Introducing the L2 CUI Enclave Package
CMMC Level 2 self-assessment — right-sized for small defense contractors. No enterprise IT. No C3PAO fees. Built on Google Workspace for Government or Microsoft 365 GCC High.
We Heard You. Level 2 Is Now in Scope.
Since launching the L1 Turnkey package, one question has come up more than any other: "We handle CUI. Does Overwatch Tools have something for Level 2?"
For a long time, the honest answer was: not yet. The L2 compliance space is dominated by enterprise-scale solutions built for large organizations with dedicated IT departments, full-time security staff, and budgets to match. Small contractors handling modest amounts of CUI — a few people, a focused scope, a DoD contract that doesn't justify a $50,000+ C3PAO engagement — were largely left to figure it out on their own.
That changes today.
We're launching the L2 CUI Enclave Package — a complete CMMC Level 2 self-assessment solution built specifically for small defense contractors with limited CUI needs. Same philosophy as the L1 Turnkey: every artifact defined, every session with a purpose, platform-specific rather than generic. Just built for the depth and scope that Level 2 requires.
⚠️ Self-Assessment Programs Only. The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope. Not sure which applies to you? The free 30-minute consultation is the right first step.
Ready to talk about Level 2?
Schedule a free 30-minute intro call. We'll look at your contract, your CUI scope, and your program eligibility — and give you a straight answer on which package fits.
Schedule Your Free 30-Minute Consultation →Who the L2 CUI Enclave Package Is Built For
Before we get into what's included, it's worth being specific about who this is — and isn't — designed for. Level 2 is a bigger undertaking than Level 1, and the right-fit matters.
This package is right for you if:
- Your DoD contract requires handling Controlled Unclassified Information (CUI)
- Your program is eligible for annual self-assessment — not C3PAO-required
- You have limited CUI needs — a defined, focused scope rather than organization-wide CUI handling
- You're running Google Workspace for Government or Microsoft 365 GCC High (or ready to move to one)
- You don't have — and don't want to build — enterprise IT infrastructure like Active Directory or a SIEM
- You want expert consulting and defined artifacts, not a blank compliance framework to fill in yourself
This package is not right for you if:
- ✗ Your program requires a C3PAO assessment — self-assessment eligibility is a prerequisite for this package
- ✗ Your CUI handling is broad and organization-wide — this package is designed for a dedicated enclave scope
- ✗ You only handle FCI (Federal Contract Information) — in that case, Level 1 is what you need
Still not sure which level applies? That's more common than you'd think, and it's exactly what the free consultation is designed to sort out.
What Is a CUI Enclave — and Why Does It Matter?
A CUI enclave is a defined, isolated environment where all Controlled Unclassified Information is created, stored, processed, and transmitted. Instead of trying to apply CMMC Level 2 controls across your entire organization — every device, every user, every system — an enclave approach lets you draw a boundary around the CUI-handling environment and apply controls within that boundary.
For small contractors, this is the difference between a manageable compliance project and an enterprise-scale IT overhaul. You don't need to make every laptop, every phone, and every system in your business CMMC Level 2 compliant. You need to build and operate a secure, documented enclave where CUI lives — and keep everything else outside of it.
The L2 CUI Enclave Package is built around a dedicated CUI environment on either Google Workspace for Government or Microsoft 365 GCC High — your choice. CUI-only devices (dedicated Windows laptops or Chromebooks) access the enclave. Non-CUI work stays on separate systems. The enclave is configured, documented, and assessed as a defined scope. We provide the configuration guides — clients implement.
This is not a workaround or a shortcut. It's the correct approach for organizations with limited CUI needs, and it's how the DoD's own guidance expects small contractors to structure their compliance. The L2 CUI Enclave Package gives you every artifact, template, and configuration guide to build and document this enclave correctly.
What's Included in the L2 CUI Enclave Package
⚠️ Self-Assessment Programs Only. Scoped for CMMC Level 2 programs eligible for annual self-assessment. C3PAO-required programs are not in scope.
A complete, right-sized CUI Enclave compliance package for limited CUI needs. No Active Directory, no SIEM, no full-time IT staff required. You choose your platform; we provide the templates, configuration guides, and expert consulting to get you across the finish line.
