top of page

DFARS and CMMC – How to leverage an Enclave to your advantage

First off –  What is an Enclave?

According to the NIST Definition of an Enclave:  “A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.”
You might be thinking:  “Ok Thanks Bill, what does that really mean?“

Ok, lets simplify it:  You run a separate system for a specific purpose.  What it means is that you have cordoned off and isolated a group of organizational and IT Assets to perform a specific task, and you have a defined boundary between that and the rest of what you use within your organization.   Much of the US Government works this way.  A person within the government may have a public facing system and a enclaved system to perform more sensitive work.  All this is, is applying the same methodology to a private organization. 

Why would you do this? 

Reduce the number of systems to only those which need protection and you can save on resources in the long run while reducing risk in the short run.    When you think about implementing complex security and privacy frameworks there is a math problem involved.  What I mean by that is that whatever you put in place, you need to put in place for all of the organizational assets that you have. Also it is not a one and done sort of thing.  You need to keep it up for so long as you are in business.  So if you are at a company which has 100 system components (different applications, pc’s, protective systems, hardware, networking etc.), you then need to ensure that the controls you are putting in place have been implemented on those systems. 

In essence the assets you manage are a giant multiplier of complexity.  So in my example of 100 System components, if you were to implement the core controls of NIST 800-171  the math problem works like this: 
  • (Assets) X (Number of Controls)

  • In my example this would mean implementing and maintaining over time 100 assets X 110 controls = 11,000 points of evidence of implementation to keep updated over time.  

Now this is a simplified equation for demonstrative purposes.  The actual implementation has additional complexities, like trying to meet objectives.  However, this gives you a good idea of why you would want to reduce the number of assets you are implementing controls against. 
How do you implement an Enclave?

 Comes down to two choices – Start Fresh, or Cordon off what you have. 



Start Fresh – New Enclave

Clean slate

Can use best of class and economical solutions.

Separated systems with clear boundaries

Potential for reduced number of systems and tools

Easier to defend during an incident, assessments, or audits.

Different systems

Need for Investment

Culture change if technologies are different from what is being used tin the rest of the organization

Cordon Off What you have

Reduced culture change

Limited or no new investment


Internal organizational lines may get blurry.

May get messy to track what is and what is not affected over time.

May get very complex as groups which may have little exposure may need to comply with more requirements than they need to.

May have more assets in your boundary that what is needed with a fresh start

How do I learn more? 

Give us a call and we will be happy to help!!

Our Google Business Page: 

7 views0 comments


bottom of page