Cloud-only vs. hybrid environments

The shape of your enclave depends heavily on whether you have CUI that lives only in digital systems or whether you also have physical CUI such as manufacturing specifications on a shop floor, controlled technical documents on secure printers, or CNC machines running export-controlled programs.

Cloud-only enclaves keep everything in a FedRAMP-authorized cloud environment, and users access CUI through virtual desktops or managed devices. Physical endpoints stay out of scope, there’s no on-premises infrastructure to secure and document, and the cloud provider’s FedRAMP SSP covers a large portion of shared controls. This is the fastest path to compliance and the simplest to maintain, and it's the right choice for most knowledge workers and office-based teams.

Hybrid (bridged) enclaves connect a cloud enclave to on-premises systems via a site-to-site VPN. This brings your physical site into CMMC scope, which means physical access controls, network segmentation at the facility level, and a larger documentation burden. It's the right choice when you must handle physical CUI that can't be moved to the cloud. For example, you operate CNC machines, 3D printers, or other manufacturing equipment that processes export-controlled technical data, you have a secure print environment for CUI documents, or you run lab equipment or test systems with CUI data that can't be moved to the cloud. 

In a hybrid model, you'd typically designate a single secure room or facility area as the physical enclave boundary (rather than the entire building). Intune or your MDM solution extends from the cloud enclave to manage physical workstations within that boundary. Physical access controls, visitor logs, and clean desk policies become part of your compliance program.

The tradeoff is real: every piece of physical infrastructure within the boundary must meet CMMC requirements and be documented in your SSP. 

Step 2: Choosing your cloud platform

Once you've mapped your CUI and decided on your enclave model, you need a cloud foundation. For CMMC Level 2 that means a FedRAMP-authorized environment that meets the security requirements for handling CUI. Two platforms are well-suited to this are:

Microsoft 365 GCC High + Azure Government

Microsoft 365 GCC High is the most widely deployed platform for CMMC-compliant enclaves. It's specifically designed for organizations subject to DFARS 252.204-7012, ITAR, EAR, and CMMC, and it runs on infrastructure that's physically separate from Microsoft's commercial cloud.

With GCC High:

• Data is stored exclusively in US-based data centers staffed by US persons
• The environment is FedRAMP High authorized
• It inherits Microsoft's FedRAMP High System Security Plan, which covers a significant portion of your shared responsibility
• It includes Exchange Online, SharePoint, OneDrive, and Teams within the GCC High boundary
• It's the only Microsoft environment that supports ITAR/EAR data

A complete GCC High enclave stack typically includes:

• Microsoft 365 GCC High for email, collaboration, and document storage
• Azure Government subscription (separate from commercial Azure) for infrastructure, compute, and services
• Azure Virtual Desktop (AVD) for virtual workstations
• Azure Premium Firewall for network perimeter protection
• Microsoft Sentinel for SIEM and log management 
• Microsoft Defender suite for endpoint, identity, and cloud security
• Entra ID (Azure AD) for identity management, conditional access, and MFA
• Microsoft Intune for device management and compliance policies
• Microsoft Purview for data loss prevention, sensitivity labels, and data classification

One critical note on Microsoft licensing: GCC High runs on E3 or E5 licensing, which is more expensive than commercial M365 plans. For organizations evaluating cost, GCC High licensing is typically a significant line item. E5 licensing adds advanced security capabilities (Defender, Sentinel, Purview) that satisfy many CMMC controls out of the box, which often makes it cost-effective when you factor in what you'd otherwise spend on third-party tools.

If you're currently on GCC (not GCC High) and you have any ITAR data or think you might in the future, start on GCC High. Migrating from GCC to GCC High after the fact is a significant undertaking.

Google Workspace for Government

Google Workspace for Government (GWS) is a strong option for contractors already operating in Google-native environments or on Google Cloud Platform. It's FedRAMP High authorized, meaning it already meets the security baseline required for handling CUI.

GWS offers:

• Gmail, Drive, Docs, Meet, and the broader Workspace suite within a FedRAMP High boundary
• US-only data residency
• Strong identity management via Google Identity and support for third-party MFA
• Native integration with Google Cloud Platform for organizations running infrastructure on GCP

For organizations that have built workflows around Google tools and want to minimize migration overhead, GWS can serve as the cloud foundation for a CMMC enclave. You'll still need to configure the additional controls required by NIST SP 800-171, including SIEM, endpoint management, DLP, and boundary protection, but the FedRAMP High authorization provides a solid compliance starting point.