- 12 bi-weekly expert consulting sessions — a deeper, structured program to match L2's expanded scope across 110 practices
- Your choice of platform: Google Workspace for Government or Microsoft 365 GCC High — we specialize in both
- 110 practices → 182 defined artifacts — every CMMC Level 2 requirement mapped to a specific deliverable
- Dedicated CUI enclave configuration guides — step-by-step setup for your chosen platform, built for the enclave scope
- System Security Plan (SSP) — pre-filled template tailored to your enclave environment
- POAM framework, Risk Register & evidence checklist — everything required for the self-assessment package
- Time estimates for every task — the entire program is designed to be implementable part-time, without a full-time IT resource
- SPRS scoring & self-assessment documentation — packaged, date-stamped, and ready for submission
- Free 30-minute kickoff consultation — before you commit to anything
110 Practices. 182 Artifacts. What That Actually Means.
CMMC Level 2 is based on NIST SP 800-171 and covers 110 security practices across 14 domains: Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System & Information Integrity.
That's a significant scope — and the reason most small contractors either avoid Level 2 entirely or hand it off to an expensive consultant who hands them back a stack of generic documents that don't reflect their actual environment.
The L2 CUI Enclave Package maps every one of those 110 practices to a specific, defined artifact — 182 total. Not "create a policy for this domain." A defined deliverable for each requirement: the specific policy, the specific configuration screenshot, the specific procedure document, the specific evidence item. You know exactly what you're building at every step.
Most compliance frameworks tell you what to satisfy. We tell you what to produce. For every one of the 182 artifacts in the L2 package, you get a template or configuration guide, a description of what it should contain, and a time estimate for completing it. No interpretation required.
Why Platform Specificity Matters at Level 2
CMMC Level 2 introduces requirements that go well beyond Level 1 — audit logging, configuration management, system protection controls, and more. The way you satisfy these requirements looks fundamentally different depending on whether your enclave runs on Google Workspace for Government or Microsoft 365 GCC High.
Generic compliance documents — the kind that say "configure your email platform to retain audit logs" without telling you which setting to click in which admin console — fail at Level 2. The requirements are too specific, and the verification too granular, for platform-agnostic guidance to hold up.
The L2 CUI Enclave Package is built around your chosen platform from the ground up. Configuration guides are written for the specific admin consoles, settings, and capabilities of Google Workspace for Government and M365 GCC High. You're not translating enterprise documentation into something that applies to your environment. It starts in your environment.
| Consideration | Google Workspace for Government | Microsoft 365 GCC High |
|---|---|---|
| Best for | Teams already on Google, Chromebook-friendly workflows | Teams already on Microsoft, Windows-native workflows |
| CUI device | Dedicated Chromebook (CUI-only) | Dedicated Windows laptop (CUI-only) |
| Audit logging | Google Admin audit logs, Workspace alerts | Microsoft Purview, Defender for M365 |
| Config management | Google Admin Console, Chrome Enterprise | Intune, Conditional Access, Defender |
| Included guides | ✓ Google Workspace for Gov configuration guide | ✓ M365 GCC High configuration guide |
Not sure which platform is the right fit? We'll help you work through that in the kickoff consultation. Both are fully supported — the choice is yours.
No Enterprise IT Required. Seriously.
One of the most persistent myths about CMMC Level 2 is that you need enterprise IT infrastructure to comply. Active Directory. A SIEM. A full-time security engineer. A dedicated compliance team. For large defense contractors, that might be true. For small contractors with a defined CUI enclave, it's not.
The L2 CUI Enclave Package is explicitly designed for organizations without enterprise IT. Here's what that means in practice:
- No Active Directory required — identity management through Google Workspace for Government or M365 GCC High admin consoles
- No SIEM required — audit logging handled through platform-native tools (Google Admin audit logs or Microsoft Purview)
- No full-time IT staff required — time estimates on every task are designed for a part-time IT point person
- No enterprise hardware required — CUI-only dedicated laptops or Chromebooks; we provide the config guides, not the hardware
- No security team required — the Owner/Manager, an IT point person, and your CUI users are the three roles the program is built around
This doesn't mean Level 2 is simple. It means it's achievable for small organizations with a focused CUI scope — which is exactly what the enclave approach is designed to enable.
