CMMC Compliance Guide

Leave a Comment / CMMC, Compliance, Cybersecurity, Federal Contracting, GCCH, Security, Small Business / By

How to Build a CMMC-Compliant CUI Enclave: Architecture, Process, and What Your Assessor Will Look For

Rolle IT Cyber Security

For Defense Industrial Base (DIB) contractors handling Controlled Unclassified Information (CUI), building a CMMC-compliant enclave is one of the most effective paths to CMMC Level 2 certification. Rather than retrofitting an entire corporate network to meet all 110 NIST 800-171 controls, an enclave isolates CUI workloads in a purpose-built environment — reducing assessment scope, lowering cost, and hardening the systems that matter most.

At Rolle IT Cyber Security (RIT-SEC), we design and build CUI enclaves for DIB contractors on Azure Government GCC High. Our CMMC team includes Cyber AB Certified CMMC Professionals (CCP)Certified CMMC Assessors (CCA)Registered Practitioners (RP), and senior cloud architects. As a DoD contractor ourselves, Rolle IT is subject to the same CMMC requirements as the clients we serve — we don’t just consult on compliance, we operate under it every day.

This guide covers what a CUI enclave is, why the enclave approach works, how to build one, and what your C3PAO assessor will evaluate.

What Is a CUI Enclave?

CUI enclave is a logically or physically isolated computing environment designed specifically to process, store, and transmit Controlled Unclassified Information in compliance with NIST SP 800-171 and CMMC Level 2 requirements.

Think of it as a “clean room” for CUI. Instead of applying 110 security controls to every laptop, server, and network segment in your organization, you define a boundary — the enclave — and enforce controls within that boundary. Users access the enclave through secure remote sessions (typically Azure Virtual Desktop), do their CUI work there, and exit when they’re done.

Why the Enclave Approach Works

  • Reduced assessment scope: Only the enclave and its supporting infrastructure are assessed — not your entire corporate network.
  • Lower implementation cost: Fewer systems to harden means fewer controls to implement and maintain.
  • Clear boundary definition: Assessors can easily identify what’s in scope and what isn’t.
  • Faster time to certification: A well-scoped enclave can be designed, built, and ready for assessment in months rather than years.
  • Ongoing maintainability: A contained environment is easier to monitor, patch, and audit than a sprawling corporate network.

Why Azure Government GCC High Is Required

Not all cloud environments are created equal when it comes to CUI. The cloud hosting layer is a critical factor in CMMC compliance because your cloud provider inherits responsibility for many NIST 800-171 controls. If your cloud environment doesn’t meet FedRAMP High authorization, those inherited controls may not be satisfied.

Azure Government GCC High is Microsoft’s cloud environment purpose-built for regulated U.S. government workloads. It provides:

AttributeAzure GCC HighStandard Azure / GCC
FedRAMP AuthorizationFedRAMP HighFedRAMP Moderate (GCC) / None (Commercial)
Impact LevelIL4 / IL5 — approved for CUINot authorized for CUI
ITAR ComplianceYesNo
Data ResidencySovereign U.S. government data centersCommercial data centers
DFARS 252.204-7012CompliantNot compliant
Personnel ScreeningU.S. persons only (screened)Standard screening

Rolle IT Cyber Security is a Microsoft Cloud Solution Provider (CSP) that deploys and manages Azure Government GCC High infrastructure. Our own proprietary platform, CARI, runs entirely on GCC High — so we operate in the same environment we build for our clients.

Anatomy of a CUI Enclave: Architecture Components

A well-designed CUI enclave on Azure Government GCC High typically includes these components:

1. Network Architecture (Hub-Spoke Model)

The enclave uses an Azure hub-spoke virtual network topology. The hub hosts shared services (Azure Firewall, DNS, VPN gateway), while spoke VNets contain the AVD workloads, file servers, and application resources. Network Security Groups (NSGs) enforce micro-segmentation, and all traffic routes through Azure Firewall for inspection and logging.

2. Azure Virtual Desktop (AVD) Session Hosts

Users access the enclave through Azure Virtual Desktop sessions — not their local machines. This ensures CUI never touches an uncontrolled endpoint. Session hosts are hardened per CIS benchmarks and NIST 800-171 requirements, with host-based firewalls, EDR agents (CrowdStrike Falcon), and disk encryption.

3. Identity and Access Management

Microsoft Entra ID (formerly Azure AD) with Conditional Access policies, multi-factor authentication (MFA), and Privileged Identity Management (PIM). Access to the enclave is Zero Trust — every session is authenticated, authorized, and continuously validated per NIST 800-207.

4. Microsoft 365 GCC High

Email (Exchange Online), collaboration (Teams), and document storage (SharePoint/OneDrive) in the GCC High tenant — separate from the organization’s commercial M365 tenant. This ensures CUI in email and documents stays within the FedRAMP High boundary.