GWS doesn't have a native virtual desktop offering equivalent to Azure Virtual Desktop. Organizations choosing GWS will typically rely on an MDM solution for endpoint management or a third-party VDI tool for virtual workstations.

For most CMMC programs, native O365 retention won't be sufficient. SharePoint's built-in restore options are limited to item-level version history and a 14-day site collection restore window that requires a Microsoft support ticket, and the native Microsoft 365 Backup service available in commercial cloud isn't offered in GCC High. 

You'll need a third-party backup solution that's FedRAMP authorized, hosts data in US government data centers, and supports your required recovery point objectives (RPOs) and recovery time objectives (RTOs). Verify that any backup vendor you consider has FedRAMP Moderate authorization at minimum and FedRAMP High for ITAR data.

Step 4: Define your endpoint protection strategy

How your users access CUI determines whether their physical devices end up in your CMMC assessment scope. This is one of the highest-leverage decisions in your enclave architecture, and it can dramatically reduce the number of assets you have to harden, document, and maintain.

You have two primary options: virtual desktops and mobile device management. Understanding what each one does, what it doesn't do, and when to use each is essential.

Virtual Desktops (VDI)

Azure Virtual Desktop (AVD) is Microsoft's hosted virtual desktop service, running inside Azure Government. Instead of working on their local laptop, a user opens a Remote Desktop client  and connects to a full Windows desktop that lives entirely in the cloud. The session runs on the virtual machine and the user's local laptop is just a display.

For endpoints to stay out of scope, your Azure Virtual Desktop configuration must enforce the following settings:

• Disable clipboard redirection: Users cannot copy content from the virtual desktop to their local machine
• Disable drive redirection: Users cannot save files from the virtual desktop to local disk
• Disable printer redirection: Unless printing to a FIPS 800-171-compliant print system
• Disable USB redirection: No USB devices can be passed through to the virtual session
• Disable folder redirection: No local folder syncing
• Enable screen capture protection: Prevents screenshots of the virtual desktop session. 
• Require MFA on every session: Authentication can't be bypassed between sessions

One important caveat on client support: based on current Microsoft documentation, screen capture protection works automatically on Windows and macOS using the Windows App or Remote Desktop client. iOS/iPadOS and Android devices are also supported but require additional configuration, specifically, an Intune MAM app protection policy set to block screen capture (minimum Windows App version 11.2.4 for iOS, 11.0.0.94 for Android). Web browsers cannot connect at all when screen capture protection is enabled.

If your CUI users access Azure Virtual Desktop from mobile devices without the required MAM configuration in place, their devices cannot be used to keep physical endpoints out of scope. Verify your Intune configuration carefully before treating mobile users as out of scope.

Host pool configurations:

When you deploy virtual desktops in AVD, you configure what's called a host pool: a group of virtual machines that users connect to when they log in. You'll configure either pooled (N:1, load-balanced, where multiple users share virtual machines) or personal (1:1, where each user gets a dedicated virtual machine) pools. For most office productivity use cases, pooled is appropriate. For GPU-intensive work like CAD or simulation, you'll need personal pools with NV-series GPU-optimized virtual machines.

Keep one base image per host pool to ensure consistent security configurations: different images on different hosts means users could get different security settings on different logins. The number of users per virtual machine is set at pool creation and cannot be changed later, so size carefully.

User profile management:

One practical challenge with pooled virtual desktops is that users may connect to a different virtual machine each time they log in. Without a way to persist their settings and files, they'd start fresh every session. 

AVD solves this with a tool called FSLogix, which stores each user's profile settings, desktop preferences, and application data in a separate container on Azure file storage. When a user logs in, their profile loads automatically regardless of which virtual machine they're assigned to. This allows users to roam between session hosts without losing their settings. Profiles are stored on Azure file shares or Azure NetApp Files (higher performance). Configure storage access controls so only the relevant user and admins can access each profile container.

Azure prerequisites before deploying Azure Virtual Desktops

Before you provision your virtual desktop environment, a few things must already be in place and documented. Don’t skip these steps and try to configure them retroactively.

• Azure Key Vault configured for secrets and encryption key management
• Azure Firewall deployed and configured
• Network Security Groups applied to all subnets
• Microsoft Sentinel connected and receiving logs
• Storage accounts secured with appropriate access controls
• Subscription-level security configurations applied (Defender for Cloud, security policies)

These aren't just prerequisites for Azure Virtual Desktops, they're also CMMC controls that assessors will evaluate. Having them in place before deployment means your environment is compliant from day one rather than you trying to play catch-up later.

