Enclave
Also known as: CMMC enclave, CUI enclave
An enclave is a deliberately segmented part of a company network built to contain all federal contract data, so that CMMC assessment scope covers only the enclave instead of the entire IT environment. Contractors build enclaves to shrink cost: fewer systems in scope means fewer controls to implement, evidence, and assess.
In more detail
A typical CUI enclave is a separate tenant or isolated environment, often Microsoft 365 GCC High plus a locked-down set of devices, where CUI lives and nothing else does. Everything outside the enclave stays out of assessment scope as long as the separation is real and documented.
Enclaves earn their keep at CMMC Level 2, where 110 requirements and a paid C3PAO assessment make every in-scope system expensive. At Level 1 the math is different: the 15 basic safeguarding requirements are things a business should run everywhere anyway, so most FCI-only contractors simply bring their normal environment up to standard rather than building a separate one.
The scoping logic comes from the official CMMC scoping guides: assets that process, store, or transmit the covered information are in scope, and segmentation is what keeps everything else out.
Related terms
- Assessment Scope
The assessment scope (also called the boundary) is the set of assets (people, technology, facilities, and external service providers) that process, store, or transmit FCI or CUI and therefore must meet the applicable CMMC requirements. Drawing the smallest defensible scope is the highest-leverage decision in a CMMC project.
- Microsoft 365 GCC High
Microsoft 365 Government Community Cloud High (GCC High) is the Microsoft cloud offering authorized to handle CUI and ITAR data for DoD contractors. GCC High is generally required at CMMC Level 2 when CUI is present; it is not required at Level 1, where standard Microsoft 365 Commercial is sufficient for FCI.
- Covered Contractor Information System
A Covered Contractor Information System is an unclassified information system owned, or operated by or for, a contractor that processes, stores, or transmits Federal Contract Information. FAR 52.204-21's 15 safeguarding requirements apply to every Covered Contractor Information System.
- Controlled Unclassified Information
Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is explicitly marked CUI by the originating agency and triggers NIST SP 800-171 protections and, at the contractual level, CMMC Level 2.
- Federal Contract Information
Federal Contract Information (FCI) is non-public information provided by or generated for the federal government under a contract to develop or deliver a product or service. It is the information type protected under FAR 52.204-21 and is the trigger for CMMC Level 1.