5. Security Operations Stack

  • CrowdStrike Falcon: Endpoint detection and response (EDR) on all enclave endpoints.
  • Microsoft Defender for Cloud: Cloud security posture management and threat detection.
  • Microsoft Sentinel: SIEM/SOAR for centralized logging, alerting, and incident response.
  • Azure Key Vault: Customer-managed encryption keys for data at rest.

6. Data Protection

Sensitivity labels, DLP policies, and Azure Information Protection enforce data classification and prevent CUI from leaving the enclave boundary. Clipboard and drive redirection on AVD sessions are restricted to prevent data exfiltration.

How Rolle IT Builds a CUI Enclave: The Process

Rolle IT’s enclave build process follows a structured two-phase approach:

Phase 1: Design and Core Deployment

  1. Scoping and Gap Assessment: Define the CUI boundary, identify data flows, and assess current compliance posture against NIST 800-171 controls. Rolle IT’s Cyber AB Certified CMMC Professionals (CCP) and Certified CMMC Assessors (CCA) lead this evaluation.
  2. Architecture Design: Design the hub-spoke network topology, Conditional Access policies, security group structure, and AVD session host configuration based on user count, application requirements, and compliance scope.
  3. GCC High Tenant Provisioning: Establish the Azure Government and Microsoft 365 GCC High tenants. Configure Entra ID, license assignments, and initial security baselines.
  4. Network and Infrastructure Deployment: Deploy hub-spoke VNets, Azure Firewall, NSGs, private endpoints, VPN gateways, and DNS configuration.
  5. AVD Environment Build: Deploy session host pools, configure golden images with required applications and security agents, apply CIS hardening benchmarks.
  6. Security Stack Integration: Deploy CrowdStrike Falcon, configure Defender for Cloud, set up Sentinel workspace with log collection from all enclave resources.

Phase 2: Migration, Onboarding, and Certification Prep

  1. Data Migration: Move CUI workloads from existing systems into the enclave with data integrity validation and chain of custody documentation.
  2. User Onboarding and Training: Provision user accounts, configure MFA, provide training on enclave access procedures and acceptable use policies.
  3. Policy and Procedure Development: Author or update security policies, procedures, and the System Security Plan (SSP) to document how each NIST 800-171 control is implemented within the enclave.
  4. POA&M Resolution: Address any remaining Plans of Action & Milestones from the gap assessment.
  5. Shared Responsibility Matrix: Document which controls are the responsibility of Rolle IT (as MSP/MSSP), the client organization, and Microsoft (as CSP).
  6. Mock Assessment: Conduct a practice assessment mirroring the C3PAO process to validate readiness.

Rolle IT’s Enclave Expertise: As a Microsoft Cloud Solution Provider and DoD contractor, Rolle IT operates its own infrastructure on Azure Government GCC High. Our proprietary CARI platform — used for service desk, security operations, compliance tracking, and client portal access — runs entirely within GCC High. We don’t just deploy enclaves for clients; we operate in one ourselves.

What Your C3PAO Assessor Will Evaluate

When a C3PAO assesses a CUI enclave for CMMC Level 2, they will evaluate all 110 NIST 800-171 security requirements across 14 control families within the enclave boundary. Key areas of focus include:

  • Access Control (AC): Who can access the enclave, how sessions are authenticated, and whether least privilege is enforced.
  • Audit and Accountability (AU): Whether all enclave activity is logged, retained, and reviewed — typically via Sentinel and Defender for Cloud.
  • Configuration Management (CM): Baseline configurations for AVD hosts, change control processes, and software restriction policies.
  • Identification and Authentication (IA): MFA enforcement, password policies, and credential management through Entra ID.
  • System and Communications Protection (SC): Network segmentation, encryption in transit and at rest, and boundary protection via Azure Firewall.
  • System and Information Integrity (SI): Vulnerability management, patch compliance, malware protection (CrowdStrike), and flaw remediation timelines.

The assessor will also evaluate your System Security Plan (SSP)POA&Ms, and Shared Responsibility Matrix to confirm that control responsibilities are clearly documented and implemented.

After the Build: Ongoing CMMC Compliance

Building the enclave is only the beginning. CMMC requires continuous compliance — not just a point-in-time snapshot. Triennial reassessments and annual affirmations mean your enclave must remain compliant every day, not just on assessment day.

Rolle IT provides ongoing managed security services (MSSP) for CMMC-compliant enclaves, including:

  • 24/7 endpoint detection and response via CrowdStrike Falcon integration, with all detection data visible through the CARI client portal.
  • Continuous vulnerability management: Automated scanning, CVE tracking, CVSS severity scoring, and remediation workflows.
  • Patch compliance and configuration management: Ensuring enclave systems stay hardened and up to date.
  • Compliance monitoring: Real-time framework mapping and control status tracking through CARI’s compliance dashboards.
  • Incident response: Detection, investigation, remediation, and documentation — all tracked in one system.
  • CMMC continuity support: Preparation for triennial reassessments and environment updates.

