CMMC Compliance Guide

The Truth About CMMC Enclaves: Pros, Cons, and Compliance Risks

CMMC Compliance Guide Episode 30

Submit any questions you would like answered on the podcast!

Thinking about building an enclave for CMMC compliance? Not so fast. 

In this episode of the CMMC Compliance Guide Podcast, Austin and Brooke from Justice IT Consulting break down:

  • What an enclave actually is (in plain English)
  • When an enclave makes sense (and saves you money)
  • When it can hurt your compliance efforts
  • What assessors will really be looking for in your audit

If you’ve ever asked, “Do I need an enclave for CMMC?”, this episode is your roadmap to making the right call for your business.

Need help getting your SPRS score to 110 before the New Year?
Schedule your free SPRS Roadmap Session: https://cmmccomplianceguide.com/free-sprs-roadmap

SPEAKER_01:

Hey there, and welcome to the CMMC Compliance Guide Podcast. I'm Austin. And I'm Brooke. From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's topic is one we hear about constantly: do I need an enclave for CMMC? We're going to break down when an enclave makes sense and when it might actually create problems for you. All right, Brooke, let's start at the beginning. What exactly is an enclave?

SPEAKER_02:

An enclave is a place where you put something separate from the rest of your network. So take all your data and you separate it from the rest of your network. That's really all an enclave is. It can take lots of forms, but the idea is that an enclave lives by itself inside your network or beside your network or whatever, but it does not touch the rest of the network and vice versa. The rest of the network does not touch it. You can do this physically. You can do it virtually. You can do it with cloud resources. It can be a hybrid of one, two, or all three or whatever, but there's lots of solutions, lots of ways to achieve it. You just have to protect that data from the rest of the network.

SPEAKER_01:

So, Brooke, when does an enclave make the most sense for a defense contractor?

SPEAKER_02:

Sure. So, and I might clarify from the last question, of course, we're talking about an enclave for CUI, Controlled Unclassified Information. You don't have to put FCI necessarily in that enclave. What makes sense is if only part of your people handle CUI, then it makes sense to have an enclave to separate it out. You've got to be able to clearly identify that CUI, and you should do that from the very beginning and figure out what kind of CUI you have, figure out where it all flows, all that kind of fun stuff, and how many people handle it. How many people need to handle it? Does the HR person really need access to that CUI? Unless you're a tiny organization, my guess is probably not. Just because the HR person doesn't need access to that CUI, do you need an enclave or not? How many of those people in your organization need that access to that CUI? You might look and see how much business you have that is DOD work, that you get CUI from. If it's 25%, it may make sense to make a CUI enclave. If your company is very small, for instance, and most of your people handle CUI, then maybe it doesn't make sense. If a limited number of people handle CUI, if a limited number of your contracts are from the DOD that you get CUI from, those instances would be good candidates for an enclave. The other thing, you can save money, of course, by just restricting the enclave to a smaller subset of your company. Sometimes it'll save you some real money, sometimes it won't. Budget is definitely a consideration there, so you need to take a look at that and see what it looks like to have an enclave versus scoping in absolutely everything. Another thing is how you do business, how that enclave looks, and if that enclave makes sense for you. What is your process flow? Can it be changed? Small companies may not fit really well. If you need compliance fast, you've got to do it quickly.
I'd be very wary of CMMC compliance in a box, but there are some enclave solutions that you can deploy rather quickly and get your documentation in order, and you can do that rather quickly. It depends on how fast you can move on documentation and verifying everything and rolling that out, making sure that all your physical spaces are secured as well, because that is also part of your enclave. If you need to move fast, you might look at one of those enclave solutions. You might say CMMC in a box, I guess, but it's not really. My last note here is that you need to clearly define where CUI lives. We've already kind of talked about that, but that is of utmost importance, not only for this, but just CMMC in general. You've got to know what CUI you have, where it is, and what in the world is CUI in your environment. You've got to know all that, figure that out, figure out anything with any of your policies, anything else with CMMC, but you also need to figure that out definitely for an enclave.

SPEAKER_01:

Yeah, so I think we just invested in some upgrades to the studio. Maybe we should also get one of those counters like where you have how many days since an accident. But for our podcast, it'll be how many days since we mentioned scope, documentation, or your CUI data flow diagram. It's constantly going to be zero days since.

