The choice between a CUI enclave and full-environment scope is the first real fork in any CMMC project, and it quietly decides most of what comes after. The rule underneath it is simple: CMMC scope follows the CUI. Wherever Controlled Unclassified Information is created, stored, or moves, the 110 controls of NIST SP 800-171 have to reach — and so does the assessor. So the question becomes: how much of your environment do you let CUI touch?
The Enclave Approach
An enclave answers “as little as possible.” You deliberately corral CUI into a small, isolated zone — often a compliant cloud workspace, or a tightly controlled set of systems — and you keep it out of everywhere else. Your general office IT, the front desk, the machines that never see a controlled drawing: all of it stays outside the boundary, and outside the assessment. You've shrunk a 200-person problem down to the few systems that actually handle CUI.
The Full-Scope Approach
Full scope answers “all of it.” You bring your whole in-scope environment up to the standard and don't try to wall CUI off. That sounds expensive — and usually is — but it has a virtue: there's no boundary to police and no risk of CUI quietly escaping a zone you declared safe. For some shops, that simplicity is worth the higher cost.
| | CUI Enclave | Full Scope |
|---|---|---|
| What gets assessed | Only the isolated systems that handle CUI | Your whole in-scope environment |
| Typical cost | Lower — scales with a small footprint | Higher — every in-scope system adds cost |
| Best when | CUI lives in a few defined places | CUI is woven through the whole business |
| Main risk | CUI leaking outside the boundary | Cost and effort of securing everything |
| Day-to-day friction | Staff switch into the enclave for CUI work | Controls apply everywhere, all the time |
How to Decide
Start by honestly mapping where CUI actually lives. If it arrives through one email flow and sits in one folder that three engineers touch, an enclave is almost certainly your cheapest defensible path. If half your staff handle CUI in your main line-of-business system every day, isolating it may cost more in friction than it saves — and full scope is cleaner. Most small manufacturers land on the enclave side, which is why it's the backbone of an affordable CMMC approach.
The Catch: An Enclave Has to Actually Hold
The enclave's savings are real, but they come with one non-negotiable condition — CUI has to genuinely stay inside it. The moment a controlled drawing gets emailed to a personal account, dropped on a general shared drive, or opened on an out-of-scope laptop, your real boundary is bigger than your documented one. An assessor will find that gap, and your System Security Plan will no longer describe reality. A working enclave needs the access controls, least-privilege design, and user habits to keep CUI where it belongs — that's the part worth getting expert help on.
Get the Scope Right Before Anything Else
Scope is the decision that everything else inherits — cost, documentation, timeline, and how painful the assessment feels. It's worth slowing down to get it right before you spend a dollar on controls. If you're still earlier in the journey, see whether you even need certification in “Do I need CMMC for my contract?”, and how the platform choice interacts with scope in “Microsoft GCC High for CMMC”.
Start scoping with the CMMC Readiness Check.
Get an indicative read on your level and gaps — the first input to deciding between an enclave and full scope.
Open the readiness check
Scope It Right, Spend Less
We help small manufacturers map where CUI really lives and build a tight, defensible enclave — the controls that keep CUI inside the boundary, run as a managed service.
See CMMC Readiness Support