CMMC Level 2 Enclave Strategy

Segmentation, Scope Reduction, and Assessor Confidence

A CMMC enclave is a scope-reduction architecture that uses physical and logical separation techniques to contain CUI within a tightly defined assessment boundary — keeping the rest of the corporate environment out of scope. How well you build, document, and defend that boundary determines how long your assessment takes and how much it costs.

The most consequential cost lever in a CMMC Level 2 program is not which controls you implement — it is how much of your organization falls inside the assessment boundary. All 110 NIST SP 800-171 practices apply to every asset inside your assessed scope. Every asset you can credibly remove from that boundary eliminates a control verification obligation, reduces assessor sampling, and shortens the engagement.

The DoD CIO scoping guidance frames this through a specific architecture: the enclave. An enclave is a defined environment — physical, digital, or both — built specifically to process, store, and transmit CUI, with strict separation from the broader corporate network. Everything inside the enclave is fully assessed. Everything legitimately outside it is not.

The fundamental scoping logic: if only 8 employees in a 500-person company actually handle CUI, applying all 110 controls to the entire organization is not a compliance requirement — it is a failure to scope correctly. The enclave is the mechanism that contains the obligation.

What a CMMC Enclave Is — and What It Is Not

An enclave is not a permission restriction on a shared folder. It is not a policy statement in your SSP saying certain computers don't access CUI. It is a meticulously defined technical and physical boundary — with enforced separation, documented access controls, and evidence the assessor can verify independently of your word.

✗ Not an Enclave
- A restricted folder on a shared network drive that "only some people access"
- A policy document stating CUI shall not leave the CUI server
- A SharePoint site with permission groups but no network segmentation
- Verbal agreement that staff won't touch CUI from personal devices
- A flat network where CUI systems and corporate systems share the same subnet

✓ An Enclave
- A FedRAMP-authorized GCC High environment isolated from the standard Microsoft 365 tenant
- A VLAN-segmented network where CUI systems cannot be pinged from corporate subnets
- A VDI environment where CUI is processed in a secure cloud and never touches the local endpoint
- A physically locked room with cipher access, visitor log, and camera coverage
- An ACL-enforced boundary where only named security group members can reach CUI systems

A VDI architecture is one of the most practical enclave implementations for small defense contractors. The sensitive data never touches the local corporate laptop — it lives in and never leaves the secure cloud environment. The local device becomes a display terminal, not a CUI asset.

Logical vs Physical Separation: When Each Approach Works

The DoD scoping guidance identifies two separation techniques that establish a defensible enclave boundary. Most deployments require both — physical separation addresses the building, logical separation addresses the network.

Physical Separation

Hard Barriers

Physical separation uses architectural and access controls to prevent unauthorized personnel from physically reaching CUI systems or observing CUI on screens.

A cipher lock on a server room door is not sufficient on its own if the door has a window or the room is visible from a common hallway. Physical separation addresses observation as well as entry.

Implementation examples: cipher locks, badge reader access, visitor log with escort, frosted windows, camera coverage, CUI room placards.

Logical Separation

Technical Boundaries

Logical separation uses network architecture and access controls to prevent unauthorized systems from reaching CUI systems digitally — even if both sit in the same building.

A VLAN is not effective without corresponding ACLs. Logical separation requires both the network boundary and the enforced rules preventing traffic across it.

Implementation examples: VLAN segmentation, Access Control Lists (ACLs), firewall rules, security group enforcement, GCC High / FedRAMP tenant, VDI architecture.

In most deployments, physical and logical separation must work together. If your CUI server sits in the same open office as your corporate workstations, logical separation (VLAN) controls the digital boundary but does nothing to prevent an unauthorized employee from walking over and reading the screen. The combination — locked room plus VLAN — closes both attack surfaces and gives the assessor two independent verification points rather than one.
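To make the "VLAN without ACLs is not a boundary" point concrete, here is an added example (not code from the original article) that evaluates a firewall ACL ruleset under first-match semantics and lists the corporate hosts that can still reach the CUI servers. The VLAN numbers, the 10.10.0.0/24 and 10.20.0.0/24 subnets, the admin jump host at 10.20.0.10 and the tuple ruleset format are all constructed assumptions. It goes slightly beyond the text by also showing that rule order, not just rule presence, decides whether the boundary holds.

```python
"""Check whether an ACL ruleset actually enforces the CUI VLAN boundary
the network diagram claims. Added example; addressing plan and ruleset
format are constructed, not taken from any real deployment."""
import ipaddress

# Constructed addressing plan (assumption): VLAN 10 is the CUI enclave,
# VLAN 20 is the corporate network, 10.20.0.10 is a named admin jump host.
CUI_NET = ipaddress.ip_network("10.10.0.0/24")
CORP_NET = ipaddress.ip_network("10.20.0.0/24")
CUI_SERVERS = ["10.10.0.20", "10.10.0.21"]
ALLOWED_SOURCES = {"10.20.0.10"}  # the only named exception from VLAN 20
ANY = "0.0.0.0/0"


def parse_rules(rules):
    """Turn (action, src_cidr, dst_cidr, comment) tuples into network objects."""
    return [(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), comment)
            for action, src, dst, comment in rules]


def first_match(rules, src_ip, dst_ip):
    """First-match ACL semantics with an implicit deny at the end (assumption:
    this is how most firewall and router ACLs behave)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net, _ in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def boundary_findings(rules, corp_net=CORP_NET, cui_servers=CUI_SERVERS,
                      allowed_sources=ALLOWED_SOURCES):
    """Corporate hosts that can reach any CUI server and are not a named
    exception. An empty list is the evidence the article describes: the
    boundary is enforced, not just drawn on a diagram."""
    findings = []
    for host in corp_net.hosts():
        if str(host) in allowed_sources:
            continue
        if any(first_match(rules, str(host), srv) == "permit" for srv in cui_servers):
            findings.append(str(host))
    return findings


# A flat network: VLANs may exist on paper, but the policy permits everything.
FLAT_RULESET = parse_rules([
    ("permit", ANY, ANY, "default allow"),
])

# A segmented network: jump host in, everything else from VLAN 20 denied,
# then general access for corporate hosts to everything that is not the enclave.
SEGMENTED_RULESET = parse_rules([
    ("permit", "10.20.0.10/32", "10.10.0.0/24", "admin jump host to enclave"),
    ("deny",   "10.20.0.0/24",  "10.10.0.0/24", "corporate VLAN to CUI VLAN"),
    ("permit", "10.20.0.0/24",  ANY,            "corporate to everything else"),
])

# Same rules, but the general permit was placed first: the deny is never reached.
MISORDERED_RULESET = parse_rules([
    ("permit", "10.20.0.0/24",  ANY,            "corporate to everything else"),
    ("permit", "10.20.0.10/32", "10.10.0.0/24", "admin jump host to enclave"),
    ("deny",   "10.20.0.0/24",  "10.10.0.0/24", "shadowed by the first rule"),
])


if __name__ == "__main__":
    for name, rules in [("flat", FLAT_RULESET), ("segmented", SEGMENTED_RULESET),
                        ("misordered", MISORDERED_RULESET)]:
        found = boundary_findings(rules)
        print(f"{name:10s}: {len(found)} corporate hosts can reach the CUI servers")
```

Run as written, the flat and misordered rulesets each report 253 reachable corporate hosts (254 hosts in the /24 minus the jump host), while the segmented ruleset reports none. The empty result is derived from the exported ruleset itself rather than from a policy statement, which is exactly the kind of independently checkable evidence this section is about.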

How Enclaves Change Asset Categories

Building an enclave does not just reduce your compliance workload — it fundamentally restructures how every piece of technology in your organization is categorized, assessed, and documented. The DoD CIO scoping guidance defines five asset categories, and your enclave strategy determines where each asset lands.

CMMC Asset Category Map — How the Enclave Boundary Determines Assessment Obligation

Inside the Enclave — Fully Assessed
- CUI Asset (systems processing, storing, or transmitting CUI): all 110 NIST 800-171 controls apply and every assessment objective is evaluated. These are the core of the assessment.
- Security Protection Asset (SPA) (tools that protect the enclave): vulnerability scanners, EDR platforms, SIEM agents monitoring CUI systems. Because they protect the enclave, all 110 controls apply to them as well.

Outside the Enclave — Partial Assessment
- Contractor Risk Managed Asset (CRMA) (corporate systems on the broader network): HR laptops, accounting workstations, marketing desktops. They have theoretical connectivity to the broader network but are separated from the CUI enclave by logical or physical controls. Assessed against the SSP only, not all 110 controls.
- Specialized Asset (IoT, OT, test equipment, government-furnished property): devices that cannot run standard security software. Documented in the SSP with compensating controls. Not assessed against all 110 practices.

Summary of obligations
- CUI Asset: full 110-control assessment
- SPA: full 110-control assessment
- CRMA: SSP documentation only
- Out-of-Scope: not assessed

The SPA Trap
Organizations frequently forget that security tools protecting the enclave — vulnerability scanners, EDR platforms, log collectors — are classified as Security Protection Assets and subject to the full 110-control assessment. An MSP whose vulnerability scanner reaches into your CUI environment is an SPA. Their systems are now in scope, and their own CMMC compliance becomes your problem to document.
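As an added example (not code from the original article), the following script applies the category-to-obligation mapping above to a constructed asset inventory and flags the SPA trap: any tool that scans, monitors or collects from a CUI asset but is recorded as something other than an SPA. The asset names, the `protects` field and the inventory layout are assumptions; the obligations are the ones stated in the map above.

```python
"""Derive assessment obligations from asset categories and detect the SPA
trap. Added example; inventory entries and field names are constructed."""

# Assessment obligation per asset category, as summarized in the article.
OBLIGATION = {
    "CUI Asset": "Full 110-control assessment",
    "SPA": "Full 110-control assessment",
    "CRMA": "SSP documentation only",
    "Specialized Asset": "SSP documentation with compensating controls",
    "Out-of-Scope": "Not assessed",
}

# Constructed inventory. 'protects' lists the assets a tool scans, monitors or
# collects logs from (an assumed column; the article's inventory is a spreadsheet).
INVENTORY = [
    {"name": "cui-file-srv-01", "category": "CUI Asset", "owner": "Engineering"},
    {"name": "edr-console", "category": "SPA", "owner": "IT",
     "protects": ["cui-file-srv-01", "hr-laptop-07"]},
    {"name": "msp-vuln-scanner", "category": "CRMA", "owner": "External MSP",
     "protects": ["cui-file-srv-01", "acct-ws-03"]},
    {"name": "hr-laptop-07", "category": "CRMA", "owner": "HR"},
    {"name": "acct-ws-03", "category": "CRMA", "owner": "Accounting"},
    {"name": "cnc-controller-2", "category": "Specialized Asset", "owner": "Shop"},
    {"name": "marketing-mac-12", "category": "", "owner": "Marketing"},
]


def obligations(inventory):
    """Map each asset name to its obligation; an unknown or blank category
    becomes 'UNCLASSIFIED' so it cannot silently pass as out of scope."""
    return {a["name"]: OBLIGATION.get(a["category"], "UNCLASSIFIED") for a in inventory}


def spa_trap_findings(inventory):
    """Tools that protect a CUI asset but are not categorized as SPA. These are
    the undocumented SPAs the article warns about: their own security posture
    is part of the assessment regardless of what the spreadsheet says."""
    cui_assets = {a["name"] for a in inventory if a["category"] == "CUI Asset"}
    findings = []
    for asset in inventory:
        targets = set(asset.get("protects", [])) & cui_assets
        if targets and asset["category"] != "SPA":
            findings.append({
                "asset": asset["name"],
                "declared": asset["category"] or "(blank)",
                "required": "SPA",
                "because_it_protects": sorted(targets),
            })
    return findings


def ambiguous_findings(inventory):
    """Assets whose category is blank or not one of the defined values; the
    article treats each of these as a potential finding."""
    return [a["name"] for a in inventory if a["category"] not in OBLIGATION]


def fully_assessed(inventory):
    """Assets the assessor will test against all 110 practices once any
    SPA-trap misclassification has been corrected."""
    corrected = {f["asset"] for f in spa_trap_findings(inventory)}
    return sorted(a["name"] for a in inventory
                  if a["category"] in ("CUI Asset", "SPA") or a["name"] in corrected)


if __name__ == "__main__":
    for f in spa_trap_findings(INVENTORY):
        print(f"SPA trap: {f['asset']} declared {f['declared']}, must be SPA "
              f"(protects {', '.join(f['because_it_protects'])})")
    print("Ambiguous categories:", ambiguous_findings(INVENTORY))
    print("Fully assessed after correction:", fully_assessed(INVENTORY))
```

On the constructed inventory the MSP's scanner is reported as an SPA trap (it is recorded as a CRMA but scans the CUI file server), the blank Marketing entry is reported as ambiguous, and the fully assessed set grows from two assets to three. That third asset is the MSP's system, which is the point of the warning above.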

The Confidence Problem: What Makes an Enclave Defensible to Assessors

An assessor reviewing your asset inventory who sees 2,000 corporate devices classified as CRMAs faces a fundamental verification question: how do they know CUI hasn't leaked onto any of those machines? The answer — or the absence of one — is what drives sampling volume, audit duration, and cost.

This is the confidence problem. An assessor's willingness to accept your CRMA classification without extensive sampling is directly proportional to the technical evidence you can provide that the separation is real, enforced, and current.

⚠ Low Confidence — High Sampling Cost: Flat Network, No Segmentation
- Topology: CUI server, 50 corporate PCs, HR laptop, accounting and marketing PCs all on the same subnet. Corporate PCs can reach the CUI server with no technical barrier.
- The assessor cannot trust the CRMA classification without evidence.
- Must sample large numbers of corporate devices for CUI presence. Extended audit window. Significantly higher billable hours.

✓ High Confidence — Reduced Sampling: VLAN-Segmented Network
- Topology: VLAN 10 (the CUI enclave) holds the CUI server; the 50 corporate PCs, HR laptop, and accounting workstation sit on the corporate VLAN. Firewall ACLs block all traffic from the corporate VLAN to the CUI VLAN, and the assessor can verify the rule independently.
- The assessor can verify the boundary without sampling every device.
- The VLAN configuration plus the ACL ruleset is the evidence. Sampling is focused on a representative subset. Shorter assessment, lower cost.

The tools that raise assessor confidence most effectively are those that create verifiable, technical evidence the assessor can review independently. A VLAN configuration file, a firewall ACL ruleset, a data classification policy enforced by Microsoft Purview, or a GCC High tenant separation — these are evidence. A policy document stating CUI shall not leave the enclave is not.

The Documentation Package That Makes an Enclave Defensible

Before an assessor evaluates a single control, they will review your documentation package to understand your claimed boundary. An enclave without documentation is just an assertion. The following four documents, taken together, give an assessor a complete and independently verifiable picture of your scope.

Doc 01: System Security Plan (SSP)

The master blueprint. The SSP provides the narrative describing exactly how the enclave is constructed, what separation techniques are in place, and how each CMMC control is implemented within the boundary. It sits on top of all other documentation and tells the assessor what they're about to verify.

Assessors read the SSP before examining anything else. If the boundary description in the SSP doesn't match the network diagram, the discrepancy becomes a finding before a single system is tested.

Doc 02: Asset Inventory

A comprehensive spreadsheet listing every person, system, software tool, and facility in the environment — explicitly categorized as CUI Asset, SPA, CRMA, Specialized Asset, or Out-of-Scope. Every asset with an ambiguous classification is a potential finding.

Assessors will compare the inventory against what they observe during the assessment. Undocumented assets discovered during testing — devices on the network not in the inventory — immediately raise questions about your scoping methodology.

Doc 03: Network Diagram

A visual map of the logical and physical boundaries — where firewalls sit, how VLANs are numbered, how the CUI enclave connects to or is isolated from corporate segments, and how external access (VPN, remote work) routes into the environment.

Assessors use the network diagram to design their testing strategy before the assessment begins. An unclear or out-of-date diagram signals boundary confusion and typically results in expanded scope.

Doc 04: Data Flow Diagram

A visual map of the CUI information lifecycle — how CUI enters the organization (email, portal, USB), how it routes into the enclave, who touches it, how it is stored, and how it is ultimately destroyed or returned at contract closeout.

The data flow diagram is how assessors verify your scope claim is complete. If CUI follows a path that touches a system you've classified as out-of-scope, that system's classification becomes immediately questionable.
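The two consistency checks an assessor performs on Doc 02 and Doc 04 can be run against the records themselves. The following added example (not code from the original article) walks each CUI data flow and reports any asset on the path that is missing from the inventory or classified outside the enclave, and then reconciles a list of hosts observed on the CUI VLAN against the inventory. The asset names, categories, the flow and inventory layout and the observed-host list are all constructed; the commercial-mailbox ingress path is included because it is the "email as CUI ingress" mistake discussed later on the page.

```python
"""Cross-check the data flow diagram (Doc 04) and the asset inventory (Doc 02)
against each other and against hosts observed on the enclave VLAN. Added
example; every name and category below is constructed."""

# Constructed inventory: asset name -> category.
INVENTORY = {
    "m365-commercial-mailbox": "CRMA",
    "gcc-high-mailbox": "CUI Asset",
    "cui-file-srv-01": "CUI Asset",
    "vdi-cui-desktop": "CUI Asset",
    "corp-laptop-22": "CRMA",
    "shredding-vendor": "Out-of-Scope",
    "edr-console": "SPA",
}

IN_SCOPE = {"CUI Asset", "SPA"}

# Constructed CUI data flows: each path lists the assets CUI passes through,
# from ingress to storage or destruction.
FLOWS = {
    "contract-A-drawings": ["gcc-high-mailbox", "cui-file-srv-01", "vdi-cui-desktop"],
    "contract-B-rfq": ["m365-commercial-mailbox", "corp-laptop-22", "cui-file-srv-01"],
    "closeout-destruction": ["cui-file-srv-01", "shredding-vendor"],
}

# Constructed list of hosts seen on the CUI VLAN during testing (assumption:
# taken from a switch MAC table or DHCP lease export).
OBSERVED_ON_CUI_VLAN = ["cui-file-srv-01", "vdi-cui-desktop",
                        "corp-laptop-22", "printer-3rd-floor"]


def flow_findings(flows, inventory, in_scope=IN_SCOPE):
    """Every asset on a CUI path must be inventoried and classified in scope.
    Anything else means the scope claim is incomplete, which is exactly what
    the assessor uses the data flow diagram to detect."""
    findings = []
    for flow, path in flows.items():
        for asset in path:
            category = inventory.get(asset)
            if category is None:
                findings.append((flow, asset, "not in inventory"))
            elif category not in in_scope:
                findings.append((flow, asset, f"classified {category} but carries CUI"))
    return findings


def undocumented_hosts(observed, inventory):
    """Hosts seen on the enclave VLAN that the inventory does not list at all."""
    return sorted(h for h in observed if h not in inventory)


def misplaced_hosts(observed, inventory, in_scope=IN_SCOPE):
    """Inventoried hosts seen on the enclave VLAN but classified as not in scope:
    either the documentation is stale or the boundary is not enforced."""
    return sorted(h for h in observed if h in inventory and inventory[h] not in in_scope)


if __name__ == "__main__":
    for flow, asset, reason in flow_findings(FLOWS, INVENTORY):
        print(f"[{flow}] {asset}: {reason}")
    print("Undocumented on CUI VLAN:", undocumented_hosts(OBSERVED_ON_CUI_VLAN, INVENTORY))
    print("Out-of-scope hosts on CUI VLAN:", misplaced_hosts(OBSERVED_ON_CUI_VLAN, INVENTORY))
```

On the constructed data the script produces three flow findings (the commercial mailbox and the corporate laptop on the RFQ path, and the shredding vendor on the closeout path), one undocumented host on the CUI VLAN, and one inventoried CRMA sitting on the enclave VLAN. Each of those is a question the assessor would otherwise have to answer by sampling.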

Common Enclave Mistakes That Expand Scope

Most scope expansion happens not from deliberate misrepresentation but from implementation gaps that allow CUI to reach systems outside the intended boundary — silently, before anyone notices. These four patterns are the most common.

Mistake 01: The Flat Network

The most common enclave failure: every device on the same subnet, with no VLAN, no ACL, and no firewall rule preventing corporate PCs from reaching the CUI server. The CUI server may have access controls — but if a corporate PC can ping it, the assessor has no basis for accepting the CRMA classification without extensive sampling.

→ Segment the network before the assessment. A documented VLAN with enforced ACL rules is the minimum technical evidence required to justify a CRMA boundary.

Mistake 02: Email as CUI Ingress

CUI that arrives via standard commercial email — Microsoft 365 Business, Google Workspace, or similar — is already outside the enclave before it reaches the recipient. The moment CUI touches a commercial tenant without FedRAMP authorization, the entire tenant is potentially in scope. This is one of the most common and most expensive unintentional scope expansions in the supply chain.

→ Establish a designated CUI ingress channel — a GCC High mailbox, a secure portal, or a physical transfer process — before CUI-generating contracts begin. Retroactive remediation after contamination is far more expensive than prevention.

Mistake 03: Undocumented SPAs

Security tools that reach into the enclave — vulnerability scanners, EDR agents, SIEM collectors — are Security Protection Assets and fully in scope. Organizations routinely deploy these tools without cataloging them as SPAs, then face unexpected scope expansion when an assessor identifies them during the network diagram review.

→ Inventory every tool that touches, monitors, or protects CUI systems. If it reaches the enclave, it is an SPA. Its own security posture is now part of your assessment.

Mistake 04: Stale Documentation

An asset inventory, network diagram, or data flow diagram that reflects the environment as it existed 18 months ago — before a cloud migration, a network refresh, or a new contract — is not just unhelpful. It actively undermines assessor confidence. When the documentation doesn't match reality, assessors expand their sampling to compensate for the gap they cannot explain.

→ Treat scoping documentation as a living record. Any material change to the environment — new systems, new vendors, new data flows — triggers an update to all four documents before the next assessment.

The Bottom Line

An enclave is not a compliance shortcut — it is an architectural decision that determines the cost and duration of every CMMC assessment your organization will undergo. A well-constructed, well-documented enclave gives the assessor verifiable evidence that your boundary is real, enforced, and current. That evidence replaces sampling. Sampling replaced by evidence is time — and time, in a C3PAO engagement, is money.

Build the separation before the contracts that require it begin. Document it precisely. Keep the documentation current. And understand that the assessor's job is not to trust your classification decisions — it is to verify them. Give them the tools to do that quickly.

The question an assessor is always asking at the boundary is: "How do I know CUI isn't on those systems?" Your VLAN diagram, your ACL ruleset, your data flow, and your asset inventory are the answer. Without them, the question stays open — and open questions get resolved through sampling.