SPEAKER_02:

It will. It will. That'll stay at zero.

SPEAKER_01:

That jogs my memory of a conversation I was having yesterday with a defense contractor in terms of enclaves or CMMC in a box. It is generally good practice to try and limit your exposure to CUI as much as possible. Absolutely. If you're wanting to decrease your risk profile, an enclave is a way to do that. Sometimes when it doesn't make sense is when you're a manufacturer. For example, I was talking to this one company yesterday. They've done a really good job of really trying to restrict things. In a way, it's kind of an enclave, but just kind of keeping the data flowing, or CUI from their customers, going directly into their vendor that is for CUI. The problem is, and I helped them figure out yesterday, that it traverses the computer to do that. And they didn't realize that now their computers are in scope; they thought they were completely out of scope. Whether it's your clipboard, your copy-paste, or it's just you needing to get it into some G-code onto a machine or something, it traverses the computer, and the computer is then in scope from that. So you need to be careful, because sometimes an enclave works great, but you don't want to put a square peg in a round hole is what I'm trying to say.

SPEAKER_02:

You know, the one thing I might remind everybody of, and we've said this very frequently also, but it's not just where CUI is stored. Everybody falls back to that. Where is the CUI stored? It's not just where it's stored. It's where it's processed, where it's stored, and where it's transmitted, PST, right? For us, a PST is an Outlook-related thing, an Outlook email-related thing, but PST, you've got to remember that. Where's CUI processed, stored, and transmitted? If it's stored in the cloud, but you connect to the cloud with a laptop to view it, to look at it, to send it somewhere, guess what? That laptop, unless you have, well... very strict controls on the... There are some... There's one or two instances where that might not be, and that's VDI, virtual desktop infrastructure, or something like that. But otherwise, that computer connects and processes that for transmission or whatever it is, and that would be in scope, yes.

SPEAKER_01:

It's more or less directly interacting with that data, even though it's a website or something. So

SPEAKER_02:

when you design your scope, you've got to think about how do you get that data out of that enclave to a CNC machine? How do you get that data to a printer? Are the printer and the computer in the environment? Do you connect to it? How do you get the data into that environment? How do you get it out of the environment to vendors or to your shop floor, whatever it might be? You absolutely have to think about all that. And scope. I mean, again, that's all just scope. You're scoping your environment. But you've got to think about processing, storing, and transmitting CUI. All three of those.

SPEAKER_01:

Yeah, so it's a great tool in the tool belt, but you don't want to use a hammer for a screw. Use it whenever it makes sense. But that leads to a great segue to the next question. When an enclave makes sense, that's great. When does it not make sense? When can it hurt you? What are some bad scenarios? I know we already kind of mentioned a few.

SPEAKER_02:

Really, an enclave can hurt you whenever you don't take those design considerations into account. When you put this enclave in and you don't really think about what is your business process, what is the data flow. Us as IT guys, we can say, hey, this is great. You can put this in. This is how it works. And you can use it like this. And then if Charlie over here on the CNC machine brings his laptop over and plugs it into the network and into the enclave network and gets the data out and then walks it over and then plugs it into the other network, whatever it might be, then you just pierced that enclave with that laptop or a USB stick or whatever it might be, and you just expanded the scope of that. So you've got to think about that. We talk to our clients about this, and we try to make sure not just the decision makers are on the initial calls with us, but some of the people who actually do the work, you know, department managers or whatever it might be, that they actually can be part of that. Because the CEO might say, yeah, this is the way we do things. And Charlie comes over and says, actually, this is the way we do things. So it really helps to have that whole view of what the business process is. So you can change the business process or you could modify your scope to better suit how business is done. Talking about this, I kind of oversimplified or generalized really, but to put it in more concrete terms to get your mind wrapped around this: if you say we've got GCC High for a subset of our users and all of our information is in GCC High. Great. That's wonderful.
How do you get it in and out of that environment to vendors or customers? And how do you get it in and out of that environment to any other internal systems it goes to? Are you a manufacturer, and you need to pull it out of there and get it to a CNC machine? Same thing with something like PreVeil. You know, it's a fine solution, you can use that, but it's the same thing: how do you use PreVeil, how does it go in and out of that system, where all does it go, and is that truly where all the data, all the CUI, really is? You know, and not just where it's stored, again, but where it's processed, stored, or transmitted.

