, AWS GovCloud), MacTech consults on architecture, control implementation, and the SSP that ties them together.