How the 12-Session Program Works
The L2 CUI Enclave Package follows the same session-based structure as the L1 Turnkey — defined focus per session, clear deliverables, bi-weekly cadence — but expanded to 12 sessions to cover Level 2's broader scope.
Program Structure at a Glance
- Sessions 1–2: Kickoff, gap assessment, CUI flow mapping, enclave scoping, action plan
- Sessions 3–4: Access control, authentication, identity management, MFA, account policies
- Sessions 5–6: Device configuration, CUI-only device setup, configuration management baselines
- Sessions 7–8: Platform deep dive — GWS for Gov or M365 GCC High audit logging, enclave configuration, sharing controls
- Sessions 9–10: SSP completion, POAM framework, Risk Register, policy and documentation review
- Session 11: Evidence collection, Evidence Locker organization, pre-assessment dry run across all 110 practices
- Session 12: SPRS scoring, submission documentation, affirmation prep, post-submission support
Sessions are 1 hour each, conducted virtually, every two weeks. Between sessions, you complete implementation work using the 182 defined artifacts, platform configuration guides, SSP template, and POAM framework. Email support is available throughout.
"The entire program is designed with time estimates on every task — so you know going in what you're committing to, and can plan implementation around your existing workload."
L1 Turnkey vs. L2 CUI Enclave: Which One Is Right for You?
If you're not sure which level applies to your situation, this comparison is a good starting point. The key question is whether your DoD contract involves CUI — and if so, whether your program is eligible for self-assessment.
| Feature | L1 Turnkey Package | L2 CUI Enclave Package |
|---|---|---|
| CMMC Level | Level 1 | Level 2 |
| Information type | FCI (Federal Contract Information) | CUI (Controlled Unclassified Information) |
| Assessment type | Annual self-assessment | Annual self-assessment (eligible programs only) |
| Practices | 15 practices | 110 practices |
| Defined artifacts | 142 artifacts | 182 artifacts |
| Consulting sessions | 8 bi-weekly sessions | 12 bi-weekly sessions |
| Platform | Google Workspace or Microsoft 365 | Google Workspace for Gov or M365 GCC High |
| SSP required | No | Yes — pre-filled template included |
| POAM / Risk Register | No | Yes — framework included |
| Enterprise IT needed | No | No |
| Price | $2,495/year (Save $500 limited time) | $3,495/year |
Still not certain? The free consultation is built for this exact question. We'll review your contract requirements and your information environment and tell you directly which level applies and which package fits.
Our Full Product Lineup
- 8 bi-weekly expert consultation sessions (1 hour each)
- All 15 CMMC L1 practices mapped to 142 required artifacts
- Platform-specific templates for Microsoft 365 or Google Workspace
- 8 device & network configuration guides (Windows, Mac, iOS, Android, home/small-office)
- Evidence Locker & SPRS report template
- Self-assessment documentation package — assembled, packaged, date-stamped
- Email support between sessions
- Free 30-minute kickoff consultation
⚠️ Self-Assessment Programs Only. Scoped for CMMC Level 2 programs eligible for annual self-assessment. C3PAO-required programs are not in scope.
- 12 bi-weekly expert consulting sessions
- 110 practices mapped to 182 defined artifacts
- Your choice of platform: Google Workspace for Government or M365 GCC High
- Dedicated CUI enclave configuration guides
- System Security Plan (SSP) — pre-filled template
- POAM framework, Risk Register & evidence checklist
- Time estimates for every task — implementable part-time
- SPRS scoring & self-assessment docs — packaged and date-stamped
- Free 30-minute kickoff consultation
The Overwatch Tools CMMC Assessment Tool is free, takes under 30 minutes, and gives you an instant gap analysis across all 15 CMMC Level 1 practices — plus flags whether Level 2 may apply to your situation. No credit card, no obligation. Start your free assessment →
Ready to Figure Out Where You Stand?
Whether you're handling FCI at Level 1 or CUI at Level 2, the first step is the same — a free 30-minute consultation. We'll review your contract requirements, confirm which level applies, and give you a clear path forward. No pressure, no commitment.
Schedule Your Free 30-Minute Consultation →Learn More at Overwatchtools.com
Overwatch Tools | CMMC Compliance Solutions
Making CMMC Compliance Achievable for Small Defense Contractors
Chesapeake, Virginia | overwatchtools.com | info@overwatchtools.com