← Custodia
Definition

Enclave

Also known as: CMMC enclave, CUI enclave

An enclave is a deliberately segmented part of a company network built to contain all federal contract data, so that CMMC assessment scope covers only the enclave instead of the entire IT environment. Contractors build enclaves to shrink cost: fewer systems in scope means fewer controls to implement, evidence, and assess.

In more detail

A typical CUI enclave is a separate tenant or isolated environment, often Microsoft 365 GCC High plus a locked-down set of devices, where CUI lives and nothing else does. Everything outside the enclave stays out of assessment scope as long as the separation is real and documented.

Enclaves earn their keep at CMMC Level 2, where 110 requirements and a paid C3PAO assessment make every in-scope system expensive. At Level 1 the math is different: the 15 basic safeguarding requirements are things a business should run everywhere anyway, so most FCI-only contractors simply bring their normal environment up to standard rather than building a separate one.

The scoping logic comes from the official CMMC scoping guides: assets that process, store, or transmit the covered information are in scope, and segmentation is what keeps everything else out.

Primary source
DoD CIO, CMMC Documentation

Related terms

Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)