Mobile Device Management (MDM)

MDM is the endpoint strategy for companies with users who need to access CUI on physical devices. Either virtual desktops don't fit their workflow, they're field-based, or their role involves physical equipment that requires local software.

An MDM solution that's FedRAMP Moderate authorized enforces CMMC-required device configurations automatically when a device is enrolled. This includes:

• Full disk encryption
• OS patching and update management
• Password/PIN policies
• Screen lock and auto-wipe after failed authentication attempts
• Application management and restriction
• Certificate deployment for authentication
• Remote wipe capability

The key word is "automatically." A good MDM solution doesn't require your IT team to manually interpret each NIST control and translate it into a device policy. Configurations are pushed at enrollment and maintained continuously, with drift detection and alerts when a device falls out of compliance.

MDM is generally a lower-cost alternative to virtual desktops, which makes it particularly relevant for smaller subcontractors, manufacturers, and field-based teams. The tradeoff is that enrolled physical devices are in CMMC scope, which means you'll need to document them in your SSP and maintain ongoing evidence of their compliance posture.

Choosing the right endpoint solution

When to choose virtual desktops

Virtual desktops are ideal for remote and hybrid teams, knowledge workers who handle CUI regularly, and organizations that want to keep their physical device fleet entirely out of CMMC scope. They're also a good choice for teams without dedicated IT staff to manage and maintain endpoint hardening across dozens or hundreds of devices.

The primary constraint is latency. VDI experience degrades significantly above roughly 70ms latency. Before deploying, test connection speeds from the worst-case user location: a remote employee on a slow connection is where VDI falls apart, and latency is usually the top user experience complaint. Choose Azure Government data center regions that minimize latency for your team's geography.

When to choose MDM 

MDM is the better fit when your users need to work on physical devices and virtual desktops aren't practical. This includes field engineers and manufacturing staff who operate equipment that requires local software, teams that rely on iOS or Android devices for CUI access (where VDI's screen capture protection requires additional Intune MAM configuration), and organizations where the per-seat cost of virtual desktops doesn't make sense for the number of CUI users involved.

MDM is also the right call if your users are frequently in locations with poor or inconsistent internet connectivity. Latency that would make a virtual desktop session unusable is a non-issue when CUI lives on a hardened physical device.

One requirement to plan around: your MDM solution must be FedRAMP Moderate authorized. Standard commercial MDM tools, even enterprise-grade ones, aren't built to meet federal compliance requirements out of the box. Verify FedRAMP authorization before you commit to a solution, and look for FedRAMP High if you also handle ITAR data.

When to choose a hybrid approach

In practice, many organizations use both. Office workers who handle CUI regularly get virtual desktops. Field engineers or manufacturing staff who can't practically use VDI get MDM-enrolled physical devices. The boundary is maintained in both cases: CUI stays within the enclave and is accessed only through controlled, documented endpoints.

If you're using both approaches, document both clearly in your SSP, including which users use which access method and how the boundary is enforced in each case.

Plan of Action and Milestones (POA&M)

The POA&M documents any controls that aren't yet fully implemented, along with your plan and timeline for addressing them. Having gaps isn't necessarily disqualifying, but those gaps need to be documented honestly and accompanied by specific and realistic remediation timelines.

Your POA&M is directly tied to your SPRS score. The Supplier Performance Risk System (SPRS) is the DoD's scoring system for defense contractor cybersecurity. Your score starts at 110 (one point for each of the 110 NIST SP 800-171 requirements) and is reduced based on gaps. Different requirements carry different point weights depending on their importance, so a single unimplemented requirement can reduce your score by anywhere from one to five points. 

Your SPRS score is self-reported and must be submitted to the DoD's SPRS database. CMMC Level 2 requires a provisional SPRS score of at least 88 before you can proceed to a C3PAO assessment. Understand your score and any gaps before you engage a C3PAO.

Required security policies and procedures

Assessors will ask for written policies covering how your organization manages your enclave. At minimum, you'll need documented policies covering:

• Acceptable Use Policy (AUP) for enclave systems
• Access Control Policy (how access is granted, reviewed, and revoked)
• Incident Response Policy and Plan (specific to your enclave)
• Configuration Management Policy (how changes are managed and documented)
• Audit Log Review procedures
• Media Protection Policy (handling of removable media and printed CUI)
• Personnel Security procedures (user training, background check requirements, account termination)

Assessors will not accept boilerplate policies or generic templates. Make sure your documents describe your specific environment and procedures that reflect your real practices. 