SPEAKER_01:

Okay, so let's say you're a defense contractor and you decided to go the enclave route and keep your CUI within it. What are assessors looking for, which is really what matters? I talk about this all the time: you know, we can have all these arguments or philosophical discussions, but nothing really matters except for what the assessor says. He's the one giving you the stamp of approval. Yeah. So what will assessors be looking for during a CMMC audit or assessment when you have an enclave?

SPEAKER_02:

Well, first thing... I should have my favorite shirt on that says documentation, documentation, documentation, right? So we'll talk about that again, and that counter goes back to zero. Yep. But they'll be looking for it to be clearly defined and laid out so they can understand it. It's got to be written so that not just that IT person can understand it, or that internal CMMC guy, right? It's got to be written so other people understand what's going on. All your employees that have to deal with it have to understand, you know, how to use it, what it is, all that kind of fun stuff. They have to be aware of your SSP and your policies. Clear documentation, clearly defined, clearly laid out what it is. The clear separation between that and your non-CMMC, non-CUI network, right? If you have a CUI network and then you say the FCI is in the rest of the network, you can live in the rest of the network. There's got to be clear separation. It's got to be understandable. I heard one webinar with some assessors on it yesterday or the day before. They were talking about how it's great to have an enclave or these diagrams that show us how things work, but if it's a big diagram full of spaghetti strings, it's going to be really hard to understand. This goes back to you want to make things easy for the assessor, make them happy. You want those assessors to be happy. It's got to be clearly defined and there's got to be a clear separation, clear scope for it.

SPEAKER_01:

And not all assessors are technical by nature. So if you're an IT guy or someone who is technical, putting your SSP and POAM together and you're speaking in tech terms or geek speak, that might mess you up.

SPEAKER_02:

Right. And I might point out, all of them should be technical to some degree, but a lot of them have been out of the day-to-day IT tech work for quite a while doing these assessments, these types of assessments and assessments for other things. They're involved in security, they're involved in tech, they're involved in data management and everything, but they may not be involved in, which is what you're talking about, day-to-day tech work, and understand

SPEAKER_01:

they're not configuring switches and routers and stuff on a daily basis. They

SPEAKER_02:

don't care about the specific IP addresses. They don't care about, you know... You need to paint the picture. Yes. Yeah, yeah. So, speaking about network diagrams and whatnot, that's part of the documentation, and they'll want to see those diagrams. That's part of explaining and laying out the whole picture. And, of course, it should go without saying, but your enclave has to meet all 110 controls and 320 assessment objectives.

SPEAKER_01:

Absolutely. That's, again, that company I was talking to yesterday. One thing that I was trying to portray to them is that now that those computers are in scope, because the CUI traverses that computer, that computer has to meet all 110 controls. Having an antivirus doesn't just make it secure; all 110 controls in NIST 800-171 Rev 2 right now need to be applied to that computer because it has CUI. And sometimes that's a hard pill to swallow. It is. But yeah, anytime you have CUI, like what you're doing with the enclave, you're trying to limit how far things go, and you don't realize that you need all protections on those things. So

SPEAKER_02:

it's kind of like, I mean, the same thing happens in your non-CUI network. We're always talking about shadow IT. Instead of calling IT and trying to get wireless fixed in a certain area, does somebody bring a little wireless router in and plug it in and just connect to that and get their good wireless? We have seen that before, where a company didn't want to spend money on redoing their wireless, and so they would just buy it wherever they needed better wireless. They'd just buy a little wireless, not an access point, but a router, a wireless router, and go plug it in, plug it into the network, and use it where they needed it. And that happened at one time. Alarm bells went off. The SIEM alerted us. You know, we were all hands on deck, trying to figure out what in the world was phoning back to China. So we narrowed it down, and it turned out it was an off-the-shelf, cheap little wireless access point or wireless router that somebody plugged in, and we're like, you know, you can't do that, especially since you're CMMC. But yeah, that happens in regular networks. And really, if you sit back and look at it, there are a couple of onerous things in it. But at least all the NIST 800-171 controls are pretty straightforward, pretty right on, good security that you want to have. You know, it doesn't even really go that much in depth into really deep, good cybersecurity. There's a lot of stuff it leaves off, but it's good, basic cybersecurity, with a couple of onerous things in it. But other than that, it's really good. So the bar is not even that high for 800-171. It's a really good set of controls to adhere to.

