Cybersecurity Journey: Building a Secure Enclave to Protect CUI
What’s New (Updated CUI Scoping & Enclave Requirements)
This blog reflects current CMMC enforcement following publication of the DFARS acquisition rule in September 2025, effective November 10, 2025. Organizations handling Controlled Unclassified Information (CUI) must now demonstrate compliant scoping, enclave design, and evidence-backed implementation at contract award. This post updates references to CMMC that previously described the program as imminent or upcoming.
Understanding CMMC Requirements in Today’s Compliance Environment
Get ready to take charge of your Cybersecurity Maturity Model Certification (CMMC) compliance journey by establishing a strong foundation for success in the evolving landscape of defense contracting. With CMMC now enforced through DoD solicitations, one of the crucial initial steps involves determining the scope of the systems responsible for handling controlled unclassified information (CUI).
This process often leaves organizations searching for clarity to define what’s within the boundaries for evaluation and what falls outside. Under active enforcement, improper scoping or unclear enclave boundaries can directly impact assessment outcomes and contract eligibility.
In a recent Exostar webinar with trusted partner RSM US LLP, we cover the essential skills required to confidently answer this critical question and properly scope and build your CUI secure enclave. Watch the recording for valuable insights and practical strategies to address compliance issues and support assessment-ready implementation.
This webinar can help elevate your organization’s cybersecurity posture and tackle NIST 800-171/CMMC compliance issues. Topics covered include:
- Identifying your boundary: Understand compliance scope, manage data flow efficiently, and gain practical techniques to achieve compliance
- Building your secure enclave: Strengthen security with architectural principles, technical controls, and alignment with CMMC/NIST 800-171
- Enclave security design costs and considerations: Make informed design choices, optimize compliance, and streamline the process with expert insights on security and cost drivers and solutions
With CMMC now in effect and requirements appearing in DoD solicitations, be prepared to meet compliance standards and thrive in the ever-evolving cybersecurity and compliance landscape. Under active CMMC enforcement, the consequences of non-compliance include ineligibility for contract award, operational disruption, and increased security risk.
Understand your relationship with CUI and its impacts on your business
External factors:
- Your Customers — agencies you work with
- Your Partners — your primes and subs as well as their requirements to work together
- Your Contracts — clauses that are already in your contracts
- Your Future — where your business will be in 2-3 years
Internal factors:
- Your Data
  - Do you have CUI?
  - Do you have export-controlled data?
  - Can you segment it from the rest of the organization?
- Your People
  - Who directly interacts with CUI? Who indirectly interacts with CUI?
  - Which systems store, process, or transmit data?
- Your Sources
  - Where do you get CUI or send it inside and outside of your organization?
To better understand CUI, consider the following categories and examples:

CUI data flow diagrams demonstrate that the organization has a comprehensive understanding of the interconnected business processes handling CUI. This helps ensure that associated business processes are not missed and provides insight on where to apply applicable, mandated regulatory controls.
Drivers of your strategy include the level of knowledge of the business and the data, technical debt, documentation, any previous investments, resources, expertise, and availability.
Costs can be direct, such as internal resources and consultants, or indirect, such as organizational impact beyond IT and business process changes.
Understanding Options: Secure Enclave vs All-In
The table below compares pros and cons of the Secure Enclave option — a separate environment isolated from the corporate environment — versus the All-In option — a full configuration of corporate environments to meet CMMC requirements. Turning to a managed, enclave-based solution (like Exostar’s Managed Microsoft 365™) can help mitigate potential risks associated with full-environment compliance.

Building out a secure enclave and how to best protect data
In the webinar recording, we go through the details of a secure enclave build-out, including the following steps:
- Discover — CMMC Readiness Assessment
- Design — POAM and SSP development
- Deploy — Training and organizing team members
- Optimize — Joint surveillance
You’ll also learn about protecting data, for example with sensitivity labels, which act as stamps for corporate documents and files and let you classify and protect your organization’s data while making sure that user productivity and the ability to collaborate aren’t hindered.
The discussion explores the sea of vendors involved at each point, to take care of Identity and Threat Protection, Device & Apps Management, and Information Protection and Governance.
Last but not least, discover how everything fits together with Microsoft tools that you are already using.
If your organization is unsure whether its CUI scoping or enclave design will withstand assessment scrutiny under the Final Rule, now is the time to reassess. Explore structured approaches that help defense contractors define boundaries, document controls, and prepare assessment-ready evidence.
You are welcome to schedule a conversation with a cybersecurity expert at Exostar® for information about the best solutions for your organization.
What Your Company Needs To Do Now
Organizations should confirm whether Level 2 requirements apply to their contracts, clearly document CUI scope and enclave boundaries, and ensure SSPs accurately reflect where CUI is stored, processed, and transmitted. Validate that enclave controls align with NIST SP 800-171, assign ownership for enclave governance, and prepare evidence demonstrating segmentation and access control. Proper scoping now reduces risk during self-assessment or C3PAO evaluation.