Enclave-specific assessment evidence 

Your SSP and policies describe what you do, and evidence proves you do it. Before your assessment, you should be able to produce:

• Configuration exports from your cloud environment (Entra ID policies, firewall rules, MDM configurations)
• Audit logs demonstrating that logging is active and collecting the required events
• Evidence of MFA enrollment for all enclave users
• Patch compliance reports for all in-scope systems
• User access reviews showing current RBAC assignments
• Completed user training records
• Incident response test documentation

Collect this evidence continuously, not as a last-minute scramble before the assessment. Time-stamped, automatically collected evidence is significantly more credible to assessors than manually gathered screenshots that are likely out of date.

Build or buy? Choosing a DIY enclave vs. a managed solution

Now that you have a clearer picture of what goes into a CMMC-compliant enclave, the next question is: should you build and maintain your own enclave, or opt for a managed solution? Let’s take a closer look at each option.  

Building a secure enclave

Building a CMMC enclave from scratch is a substantial IT project. A DIY build requires:

• Azure Government expertise: Setting up a GCC High tenant, configuring Azure infrastructure, deploying virtual desktops, and connecting everything properly requires fluency with Microsoft's government cloud environment, which is meaningfully different from commercial Azure.
• Security engineering: Configuring Sentinel, deploying Defender, setting up conditional access policies, writing NSG rules, and configuring Key Vault correctly takes time and expertise.
• CMMC-specific knowledge: Knowing which Azure configurations satisfy which NIST controls, and how to document them for assessor review, requires familiarity with both technical and compliance requirements.
• Ongoing maintenance: The enclave doesn't maintain itself. Patches, configuration updates, new user provisioning, evidence collection, and drift detection are ongoing responsibilities.
• Documentation: Your SSP, POA&M, and policies need to accurately reflect your live environment at all times. Manual documentation quickly drifts from reality.

For organizations with a dedicated IT security team and strong Microsoft cloud expertise, a DIY build is feasible. For most small and mid-size contractors where IT is one person or a part-time function it's a significant undertaking. A misconfigured enclave creates a false sense of compliance and can fail assessment in ways that are difficult to diagnose and remediate.

Timelines are also a real factor. Building and validating a CMMC enclave from scratch typically takes months of focused effort. If your contracts are tied to specific compliance deadlines, that timeline matters.

Opting for a managed solution

A managed enclave solution like Secureframe Defense handles the infrastructure build and configuration for you, provides compliance automation tooling on top of it, and maintains the environment over time.

• Infrastructure: Your environment is deployed from a pre-configured baseline with the required CMMC security controls enforced from the start, so you're not starting from zero on control implementation.
• Documentation: Your SSP is automatically generated from your live environment, not written from a blank template. Controls are documented based on actual configuration.
• Compliance management: Instead of tracking 110 controls in a spreadsheet and figuring out which requirements apply to you or what to do first, a guided workflow breaks your compliance journey into clear, prioritized steps.
• Drift detection: Continuous monitoring flags deviations from your compliant baseline as they happen, so you can identify and fix any gaps before an assessor does. 
• Assessment readiness: Evidence is automatically collected from your environment and validated so you're ready whenever your C3PAO window opens, not scrambling in the weeks before.

For most small and mid-size contractors — especially those trying to get certified quickly to maintain contract eligibility — the build vs. buy decision usually comes down to time and expertise. For teams without deep cloud security knowledge, a managed approach gets you assessment-ready faster and reduces the risk of costly misconfigurations.

Keeping your enclave compliant over time

Building your enclave isn’t the finish line. CMMC requires continuous compliance, and the compliance posture you demonstrated during your assessment will start to erode the moment you stop actively maintaining it.

Teams get new employees and forget to provision enclave accounts correctly. Software gets updated and firewall rules change. A well-intentioned IT change loosens a security configuration. A new application gets added to the environment without going through the proper change management process. If that drift goes undetected until your next assessment cycle, you’ll have a problem.

Continuous monitoring and drift detection

Configuration drift is what happens when your live environment diverges from your documented compliant baseline. It's almost always unintentional and almost always happens gradually.

Manual periodic audits are not sufficient. By the time you do a quarterly review, the drift has already happened. What you need is automated monitoring of your live environment against your documented baseline, with alerts when something changes.

Change management

Every change to your enclave needs to go through a documented change management process, no matter how small. You’ll need: 

• A defined process for requesting, reviewing, approving, and documenting changes
• Security impact analysis before significant changes are implemented
• Documentation updates that reflect the changed configuration
• Post-change verification that the environment still meets baseline

This process doesn't need to be bureaucratic. For a 50-person contractor, your change management procedure can be a simple Jira ticket or a form-based request. What matters is that it's documented, followed consistently, and that your SSP reflects your current environment.

