What is a CUI Enclave?
A CUI enclave is a segmented, hardened environment that isolates CUI so only that boundary — not the whole company — falls in CMMC scope.
A CUI enclave is a deliberately scoped environment (often a dedicated cloud tenant or GCC High environment) where all CUI is stored, processed, and transmitted. Everything outside the enclave stays out of assessment scope.
Enclaves are the dominant cost-control strategy: rather than bringing an entire corporate network up to 110 controls, a contractor secures a much smaller boundary. Enclave seats commonly run $150–$300 per user per month.
Over-scoping — failing to segment CUI into an enclave — is the most common reason small contractors overspend on CMMC.
- CUI: CUI is government-created or -owned information that requires safeguarding under law, regulation, or government-wide policy, but is not classified.
- NIST SP 800-171: NIST SP 800-171 is the federal standard of 110 security controls for protecting CUI in non-federal systems — the technical basis of CMMC Level 2.
- DFARS 252.204-7012: DFARS 7012 is the long-standing clause requiring contractors to safeguard covered defense information per NIST 800-171 and report cyber incidents within 72 hours.
