Updated May 2026

Enclave Scoping: The 50-70% Cost Lever

If you only do one cost-reduction thing on your CMMC programme, do scope-reduction via a CUI enclave. The math is consistent across company sizes: a well-defined enclave reduces the assessment boundary by 50-70 percent and typically saves $150K-$400K over the three-year certification cycle versus a whole-company scope.

Why scope is the largest cost driver

Every CMMC cost line scales with scope. C3PAO assessor day count scales with the number of in-scope assets, network segments, and user populations. Remediation cost scales with the number of systems that need to meet the controls. Ongoing maintenance scales with the user count, device count, and log volume. Even the indirect costs (security tooling licences, training delivery, evidence-management labour) scale with scope. Reducing scope therefore compounds: a 50 percent scope reduction does not just halve the assessor fee, it also halves the remediation cost, halves the maintenance burden, and halves the tooling cost.

The reverse is also true. A scoping mistake that includes corporate IT systems unnecessarily in the assessment boundary doubles or triples every cost line. Most contractors who report runaway CMMC budgets cite scoping as the root cause: an SSP that defined the scope as "all company IT," a C3PAO that interpreted ambiguous boundaries broadly, a network architecture that did not cleanly separate CUI from non-CUI work.

The Cyber AB scoping guidance at cyberab.org and the DoD CIO Assessment Scope Guidance both recognise enclave scoping as a legitimate and encouraged approach. They also document the rigour required: an enclave is not just an organisational claim, it is a defensible architecture with documented boundaries and consistent enforcement.

The five boundaries of a defensible enclave

Identity boundary

Enclave users authenticate via a dedicated identity provider (Microsoft Entra ID GCC High, AWS IAM Identity Center on GovCloud) that is separate from the corporate IdP. Identities can be federated for SSO convenience, but the authentication tokens, MFA enforcement, and conditional access policies live in the enclave. The C3PAO assesses the enclave IdP; the corporate IdP is out of scope.

Network boundary

Enclave systems sit in dedicated network segments (VLAN, VPC, virtual network) with controlled ingress/egress. Traffic to and from the enclave passes through a firewall or microsegmentation policy that logs every connection. The C3PAO will trace network paths to verify CUI cannot leak into corporate systems through unintended channels.

Device boundary

Only authorised devices can access enclave systems, with device posture verified at access time (managed device, current patch level, EDR running, disk encryption enabled). Corporate-only devices cannot reach enclave systems even with valid credentials. Bring-your-own-device is allowed only through controlled remote-access mechanisms (virtual desktop, Citrix, AVD) that keep CUI off the BYO device.

Data boundary

CUI never leaves the enclave through normal channels. Enclave email cannot send to corporate addresses (or, if it can, content is blocked by DLP). Enclave file shares cannot sync to corporate storage. Copy-paste between enclave and corporate sessions is blocked at the OS or application layer. Print, USB, and screen-capture are controlled.

Administration boundary

Enclave administration uses dedicated administrative accounts and dedicated administrative workstations (privileged-access workstations). Corporate IT admins do not by default have enclave admin rights. The enclave has its own ticketing, change management, and incident response processes. This is the boundary that often costs the most to implement because it requires organisational discipline, not just technical controls.
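As an added example (not from the article or any scoping guidance), the five boundaries above can be encoded as checks over an asset inventory and a list of cross-boundary flows; the audit also computes the scope an assessor would end up with once leaky flows pull corporate assets in. Asset names, the "control" labels (blocked/logged/allowed) and the rule encoding are assumptions for illustration.

```python
# Added example, not from the article; names, labels and rule encoding are assumptions.
DATA_CHANNELS = {"email", "sync", "clipboard"}

def audit(assets, flows, enclave_idp):
    """assets: {name: (zone, idp, managed)}; flows: [(src, dst, channel, control)].
    Returns (violations, in_scope), in_scope = enclave + corporate assets pulled in."""
    violations = []
    in_scope = {n for n, (zone, _, _) in assets.items() if zone == "enclave"}
    # Identity boundary: every enclave asset authenticates against the enclave IdP.
    for name, (zone, idp, _) in assets.items():
        if zone == "enclave" and idp != enclave_idp:
            violations.append(f"identity: {name} uses {idp}, not {enclave_idp}")
    for src, dst, channel, control in flows:
        s_zone, _, s_managed = assets[src]
        d_zone = assets[dst][0]
        if s_zone == d_zone:
            continue  # intra-zone traffic never moves the boundary
        # Device boundary: only managed devices with verified posture reach the enclave.
        if d_zone == "enclave" and not s_managed and control != "blocked":
            violations.append(f"device: unmanaged {src} reaches {dst}")
        # Data boundary: enclave-to-corporate email/sync/clipboard must be blocked.
        if s_zone == "enclave" and channel in DATA_CHANNELS and control != "blocked":
            violations.append(f"data: {channel} {src}->{dst} not blocked")
        # Network boundary: any permitted crossing must at least be logged.
        if channel == "tcp" and control == "allowed":
            violations.append(f"network: unlogged {src}->{dst}")
        # Administration boundary: no corporate-side admin sessions into the enclave.
        if channel == "admin" and s_zone == "corporate":
            violations.append(f"admin: {src} administers {dst}")
        # Any unblocked crossing drags the corporate side into the assessment scope.
        if control != "blocked":
            in_scope.add(src if s_zone == "corporate" else dst)
    return violations, sorted(in_scope)

# Constructed sample: a GCC High enclave beside a commercial corporate tenant.
SAMPLE_ASSETS = {
    "cui-mail": ("enclave", "entra-gcch", True),
    "cui-share": ("enclave", "entra-gcch", True),
    "paw-01": ("enclave", "entra-gcch", True),
    "corp-mail": ("corporate", "entra-corp", True),
    "corp-onedrive": ("corporate", "entra-corp", True),
    "corp-laptop-7": ("corporate", "entra-corp", False),
    "corp-it-ws": ("corporate", "entra-corp", True),
}
SAMPLE_FLOWS = [
    ("cui-mail", "corp-mail", "email", "blocked"),      # DLP block: boundary holds
    ("cui-share", "corp-onedrive", "sync", "allowed"),  # leaky data boundary
    ("corp-laptop-7", "cui-share", "tcp", "logged"),    # unmanaged device reaches enclave
    ("corp-it-ws", "cui-mail", "admin", "logged"),      # corporate IT admin into enclave
]
```

On the sample, only the DLP-blocked email flow holds; the other three each add a corporate asset to the scope the assessor would assess, which is exactly the expansion the scoping mistakes below describe.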

Cost comparison: whole-company versus enclave

Cost line                      | 100 emp, whole-co scope | 100 emp, 25-user enclave | Savings
-------------------------------|-------------------------|--------------------------|----------------
Gap assessment                 | $25K - $45K             | $10K - $18K              | $15K - $27K
SSP authoring                  | $20K - $35K             | $10K - $18K              | $10K - $17K
Remediation: MFA + EDR + SIEM  | $120K - $250K           | $45K - $90K              | $75K - $160K
C3PAO assessment fee           | $60K - $100K            | $35K - $55K              | $25K - $45K
Annual maintenance             | $70K - $120K            | $30K - $55K              | $40K - $65K
Enclave build cost (one-time)  | N/A                     | $25K - $50K              | ($25K - $50K)
Year-1 total                   | $295K - $550K           | $155K - $286K            | $140K - $264K
3-year TCO                     | $435K - $790K           | $215K - $396K            | $220K - $394K

Common enclave-scoping mistakes

The most common failure mode is leaky boundaries. An enclave that is enforced by policy but not by technical control fails on first assessment. If users can send enclave email to corporate addresses, if enclave file shares sync to the corporate OneDrive, or if enclave devices can access the corporate VPN, the C3PAO will expand the scope to include the corporate systems that are connected. The remediation effort to fix this mid-assessment is typically 3-5x the cost of building clean boundaries from the start.

The second failure mode is incomplete enclave coverage. If 25 users are designated CUI handlers but actually 35 users touch CUI in practice (because of informal collaboration patterns, ad-hoc data sharing, or undocumented processes), the assessment will find evidence of CUI outside the documented enclave. This is the second-largest source of post-assessment scope expansion. Mitigate with strict CUI marking, DLP enforcement, and quarterly access reviews.

The third failure mode is administrative drift. Enclave administration done by corporate IT staff using their corporate accounts breaks the administration boundary. Over time, ad-hoc requests for enclave changes from corporate IT staff erode the boundary. The remediation is to formalise enclave admin as a dedicated role (often combined with the broader Information System Security Manager role) with its own credentials, workstations, and change control.
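The second and third failure modes both leave traces in access logs. As an added example (not from the article), the check below parses constructed CUI file-access log lines, lists users who touched CUI-labelled files without being on the designated enclave roster, and flags enclave admin actions performed from accounts outside the enclave identity domain. The log format, account domains and user names are constructed assumptions.

```python
# Added example, not from the article. Log format, domains and names are constructed.
import re
from collections import defaultdict

# Constructed log lines: "<ts> user=<upn> action=<verb> target=<path> label=<marking>"
SAMPLE_LOG = """\
2026-05-04T09:12:01Z user=alice@enclave.example.gov action=read target=/cui/proposal.docx label=CUI
2026-05-04T09:15:44Z user=bob@corp.example.com action=read target=/cui/proposal.docx label=CUI
2026-05-04T10:02:10Z user=carol@enclave.example.gov action=write target=/cui/drawing.pdf label=CUI
2026-05-04T10:30:00Z user=bob@corp.example.com action=read target=/shared/lunch.txt label=NONE
2026-05-04T11:45:12Z user=dave@corp.example.com action=admin target=cui-share label=CUI-SYSTEM
2026-05-04T12:00:00Z user=eve@enclave.example.gov action=read target=/cui/bom.xlsx label=CUI
"""
# Designated CUI handlers per the SSP; eve has an enclave account but was never designated.
ENCLAVE_ROSTER = {"alice@enclave.example.gov", "carol@enclave.example.gov"}
ENCLAVE_ADMIN_DOMAIN = "enclave.example.gov"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) label=(?P<label>\S+)$"
)

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def coverage_gaps(log, roster):
    """Users who touched CUI-labelled files but are not designated enclave users.
    Each entry is evidence of CUI outside the documented enclave (scope expansion)."""
    hits = defaultdict(set)
    for ev in parse(log):
        if ev["label"] == "CUI" and ev["user"] not in roster:
            hits[ev["user"]].add(ev["target"])
    return {user: sorted(targets) for user, targets in hits.items()}

def admin_drift(log, admin_domain):
    """Enclave admin actions performed from accounts outside the enclave domain."""
    return sorted(
        (ev["user"], ev["target"]) for ev in parse(log)
        if ev["action"] == "admin" and not ev["user"].endswith("@" + admin_domain)
    )
```

On the sample, bob (corporate account) and eve (enclave account, but not on the roster) both surface as undocumented CUI handlers, while bob's non-CUI read is ignored; dave's admin action on cui-share from a corporate account is the administrative-drift finding.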

Enclave-by-platform cost summary

The platform choice for the enclave does not significantly change the scope-reduction value but does change the operating cost. For productivity-shaped workloads (email, file collaboration, video conferencing), GCC High is usually the cheapest path. For custom-application workloads (web apps, databases, data lakes), AWS GovCloud or Azure Government make more sense. For organisations doing both, two enclaves (productivity + application) are common. Detail on each platform is on the GCC High migration cost, AWS GovCloud cost, and Azure Government cost pages.

Frequently asked questions

What is a CMMC enclave?
A CMMC enclave is a defined subset of an organisation's IT environment that handles all Controlled Unclassified Information (CUI) and is isolated from non-CUI systems via clear identity, network, device, and data boundaries. Everything inside the enclave is in CMMC assessment scope. Everything outside is not. Building an enclave is the dominant scope-reduction strategy because it converts company-wide compliance into enclave-only compliance.
How much does enclave scoping save?
A well-scoped enclave typically reduces the assessment boundary by 50-70 percent versus a whole-company scope. For a 100-employee defense contractor with 25 CUI handlers, the enclave approach typically saves $40K-$100K in C3PAO assessment fees, $60K-$200K in remediation cost (only enclave systems need MFA/EDR/SIEM brought to the CMMC bar), and $30K-$80K per year in ongoing maintenance. The total savings over a 3-year period commonly run $150K-$400K.
What makes a clean enclave boundary?
Five boundary lines, enforced together. Identity: enclave users authenticate against a dedicated identity provider (or a clearly separated tenant in your main IdP). Network: enclave systems sit in a separate network segment with controlled ingress/egress (firewall, microsegmentation, or dedicated VLAN). Device: only authorised devices can access enclave systems, with device posture verified at access time. Data: CUI never leaves the enclave through normal channels (no enclave-to-corporate email, file share, or copy-paste). Administration: enclave admin functions are performed by enclave-specific roles with separate credentials.
Can I use my existing corporate M365 tenant as the enclave?
Not for CUI handling. Commercial Microsoft 365 does not hold the FedRAMP-equivalent authorisation required under DFARS 7012(b)(2)(ii)(D) for CUI processing. A CMMC enclave for CUI typically requires a separate M365 GCC High tenant, AWS GovCloud account, or Azure Government subscription. The commercial tenant can remain for non-CUI corporate work. Most organisations end up with two tenants and a clear policy on which work happens where.
What does an enclave cost to build?
Build cost depends on platform and scope. A small GCC High enclave (25 users, single workload) typically costs $25K-$50K to provision and configure including the migration project, then $10K-$15K per month to operate. A small AWS GovCloud enclave for a custom application workload typically costs $30K-$60K to architect and stand up, then $1.5K-$3.5K per month to operate. Hybrid enclaves combining both platforms run higher. See the GCC High migration cost and AWS GovCloud cost pages for detailed breakdowns.
Does enclave scoping work for Level 3?
Yes, and it is arguably even more important for Level 3 because of the higher per-asset cost of the additional NIST SP 800-172 controls. Most Level 3 implementations use the same enclave approach as Level 2, with tighter additional controls applied to the enclave (advanced threat protection, more aggressive monitoring, additional segmentation). The cost differential between a Level 2 enclave and a Level 3 enclave is typically 3-5x because of the assessor day count and the enhanced control implementation.

Updated 2026-05-11