
DFARS And CMMC – Enclave Example Part 2

What would an example enclave look like? 

The illustration below lays it out.

The yellow box represents your current environment for doing all of your normal business.  The blue box represents your CUI Enclave. 

Normal business environment

Most organizations will have at least this type of environment, and it is most likely a lot more complex than this diagram. You might have your email / workspace, protection assets (antivirus, anti-malware, firewalls, VPN, etc.), databases for information, marketing systems, HR systems, invoice and billing, and maybe paper or printed documents. This is used by your whole organization to do day-to-day business.

The blue box is your enclave. This is used by a small set of users who have a need to access the CUI. These systems are limited to those which apply to the CMMC Level 2 Scoping guidance and may include assets similar to those of the normal business environment, with the difference that they might store, process, transmit (or in some cases protect) CUI. There may be a need, for example, for service delivery or engineering personnel and systems to be a part of this, as they may work with or manipulate that CUI. It is also worth noting that assets in an enclave do not need to be only the traditional IT assets; this also extends to the Internet of Things, and to devices or equipment that make things, work on prototypes, or perform quality-related activities.

The biggest takeaway from this diagram is that a particular person may wind up having access to the normal business environment AND the CUI Enclave. However, the CUI should never be transmitted, processed, or stored across these two environments.

The CMMC Level 2 Scoping Document can be helpful in determining what assets belong in the enclave.  The documents are available here-


How do I learn more? 

Give us a call and we will be happy to help!!