Adding users and changing boundaries

Onboarding a new user who needs CUI access is a compliance event, not just an IT ticket. It requires:

• Provisioning a new enclave account (separate from commercial)
• Assigning appropriate RBAC roles
• Enrolling the user's endpoint in MDM or provisioning a virtual desktop
• Completing user training and documenting completion
• Updating your SSP if the new user's role or access pattern changes your system boundary documentation

Similarly, any change to your enclave boundary (adding a new system, integrating a new application, or connecting a new physical location) requires a formal boundary review and SSP update before the change is implemented.

Collecting evidence between assessments

Your CMMC certification is valid for three years, but you should be collecting evidence continuously, not rebuilding your evidence package from scratch when your next assessment approaches. Continuous evidence collection:

• Reduces assessment preparation time dramatically
• Gives you real-time visibility into your compliance posture
• Provides a documented history that supports your SSP claims
• Makes it easy to respond quickly when your C3PAO requests specific evidence

How Secureframe Defense simplifies the process

The full scope of building and running a defensible CMMC enclave involves complex architecture decisions, configuration requirements, documentation, and ongoing compliance maintenance. It’s a significant undertaking, requiring dedicated time, resources, and technical expertise. 

Secureframe Defense is built to handle CMMC end to end, including a compliant enclave, so you don't have to piece it all together yourself.

Automated cloud provisioning

Secureframe Defense automatically provisions a CMMC-aligned cloud enclave in your choice of Microsoft 365 GCC High or Google Workspace for Government. Logging, monitoring, access control, and network segmentation are enforced from day one. There's no manual Azure configuration, no working through hundreds of pages of Microsoft documentation, and no risk of deploying an environment and then hardening it later.

The enclave is your environment and you own the tenant, but the configuration comes pre-built against CMMC requirements rather than starting from scratch.

Virtual Desktops and Federal MDM

Once your enclave is provisioned, Secureframe Defense enables users to securely access it.

Virtual Desktops are provisioned directly from the Secureframe platform. Each virtual desktop runs in Azure Government and is pre-configured to meet CMMC Level 2 technical requirements. No Azure Government expertise required, no manual configuration of AVD enforcement settings. Your team gets a familiar Windows 11 desktop experience, and their physical devices stay out of CMMC scope.

Secureframe Federal MDM is a FedRAMP Moderate authorized MDM solution for organizations that need to secure physical endpoints. When a device is enrolled, Secureframe automatically pushes all required CMMC Level 2 configurations, including encryption, patching, access controls, and configuration management, with no manual engineering effort. Compliance is continuously enforced, with drift detection and clear remediation guidance when a device falls out of configuration.

Both options tightly control CUI access, log all activity, and feed compliance evidence into your Secureframe Defense environment automatically.

Defense Navigator

Defense Navigator is the guided workflow that takes you from initial scoping to assessment readiness. It walks you through structured scoping questions, applies the relevant CMMC requirements to your specific environment, and breaks the 110 controls into clear, prioritized tasks. Your SPRS score updates in real time as you complete steps, so you always know where you stand.

Guidance is built by former federal assessors with direct CMMC Level 2 certification experience. You're following a proven path, not figuring it out as you go.

Automated Documentation

Once your enclave and integrations are in place, Secureframe generates your SSP, POA&M, and required policies directly from your live environment. Control descriptions and implementation statements are built from actual configuration data, not copied from boilerplate templates that may or may not reflect your real environment.

As your environment evolves, your documentation automatically stays current. Configuration changes are reflected in your SSP, and new and remediated gaps are updated in your POA&M. The documentation your assessor reviews matches the environment they're evaluating.

Continuous Compliance Monitoring

After certification, Secureframe Defense continuously monitors your enclave for configuration drift and compliance gaps. Automated alerts flag deviations before they become assessment findings. Evidence of device compliance, control implementation, and configuration health flows continuously into your compliance record, so your next assessment isn't a rebuild, it's a checkpoint on a program you've been actively managing.

Assessment-ready documentation

When you're ready to bring in a C3PAO, Secureframe exports a complete, properly formatted assessment package: all test evidence, SSP documentation, and the eMASS pre-assessment form. Assessors get everything they need in the format they expect, without back-and-forth or last-minute documentation fixes.

Secureframe is also a Registered Practitioner Organization and among the first organizations to achieve CMMC Level 2 certification, which means our platform is built by people who have been through the process firsthand.

Ready to see it in action? Schedule a demo or visit secureframe.com/cmmc to learn more.