CUI Enclave
Also known as: Enclave, CUI boundary
A CUI enclave is a deliberately small, separated environment where all of an organization's CUI is stored and worked on, walled off from the rest of the business. Building an enclave is the most common way a small contractor shrinks CMMC Level 2 scope from the entire company down to a handful of assets, which sharply reduces both cost and effort.
Related terms
- Assessment Scope
The assessment scope (also called the boundary) is the set of assets (people, technology, facilities, and external service providers) that process, store, or transmit FCI or CUI and therefore must meet the applicable CMMC requirements. Drawing the smallest defensible scope is the highest-leverage decision in a CMMC project.
- Controlled Unclassified Information
Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is explicitly marked CUI by the originating agency and triggers NIST SP 800-171 protections and, at the contractual level, CMMC Level 2.
- CMMC Level 2
CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO) depending on the program's prioritization.
- Microsoft 365 GCC High
Microsoft 365 Government Community Cloud High (GCC High) is the Microsoft cloud offering authorized to handle CUI and ITAR data for DoD contractors. GCC High is generally required at CMMC Level 2 when CUI is present; it is not required at Level 1, where standard Microsoft 365 Commercial is sufficient for FCI.