SPEAKER_01:

You might get some hate mail after that comment. The bar's not that high. I might get some hate mail. We'll put your address down here. Right.

SPEAKER_02:

So really, the onerous thing about this whole CMMC thing is documentation. That's one of the big things. You should document everything anyway, but there is a ton, a ton, a ton of documentation that you have to do. There's a lot of documentation you should do with your networks anyway that people just don't do. They depend on that one IT guy to keep everything filed away up here in their mind. He's busy fighting fires all day long. Yeah, and they're busy fighting fires. But there's my soapbox about NIST 800-171. All the technical controls, they're pretty much right in line. You really need to do all those

SPEAKER_01:

anyway. Well, your story about the cheap router just kind of brings up a point that we talk about a lot here internally at our company. I don't know that we mention it a lot on the podcast or facing out to the public, and that is: everyone's gut instinct is to implement controls with a technical tool or a piece of software or some policy you can configure that prevents something. But at the end of the day, a large amount of the controls and the things that you have to implement are controlling people's actions, and are people-based and documentation-based. There's no amount of technical control or software that you can buy that can prevent that person from walking in and plugging that thing in. You could even get AI cameras and put them in the parking lot and guess what's in people's pockets. But why do all that whenever you can just have a policy that says, hey, don't do this. Don't click on that. And then train them, you know, because, yeah, don't click on that. Don't bring this in. Don't do that. And then your technical controls, your security implementation, is more or less designed to be the safety net. So you really need to start with the people, the processes, the documentation, and then you kind of fill it in with the technical controls that you can implement in a reasonable nature that satisfies the objectives and the controls after that. Start with the people, process, documentation first.

SPEAKER_02:

Yeah, absolutely. Training is one of those examples. You don't have to have an electronic security awareness training platform. You can do your training manually. You can hold a class and do this training and then write it down, document it. At some point you'll have to... I guess you don't have to necessarily. Well, at some point you will. But at some point you'll have to take that piece of paper and you'll have to copy it and upload it for proof that you actually did that training and have people sign off and all that. But the point is you can conduct that training manually if you want to. You don't have to have an electronic platform to do that. It's a lot easier. Yeah. It's a lot easier to implement and take care of and stay on top of than, you know, Joe Blow having 10 hats that he wears and trying to remember they need to do training again, you know. Right. Before, you know, hold a training class. Yeah. Definitely.

SPEAKER_01:

Yeah, there's some places where, you know, I think just like you said, a software system for that makes it much easier. And then on the other side of things, we walked into a defense contractor the other day here locally, and you have to sign people in, especially if you have ITAR stuff, you know. A lot of people go the clipboard route, you know, and badges and a log. It's simple, it's reliable, and in the scheme of things it's pretty cheap or affordable. But this place had a real nice fancy camera and iPad system and a printer for badges, instant badges being printed and everything, and it didn't work. We had a heck of a time trying to get it working. Anyway, so I've never walked into a defense contractor where the clipboard didn't work. So if you're at home listening to us and you're thinking about pulling the trigger on an enclave, what questions should you ask yourself before proceeding? Do you know what CUI is? Do

SPEAKER_02:

you know what CUI you have? You have to define and understand what you're trying to protect, what you might want to make an enclave for, before you even attempt to do that, to think about it. Right. So understand what CUI is, what CUI you have, understand what it is in your environment that is CUI. Right. And that's the first thing you gotta kind of figure out. Then you gotta think about how many people need access to that CUI? How many people truly need access to that CUI?

