Defense contractors handling Controlled Unclassified Information now face a choice that shapes their entire compliance budget: lock down the whole organization, or draw a tight boundary around CUI and protect only that. The second path is known as the CMMC enclave. For many companies in the Defense Industrial Base, it is the faster, more affordable, and more operationally sensible route to certification, but only if it is scoped and implemented correctly.

This article explains what a CMMC enclave is, how it differs from enterprise-wide compliance, and what it takes to build one that will actually hold up under assessment.

What Is a CMMC Enclave?

A CMMC enclave is a logically or physically isolated segment of your IT environment where all CUI is processed, stored, and transmitted. Everything inside the enclave boundary is in scope for a CMMC assessment. Everything outside is not.

Think of your company as a building. The enclave is a locked, monitored room inside it. Only specific people are authorized to enter, all activity within the room is logged, and the security controls governing the room are documented and continuously enforced. The rest of the building operates normally, unaffected by the rigorous controls applied inside.

The concept is explicitly supported by DoD guidance. The CMMC Level 2 Scoping Guide states that organizations “may limit the scope of the security requirements by isolating the designated system components in a separate CUI security domain.” That isolation can be achieved through physical separation, logical separation, or a combination of both.

How a CMMC Enclave Differs from Enterprise-Wide Compliance

Enterprise-wide compliance means applying all 110 NIST SP 800-171 controls across your entire organization: every endpoint, every user account, every application that touches any part of your network. That is the default interpretation many contractors start with, and it is expensive. A larger scope means more assets to harden, more users to train, more systems to document, and a bigger, more complex assessment.

An enclave approach inverts the logic. Instead of bringing the whole organization up to CMMC Level 2 standards, you identify the minimum set of systems and users that genuinely need to touch CUI, and you apply full controls to only that subset. The result is a smaller, focused compliance footprint.

The financial difference is real. Published case studies show that well-scoped enclaves reduce CMMC implementation costs by 20 to 45 percent compared to enterprise-wide approaches. A 40-person manufacturer, for example, reduced its projected CMMC implementation cost from $140,000 to $78,000 by migrating CUI into a cloud-based enclave. The savings compound: fewer assets to secure, fewer people to train, a smaller assessment scope, and lower ongoing maintenance costs year after year.

Physical Separation vs. Logical Separation in a CMMC Enclave

The DoD’s own scoping guidance is clear that security domains may use physical separation, logical separation, or a combination of both. Understanding the difference matters because your choice affects architecture, cost, and how an assessor will evaluate your boundary.

Physical separation means CUI assets live on dedicated hardware, in a separate room or cage, disconnected from general-purpose networks at the cable level. It is the most defensible form of separation, but it also carries higher hardware costs and operational overhead. For some regulated environments, particularly those subject to Level 3 requirements or handling the most sensitive categories of CUI, physical separation may be necessary.

Logical separation uses network segmentation, firewall rules, VLANs, and access controls to isolate CUI assets within a shared physical infrastructure. It is cheaper, faster to implement, and the more common approach for CMMC Level 2 enclaves, but it requires architectural rigor. A VLAN boundary that is not technically enforced, or a firewall rule that permits general IT traffic to reach CUI systems, will not hold up during assessment.

A critical point the DoD has reinforced in its updated FAQ guidance: logical separation must be provable and documented. Saying you have logical separation is not enough. You need enforceable architecture, tested configurations, and the documentation to demonstrate both.

Important: A common mistake is treating logical separation as a policy statement rather than an architectural fact. Assessors will test your boundary controls, not just read your System Security Plan. If traffic can flow between your corporate network and your CUI enclave, even indirectly, the enterprise network may be pulled into scope.

Why CMMC Scoping Matters Before Choosing an Enclave Approach

Scoping is the decision that determines everything downstream: which systems you secure, which employees you train, how much the assessment costs, and how confident you can be that you will pass. Getting it wrong in either direction creates problems.

Over-scoping wastes money. If your compliance boundary includes systems that never touch CUI, you are paying to harden infrastructure that does not need it. Under-scoping is worse: if CUI flows through systems outside your declared enclave (shared email servers, unmanaged endpoints, a consumer file-sharing tool someone uses informally), your boundary is invalid and your assessment will fail.

NIST SP 800-171 offers a useful framing: organizations “will not want to spend money on cybersecurity beyond what it requires for protecting its missions, operations, and assets.” Scoping is how you align security investment with actual risk. Every asset you can legitimately keep out of scope is a saving.

How to Scope a CMMC Enclave

Scoping starts with a single question: where does CUI actually go in your environment? The answer is usually more distributed than people expect. CUI flows through email. It lands in shared drives, project management tools, collaboration platforms, and sometimes personal devices. Before you can define an enclave, you need to map all of it.

The DoD scoping process works through asset categories:

- CUI Assets: systems that directly process, store, or transmit CUI
- Security Protection Assets: systems that enforce security functions for CUI assets
- Contractor Risk Managed Assets
- Specialized Assets: IoT, OT, test equipment
- Out-of-Scope Assets

Only Out-of-Scope Assets can be excluded from assessment, and to qualify, they must be provably isolated from CUI flows.

The key
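The two scoping failures described above (traffic that can reach a declared out-of-scope asset, and enclave assets that never touch CUI) can both be checked mechanically once the boundary is written down as a set of permitted flows rather than a policy sentence. The following is an added example, not code from the article or from any DoD tool. It assumes a constructed asset inventory with each asset's declared scoping category and enclave membership, and a constructed list of flows that the firewall/VLAN boundary actually permits, under a deny-by-default assumption; in practice the flow list would be exported from the boundary device's configuration.

```python
from collections import defaultdict, deque

# Constructed inventory (illustration only): asset -> (declared DoD scoping category,
# declared as inside the enclave boundary?)
INVENTORY = {
    "cui-fileserver":   ("CUI Asset", True),
    "cui-workstation":  ("CUI Asset", True),
    "enclave-firewall": ("Security Protection Asset", True),
    "enclave-printer":  ("Contractor Risk Managed Asset", True),
    "corp-mail":        ("Out-of-Scope Asset", False),
    "corp-laptop":      ("Out-of-Scope Asset", False),
    "shopfloor-cnc":    ("Specialized Asset", False),
}

# Constructed list of flows the boundary actually permits, as (src, dst, service).
# Deny-by-default is assumed: any pair not listed cannot communicate.
PERMITTED_FLOWS = [
    ("cui-workstation", "cui-fileserver", "smb"),
    ("cui-fileserver", "cui-workstation", "smb"),
    ("cui-workstation", "corp-mail", "smtp"),   # the gap: enclave users can mail out to corporate
    ("corp-laptop", "corp-mail", "smtp"),
]


def reachable_from_cui(inventory, flows):
    """Every asset CUI can land on by following permitted flows outward from the
    declared CUI Assets (transitive closure over the flow graph)."""
    adjacent = defaultdict(set)
    for src, dst, _service in flows:
        adjacent[src].add(dst)
    seen = {name for name, (category, _inside) in inventory.items()
            if category == "CUI Asset"}
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for nxt in adjacent[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def scoping_findings(inventory, flows):
    """Compare the declared boundary with what the flows allow.

    Returns (under_scoped, over_scoped):
      under_scoped: assets declared outside the enclave that CUI can reach, so the
                    declared boundary is invalid
      over_scoped:  assets declared inside the enclave that have no flow to or from
                    any CUI-touching asset and do not protect one (paying to harden
                    something that never sees CUI)
    """
    touched = reachable_from_cui(inventory, flows)
    under_scoped = sorted(name for name in touched if not inventory[name][1])

    linked = set()
    for src, dst, _service in flows:
        if src in touched or dst in touched:
            linked.update((src, dst))
    over_scoped = sorted(
        name for name, (category, inside) in inventory.items()
        if inside
        and category not in ("CUI Asset", "Security Protection Asset")
        and name not in linked
    )
    return under_scoped, over_scoped


if __name__ == "__main__":
    under, over = scoping_findings(INVENTORY, PERMITTED_FLOWS)
    print("Under-scoped (boundary invalid):", under or "none")
    print("Over-scoped (candidates to remove):", over or "none")
```

Run against the constructed data, the check reports `corp-mail` as under-scoped, because the SMTP flow lets CUI leave the enclave for a server declared out of scope, and `enclave-printer` as over-scoped, because nothing inside the boundary ever exchanges data with it. Removing the SMTP flow from the permitted list (or replacing the destination with an in-enclave mail gateway) clears the under-scoping finding, which is the kind of before/after evidence an assessor testing the boundary will look for.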
Around the year 2019, the DoD found a problem. Contractors were self-attesting to NIST SP 800-171 compliance, signing off on security postures that, in many cases, existed only on paper. Sensitive defense information was leaving the supply chain through vulnerabilities that everyone had technically promised to close. That failure gave rise to CMMC, and understanding how these two frameworks relate, where they overlap, and where they diverge is now a contractual necessity for every organization in the Defense Industrial Base.

This guide cuts through the confusion and provides a precise, current account of how CMMC 2.0 and NIST SP 800-171 compare and coexist.

What Is NIST SP 800-171?

NIST Special Publication 800-171 is a set of cybersecurity requirements developed by the National Institute of Standards and Technology for the protection of Controlled Unclassified Information (CUI) in non-federal information systems and organizations. It was first published in 2015 and most recently updated with Revision 3 in May 2024.

The framework covers 14 families of security requirements in its current Revision 2 form, spanning access control, audit and accountability, incident response, configuration management, identification and authentication, and more. Revision 3 restructures this into 17 families, reducing the number of top-level requirements from 110 to 97 while introducing three new domains: Planning, System and Services Acquisition, and Supply Chain Risk Management.

Do not let the lower requirement count mislead you. According to NIST, Revision 3 increases the number of determination statements, the specific verification actions required during an assessment, by 32 percent.

NIST 800-171 is not a certification. It is a compliance standard built on a self-assessment model. Organizations determine their own score, document it in their System Security Plan (SSP), and report it to the DoD’s Supplier Performance Risk System (SPRS). That self-reporting architecture is precisely what CMMC was designed to fix.

Worth Knowing: NIST SP 800-171 applies broadly across federal contracting, not just the DoD. Any non-federal organization handling CUI in support of a federal agency, including NASA, GSA, and others, may be required to comply. CMMC, by contrast, is exclusively a DoD program.

What Is CMMC 2.0?

The Cybersecurity Maturity Model Certification is the Department of Defense’s formal certification program for cybersecurity compliance across the Defense Industrial Base. CMMC 2.0 was finalized in October 2024 and became effective December 16, 2024, with enforcement rolling out in phases through 2028.

Where NIST 800-171 describes what security controls an organization should implement, CMMC adds a verification layer: it requires that compliance be independently confirmed before a contract is awarded. CMMC uses a three-level maturity model, with each level corresponding to the sensitivity of the data handled and the rigor of the required assessment.

CMMC is enforced through DFARS clause 252.204-7021. Phase 1 of the rollout began November 10, 2025, and the DoD estimates that approximately 65 percent of the Defense Industrial Base will be affected. Major primes including Lockheed Martin and Boeing have already issued directives requiring CMMC documentation from their supply chains, in some cases ahead of official DoD deadlines.

How CMMC and NIST 800-171 Connect

CMMC 2.0 does not replace NIST 800-171. It is built on top of it. CMMC Level 2, the level most defense contractors will encounter, directly mirrors the 110 requirements in NIST SP 800-171 Revision 2. CMMC Level 3 extends that baseline by adding 24 enhanced requirements drawn from NIST SP 800-172.

Think of it this way: NIST 800-171 is the technical standard, and CMMC is the auditing and enforcement mechanism. Implementing 800-171 is a prerequisite for CMMC Level 2 certification. The critical difference is that 800-171 compliance is self-declared, while CMMC compliance is independently verified.

Both frameworks require a System Security Plan and a Plan of Action and Milestones (POA&M) for identified gaps. Assessment results from third-party or government-led CMMC assessments are recorded in eMASS, the DoD’s Enterprise Mission Assurance Support Service, while self-assessment results continue to be recorded in SPRS.

Key Differences Between CMMC and NIST 800-171

Purpose
  NIST SP 800-171: Technical standard for CUI protection
  CMMC 2.0: Certification program verifying CUI protection

Who It Applies To
  NIST SP 800-171: Any non-federal entity handling CUI
  CMMC 2.0: DoD contractors and subcontractors handling FCI or CUI

Maturity Levels
  NIST SP 800-171: None, flat set of 110 requirements
  CMMC 2.0: Three levels (Foundational, Advanced, Expert)

Assessment Model
  NIST SP 800-171: Self-assessment and self-attestation
  CMMC 2.0: Self-assessment (L1), C3PAO (L2), DIBCAC (L3)

Where Results Are Recorded
  NIST SP 800-171: SPRS
  CMMC 2.0: SPRS (self-assessments), eMASS (C3PAO/DIBCAC)

POA&M Restrictions
  NIST SP 800-171: No closure deadline or item limit
  CMMC 2.0: Limited open items; must close within 180 days

Contract Consequence
  NIST SP 800-171: Contractually required; limited enforcement mechanism
  CMMC 2.0: Required for contract award; False Claims Act exposure

Current Revision in Use
  NIST SP 800-171: Rev. 2 (CMMC use); Rev. 3 published May 2024
  CMMC 2.0: Aligned to Rev. 2 for Level 2 assessments

Cloud Requirements
  NIST SP 800-171: FedRAMP Moderate equivalent minimum
  CMMC 2.0: FedRAMP Moderate (L2); FedRAMP High (L3)

Applies to Non-DoD Agencies?
  NIST SP 800-171: Yes
  CMMC 2.0: No, DoD only

Is Compliance Mandatory?

Both frameworks are contractually required for DoD contractors handling CUI through the DFARS 252.204-7012 clause. The critical difference is consequence. NIST 800-171 compliance has been contractually required for years, but the self-attestation model created minimal accountability. CMMC adds teeth: without the required certification level, organizations cannot be awarded or retain DoD contracts. Under the False Claims Act, falsely certifying CMMC compliance can expose both the organization and signing individuals to treble damages.

Does It Use a Maturity Model?

NIST SP 800-171 does not use a maturity model. It presents a flat set of requirements that either are or are not implemented. CMMC structures compliance into three ascending levels, with each level carrying specific assessment requirements and targeting a different category of sensitive information.

Does It Require a Third-Party Assessor?

NIST 800-171 is self-assessed. CMMC Level 1 is also self-assessed annually. For CMMC Level 2, the picture is more complex: some contracts allow self-assessment, but most high-priority contracts require assessment by a Certified Third-Party Assessment Organization (C3PAO). CMMC Level 3 requires a direct audit by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a government body.

Scope: What Data Does Each Framework Protect?

Both frameworks center on CUI protection, but there is an
The CMMC is vast in coverage and can easily become overwhelming. It includes 110 security controls for each level, excluding level 1, which has only 15, with many encryption controls required throughout. This guide breaks down exactly what the four core encryption controls demand, how they apply across certification levels, and where assessors consistently find gaps that could have been caught months earlier.

Whilst most of these controls are straightforward, one stands out on the Defense Industrial Base Cybersecurity Assessment Center’s list of most commonly failed controls: SC.L2-3.13.11, which mandates FIPS-validated cryptography for protecting Controlled Unclassified Information (CUI). This is not because it is technically complex. It is because most contractors misunderstand what it truly requires. The mistake is almost always the same: assuming that using AES-256 is enough. It is not. CMMC encryption requirements are about validated modules, not algorithms, and that distinction is what fails organisations that believed they were ready.

What Are the CMMC Encryption Requirements?

CMMC 2.0 is the Department of Defense’s framework for verifying that contractors protect sensitive defense information. It operates on three certification levels:

- Level 1: basic protection of Federal Contract Information (FCI)
- Level 2: protection of CUI in alignment with NIST SP 800-171
- Level 3: protection of the most sensitive CUI against advanced persistent threats

Encryption requirements live primarily at Level 2 and above. With CMMC, the requirement for FIPS 140 validation now applies to every member of the Defense Industrial Base (DIB), an estimated 215,000 companies, that handles CUI. Every system that performs encryption and touches CUI must use FIPS-validated cryptography. That is a significant shift: previously, FIPS validation was largely reserved for vendors selling directly to federal agencies.

The timeline is active. The CMMC Acquisition Rule became effective November 10, 2025, with Phase 2, mandatory C3PAO assessments for Level 2 contracts, beginning November 10, 2026.

The 4 Core CMMC Encryption Controls Explained

Three controls form the backbone of CMMC’s encryption requirements. Understanding each one separately matters, because failing any of them has direct consequences on your assessment score.

SC.L2-3.13.11 (FIPS-Validated Cryptography)
  What it requires: Cryptographic modules must hold a valid NIST CMVP certificate
  Applies to: Any system that handles CUI

SC.L2-3.13.8 (CUI in Transit)
  What it requires: Cryptographic mechanisms must protect CUI across all transmission channels
  Applies to: Networks, email, file transfers, APIs

SC.L2-3.13.16 (CUI at Rest)
  What it requires: CUI stored on any system must be encrypted
  Applies to: Servers, workstations, databases, backups

SC.L2-3.13.10 (Cryptographic Key Management)
  What it requires: Keys must be generated, stored, and revoked in a controlled, documented process
  Applies to: All systems using encryption to protect CUI

MP.L2-3.8.7 (CUI on Media)
  What it requires: Encryption must extend to physical and removable media
  Applies to: USB drives, external disks, backup tapes, laptops

SC.L2-3.13.11: Employ FIPS-Validated Cryptography to Protect CUI

This is the headline control and the most misunderstood. A common mistake is confusing cryptographic algorithms with cryptographic modules. The CMMC requirement is about the module, not just the algorithm. You can run AES-256 across your entire environment. If the module implementing it has not been validated through NIST’s Cryptographic Module Validation Program (CMVP), you are not compliant. The algorithm is not the certificate.

Pro Tip: During an assessment, you will be asked to provide the FIPS certificate number for each product that handles CUI, not a vendor’s claim that they “support AES-256.” Have those certificate numbers documented before the assessment starts.

SC.L2-3.13.8 and SC.L2-3.13.16: CUI in Transit and at Rest

SC.L2-3.13.8 requires cryptographic mechanisms to protect CUI during transmission, covering all communication channels: network connections, email, file transfers, and API communications. SC.L2-3.13.16 requires protection of CUI at rest. Neither control names a specific algorithm, but the FIPS validation requirement from 3.13.11 applies across both.

SC.L2-3.13.10: Establish and Manage Cryptographic Keys

Encryption without key management is security theatre. This control requires that keys be generated, stored, and revoked in a controlled, documented way. A compromised key renders all your encryption irrelevant regardless of algorithm strength.

MP.L2-3.8.7: Control Access to CUI on Media

This control extends encryption requirements to physical and removable media. CUI stored on a USB drive, an external hard disk, or a backup tape must be protected. Contractors who focus on network-level encryption and forget about the laptop bag sitting in a car park consistently fail this one.

CMMC Encryption Requirements by Certification Level

Level 1 covers organisations handling only FCI. The controls are foundational and do not explicitly mandate encryption, though it remains a recommended practice.

This changes sharply at Level 2. Under the CMMC scoring methodology:

- 5 points deducted if no cryptography is employed
- 3 points deducted if cryptography is present but not FIPS-validated
- Maximum score: 110 | Minimum passing threshold: 88

Getting SC.L2-3.13.11 wrong costs points you cannot afford to lose.

Level 3 introduces additional requirements aligned with NIST SP 800-172, including enhanced key management controls, stricter access controls on cryptographic infrastructure, and greater scrutiny of the supply chain around cryptographic tools.

Pro Tip: According to research by Merrill Research and CyberSheath, only 4% of defense contractors are fully prepared for CMMC certification based on third-party assessment criteria, while 75% believe they are compliant based on self-assessment. The gap is widest in technical controls, with encryption and key management among the most common failure points.

What Is FIPS-Validated Cryptography and Why Does It Matter?

FIPS stands for Federal Information Processing Standards. FIPS 140, developed by NIST, sets the benchmark for cryptographic modules intended to protect sensitive information. It requires that cryptographic modules be tested by accredited third-party laboratories and certified by NIST, a process managed through the Cryptographic Module Validation Program (CMVP).

FIPS 140-2 vs. FIPS 140-3

FIPS 140-3 is the newer standard, published March 22, 2019, and aligns with the international ISO/IEC 19790:2012(E) standard. Both remain acceptable under current CMMC requirements. FIPS 140-3 introduces stricter requirements around physical security, key management, and testing methodologies, and will likely become the primary standard as the framework evolves. If your vendor holds a current FIPS 140-2 certificate and that module remains on NIST’s active modules list, you are covered for now, but plan your migration path.

Acceptable Encryption
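The distinction the article draws between an algorithm and a validated module is easiest to see on a Linux host: "we use AES-256" says nothing about which module performs it, whereas the kernel's FIPS flag and the loaded OpenSSL 3 provider are concrete, inspectable evidence, and the CMVP certificate number ties that module to the validation the assessor will ask for. The following is an added example, not code from the article or from NIST; it assumes an OpenSSL 3 host (the provider list format is taken from `openssl list -providers` on OpenSSL 3.x) and the kernel flag at `/proc/sys/crypto/fips_enabled`. The sample provider output is constructed, and the certificate field is a labelled placeholder, since the article gives no certificate numbers.

```python
import os
import subprocess

# Constructed sample of `openssl list -providers` output on an OpenSSL 3 host
# that has the FIPS provider loaded (format assumed from OpenSSL 3.x).
SAMPLE_PROVIDERS = """Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.13
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active
"""


def parse_providers(text):
    """Parse `openssl list -providers` output into {provider_name: {field: value}}.
    Provider names are indented by two spaces; their fields by four."""
    providers = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Providers:"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 2:
            current = line.strip()
            providers[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            providers[current][key.strip()] = value.strip()
    return providers


def fips_provider_active(providers_text):
    """True only if a provider literally named 'fips' is loaded and active."""
    fips = parse_providers(providers_text).get("fips")
    return bool(fips) and fips.get("status") == "active"


def kernel_fips_enabled(flag_text):
    """Interpret /proc/sys/crypto/fips_enabled: '1' means the kernel is in FIPS mode."""
    return flag_text.strip() == "1"


def host_findings(hostname, kernel_flag_text, providers_text, cmvp_certificate):
    """Evidence gaps for one CUI-handling host, in the order an assessor would ask.
    cmvp_certificate is the documented CMVP certificate number for the module
    (None when nobody has recorded it, which is itself a finding)."""
    findings = []
    if not kernel_fips_enabled(kernel_flag_text):
        findings.append(f"{hostname}: kernel not in FIPS mode")
    if not fips_provider_active(providers_text):
        findings.append(f"{hostname}: OpenSSL FIPS provider not loaded or not active")
    if not cmvp_certificate:
        findings.append(f"{hostname}: no CMVP certificate number documented for the module")
    return findings


def collect_live_evidence():
    """Read the real flag and provider list from the host this runs on."""
    try:
        with open("/proc/sys/crypto/fips_enabled") as fh:
            flag = fh.read()
    except OSError:
        flag = "0"  # flag absent: treat as not in FIPS mode
    proc = subprocess.run(["openssl", "list", "-providers"],
                          capture_output=True, text=True, check=False)
    return flag, proc.stdout


if __name__ == "__main__":
    flag, providers = collect_live_evidence()
    # PLACEHOLDER: replace with the certificate number from the module's CMVP entry
    for line in host_findings(os.uname().nodename, flag, providers, None):
        print(line)
```

The third finding is the one the Pro Tip above is about: a host can be in FIPS mode with the FIPS provider active and still fail the evidence request if nobody has recorded which CMVP certificate that module version corresponds to. Note too that an active provider proves the module is available, not that every application on the host actually uses it; per-application configuration still has to be checked.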
If you work with the U.S. Department of Defense in any capacity, CMMC compliance is not optional. It is the price of admission. And if you are not prepared, it could cost you your contracts, your reputation, and your seat at the table in the defense industrial base. This guide breaks down everything you need to know about CMMC compliance clearly, honestly, and without the jargon overload.

What Is CMMC Compliance?

CMMC stands for Cybersecurity Maturity Model Certification. It is a framework developed by the U.S. Department of Defense (DoD) to ensure that defense contractors and subcontractors adequately protect sensitive government information from cyber threats. In plain terms: if you handle federal data, especially sensitive technical or operational information, the DoD wants proof that your cybersecurity practices are up to standard. Not a promise. Actual, verified proof.

CMMC compliance means meeting a defined set of cybersecurity practices and, depending on your level, having those practices certified by an accredited third-party assessor, also known as a C3PAO (Certified Third-Party Assessment Organization). It is structured, tiered, and increasingly enforced, particularly since the final CMMC rule was formally codified into federal acquisition regulations in December 2024.

Why CMMC Compliance Matters for Defense Contractors

The defense sector is one of the most targeted industries for cyberattacks. According to IBM’s Cost of a Data Breach Report, the average cost of a data breach reached $4.45 million in 2023, and breaches involving government data carry consequences far beyond the financial hit. Foreign adversaries, particularly nation-state actors, have been systematically targeting defense contractors to steal intellectual property, weapons designs, and operational intelligence. The DoD created CMMC specifically to close the gaps in the Defense Industrial Base (DIB) cybersecurity posture.

For defense contractors, CMMC compliance matters for three hard reasons:

- Contract eligibility. CMMC requirements are embedded directly into DoD contract solicitations. If you do not meet the required CMMC level, you cannot bid. Full stop.
- Legal and regulatory liability. Under the False Claims Act, misrepresenting your cybersecurity compliance when submitting to a federal contract can result in significant legal exposure, treble damages, and penalties.
- Supply chain trust. Even if you are a subcontractor, your prime contractor is responsible for ensuring your compliance. Failure on your part puts their contracts at risk too.

The History and Evolution of CMMC

From CMMC 1.0 to CMMC 2.0: What Changed?

CMMC was first introduced in 2020 as CMMC 1.0, a five-level model that drew heavily from existing NIST frameworks. It was ambitious but widely criticized for being overly complex, expensive to implement, and difficult to scale, especially for small and medium-sized businesses in the defense supply chain.

In response to industry feedback, the DoD released CMMC 2.0 in November 2021, streamlining the model significantly. The five levels were reduced to three. The most notable change was the elimination of unique CMMC-specific practices, bringing the framework into direct alignment with NIST SP 800-171 and NIST SP 800-172. CMMC 2.0 also introduced a critical flexibility provision: certain Level 2 contractors may be permitted to perform annual self-assessments rather than requiring a third-party audit, depending on the sensitivity of the information they handle.

The final CMMC rule was published in the Federal Register in December 2024, officially codifying CMMC 2.0 into the Defense Federal Acquisition Regulation Supplement (DFARS).

How CMMC Relates to NIST SP 800-171 and DFARS

NIST SP 800-171 is the foundational document underpinning CMMC Level 2. It outlines 110 security practices across 14 control families designed to protect Controlled Unclassified Information (CUI) in non-federal systems. DFARS clause 252.204-7012 has long required defense contractors to comply with NIST SP 800-171 on a self-attestation basis.

The core problem? Self-attestation created significant inconsistency and allowed non-compliant contractors to fly under the radar. CMMC changes that by adding mandatory third-party verification for a large portion of the DIB, bringing real accountability into the equation for the first time.

The Three Levels of CMMC 2.0 Explained

CMMC 2.0 organizes compliance into three progressive levels. Each level corresponds to the type of information your organization handles and the sophistication of threats you may face.

CMMC Level 1: Foundational

Who it applies to: Contractors who handle Federal Contract Information (FCI) but not CUI.
Requirements: 17 basic cybersecurity practices drawn from FAR clause 52.204-21.
Assessment method: Annual self-assessment with an executive affirmation submitted to the Supplier Performance Risk System (SPRS).

Level 1 is the baseline. Think good cyber hygiene, things like using antivirus software, controlling who has access to systems, and keeping your software updated. Not glamorous, but non-negotiable.

CMMC Level 2: Advanced

Who it applies to: Contractors who handle Controlled Unclassified Information (CUI).
Requirements: All 110 practices from NIST SP 800-171, organized across 14 domains.
Assessment method: Either triennial third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) or annual self-assessment, depending on contract criticality.

This is where the majority of the defense contractor community lands, and where most of the compliance effort (and cost) is concentrated. If your organization touches CUI in any meaningful way, Level 2 is almost certainly your target.

CMMC Level 3: Expert

Who it applies to: Contractors supporting the DoD’s most critical programs, handling CUI that presents higher-risk threat vectors, often involving advanced persistent threats (APTs).
Requirements: 110+ practices from NIST SP 800-171 plus select practices from NIST SP 800-172.
Assessment method: Government-led assessment conducted by the Defense Contract Management Agency (DCMA).

Level 3 is the top tier. If you are here, you already know what you are dealing with, and so do your adversaries.

Level 1: Foundational
  Information type: FCI
  Practices required: 17 (FAR 52.204-21)
  Assessment type: Annual self-assessment

Level 2: Advanced
  Information type: CUI
  Practices required: 110 (NIST SP 800-171)
  Assessment type: C3PAO or self-assessment

Level 3: Expert
  Information type: CUI (high-value)
  Practices required: 110+ (NIST SP 800-172)
  Assessment type: Government-led (DCMA)

Who Needs to Be CMMC Compliant?

Prime Contractors

Any organization that holds a DoD contract involving FCI or CUI must comply with the applicable CMMC level. Prime contractors are typically well-resourced enough to navigate the process, but that does not make them exempt from the hard work, or from the