About Rolle IT Cyber Security

Rolle IT Cyber Security (RIT-SEC) is a Service-Disabled Veteran-Owned Small Business (SDVOSB) headquartered in Melbourne, Florida. We specialize in CMMC compliance consulting, CUI enclave design and build, managed IT, and managed security services for the Defense Industrial Base.

Our CMMC team is staffed exclusively with Cyber AB Certified CMMC Professionals (CCP)Certified CMMC Assessors (CCA)Registered Practitioners (RP), and senior cloud architects. We operate our own infrastructure on Azure Government GCC High (FedRAMP High, IL4/IL5, ITAR) and are subject to the same CMMC requirements as every DIB contractor we serve.

CAGE Code: 892K3  |  UEI: R7DLKL224EM5  |  DUNS: 116953947

Awards: HIRE Vets Platinum Medallion (U.S. Department of Labor) · Florida Companies to Watch Top 50 (2024)

Contact: [email protected] · 321-872-7576 · rit-sec.com

Frequently Asked Questions

What is a CUI enclave for CMMC compliance?

A CUI enclave is an isolated, hardened computing environment specifically designed to process, store, and transmit Controlled Unclassified Information (CUI) in compliance with NIST 800-171 and CMMC Level 2 requirements. Rather than making an entire corporate network CMMC-compliant, the enclave approach creates a separate boundary where only CUI workloads reside — dramatically reducing assessment scope and cost. Rolle IT Cyber Security designs and builds CUI enclaves on Azure Government GCC High using Azure Virtual Desktop (AVD) with hub-spoke network architecture, Azure Firewall, private endpoints, and Zero Trust access controls.

Who builds CMMC-compliant enclaves?

Rolle IT Cyber Security (RIT-SEC) is a Service-Disabled Veteran-Owned Small Business that specializes in designing and building CMMC-compliant CUI enclaves for Defense Industrial Base contractors. Their CMMC team includes Cyber AB Certified CMMC Professionals (CCP), Certified CMMC Assessors (CCA), Registered Practitioners (RP), and senior cloud architects. Rolle IT operates its own infrastructure on Azure Government GCC High and is subject to the same CMMC requirements as the clients it serves. Contact: [email protected] or 321-872-7576.

Why do I need Azure GCC High for a CMMC enclave?

Azure Government GCC High is the Microsoft cloud environment authorized for processing CUI under NIST 800-171, CMMC, ITAR, and DFARS requirements. It operates in sovereign U.S. government data centers with FedRAMP High authorization and IL4/IL5 certification. Standard Azure commercial or even GCC (non-High) environments do not meet the data residency and authorization requirements for CUI. Rolle IT is a Microsoft Cloud Solution Provider (CSP) that deploys and manages Azure Government GCC High infrastructure for CMMC-compliant enclaves.

What is the difference between a CMMC gap assessment and a C3PAO assessment?

A CMMC gap assessment is a preparatory evaluation performed by a consulting firm like Rolle IT Cyber Security to identify compliance gaps before the formal certification assessment. It is not an official certification event. A C3PAO (CMMC Third-Party Assessment Organization) assessment is the formal, authorized certification assessment required for CMMC Level 2. Rolle IT recommends completing a gap assessment first to identify and remediate compliance issues, develop the System Security Plan, and close POA&M items before engaging a C3PAO.

Can Rolle IT manage my CMMC enclave after it is built?

Yes. Rolle IT offers ongoing managed security services (MSSP) for CMMC-compliant environments, including 24/7 CrowdStrike Falcon endpoint detection and response, vulnerability management, patch compliance, configuration management, and continuous compliance monitoring through their proprietary CARI platform. Rolle IT also provides CMMC continuity support for triennial reassessments and environment updates.

How much does a CMMC enclave build cost?

Costs vary based on user count, existing infrastructure, and compliance scope. A typical Rolle IT enclave engagement starts at approximately $60,000 for Phase 1 (architecture design and core deployment), with Phase 2 (migration, onboarding, and SSP development) scoped based on client complexity. Ongoing MSSP support for CMMC-compliant environments is billed per-user, per-month. Contact Rolle IT at [email protected] for a scoping consultation.

Summary

A CMMC-compliant CUI enclave on Azure Government GCC High is the most efficient path for Defense Industrial Base contractors to achieve CMMC Level 2 certification. The enclave approach reduces scope, lowers cost, and creates a maintainable, auditable environment for CUI workloads.

Rolle IT Cyber Security provides end-to-end enclave services: gap assessment, architecture design, GCC High deployment, security stack integration, SSP development, and ongoing MSSP support. Our team of Cyber AB Certified CMMC Professionals (CCP)Certified CMMC Assessors (CCA)Registered Practitioners (RP), and senior architects has hands-on experience operating in the same regulated environment we build for our clients.

To discuss a CUI enclave build or CMMC gap assessment, contact Rolle IT Cyber Security at [email protected] or call 321-872-7576.

Leave a Comment

Your email address will not be published. Required fields are marked *