Can I keep that CUI separate from FCI? Because that'll narrow it down a lot. Your accounting people, they might need access to that FCI to bill and stuff like that, but they don't necessarily need access to the CUI. So can you limit it by the number of people that touch CUI? Or think about how much your business is with the Defense Department. Is it 25%? Is it easily... Can I limit it to certain machines? Can I limit it to certain CNC machines, for instance? Can I limit it to certain computers that have access and not others? Again, that kind of goes back also to how many people access the CUI, but what is your percentage of business? Because even if your percentage of business is 100% DOD, maybe not that many people access the CUI. Maybe your CNC folks and your design folks access it, but nobody else does. Percentage also matters, too, because that will also guide you on how many people need access to it as well. Can you support a dual... it's going to end up being a dual setup, right? Because you have to have... and you can argue the definition of that. But what I mean is you're going to have an enclave you have to take care of that needs to stay CMMC compliant. And you can't just pierce that veil just to make things easy. This is what we talked about a while ago. So you're going to have to maintain two separate environments. How are you going to do that? Are there people that work on CUI DOD work, and do those same people work on non-DOD work that's not in the enclave? And how do they do that? Is it the same part with a couple of little different things that's CUI? So you've got to kind of figure that out. That's your workflow, right? There's your process. How are these people working now? How can we leave that unchanged at most? Or how can we leave that most unchanged, right? And you may have to completely change up the way they work, which is fine. Sometimes you just got to upend people and say, hey, here's a new way to do it.
This computer is used for all your other work. This computer is used for your DOD work that has CUI, right? So those are the things you can think of. So, August of 2025, from this point I would say if you're not well on your way to having all your controls and assessment objectives fully met, fully implemented, then you need to start right now. Because the likelihood is, and we won't get into the whole timeline, but the likelihood is that 48 CFR is going to come out around October. It could be September. It could be November. But that's what everybody expects to see. And I know that you can say, yeah, they said that before and blah, blah, blah. But there's a lot of reasons for that. And I really think they're going to come out with it September, October, November, right around that time frame. It aligns with a whole lot of stuff. And they're really pushing. They know they need it. And then it's got four phases to it. The first phase is planning, pretty much what everybody is doing now, except with a little more teeth in it and a definite, hundred percent timeline. No more guessing after it drops. So if it drops in October, you can expect to see a year later and, depending on whether they hold to the 60 days before it fully implements or not, I just kind of thought they would, but I've heard several people say that they don't have to, and they might not, because they see this as not a significant economic impact. Now that you've fallen over on the floor, you can get back up for a second and listen. Not to everyone I talk to. There's a reason for that. But anyway, the point is they don't necessarily have to wait 60 days. But if they do, you're talking about December of '25 when it goes into effect, and then December of '26 when CMMC is required, a Level 2 certification is required to get a contract award. And then...
Contractors, the prime contractors, are already requiring, asking for, not requiring necessarily yet, but they're really pushing heavy to get their subcontractors certified. They're asking, you know, hey, we need you to show us a date when you're scheduled to have your certification assessment, right? And so all that dialogue is to tell you, I wouldn't wait. I would start now and make sure you get everything implemented and you're not rushing at the very end. If you do find yourself rushing at the very end, or maybe a prime contractor says, you know, I need to win this contract, you've got to have that certification in hand, then maybe you do say, hey, I'm gonna hurry up, I'm gonna implement this enclave, and if it upends the way we do work, that's fine. So maybe that's a good reason to implement an enclave right now. There could be a reason why you have to, and why you would want to, implement it quickly, within a few months. If you want to start from zero and get done, a very well-defined enclave would help you do that quickly. But you've got to either make your business fit it or make it fit your business, however you want to phrase that. Generally, that takes a little longer, but if you're going to do it, an enclave will help you do that quicker.

SPEAKER_01:

And sum that up in plain English terms, as the late, great Ricky Bobby said, if you ain't first, you're last, and Uncle Sam's trying to be first. They're pushing hard on this thing. They are pushing hard on this thing. They're not kicking the can much longer, they seem.

SPEAKER_02:

No, they're not. And the sad thing is you will see some really small companies will fall out most likely because of this. And there may be some other ones that aren't necessarily very small, but they decide that they're going to pass on it because they don't have enough business, they think, to support it. The other thing I'll say there is that since there are going to be people falling off, you can use this to your advantage to win more of those DOD contracts.

SPEAKER_01:

As always, thank you, Brooke. We appreciate it. And to the audience, if you have any questions about what we covered, please reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant. Stay secure. Please make sure to subscribe.