Certify Your Whole Company or Just a CUI Enclave? The CMMC L2 Scope Decision | Overwatch Tools
📋 CMMC: THE L2 DECISION SERIES — PART 5 OF 6

Certify Your Whole Company or Just Create a CUI Enclave?

The Scope Decision That Changes Your Compliance Cost Entirely

By Overwatch Tools | CMMC Compliance Specialists

CMMC Level 2 doesn't have to apply to your whole company. For most small contractors with a limited CUI footprint, it shouldn't.

This is the question that gets skipped in most CMMC conversations — and it's the one that matters most to your bottom line. Where you draw the compliance boundary determines what Level 2 costs you, how long it takes to implement, and whether it's manageable for a small business or a multi-year enterprise project.

The answer, for the majority of small contractors handling Controlled Unclassified Information (CUI) under a DoD contract, is the enclave approach: isolate CUI to a dedicated, separate environment — dedicated devices and a government-tier cloud platform — and scope your CMMC Level 2 compliance to that enclave only.

Let's walk through how that decision works, what each path actually costs, and how to know which one fits your situation.

Not Sure Which Approach Fits Your Situation?

Before you read the whole framework — if you'd rather talk through your specific contracts and CUI handling, book a free 30-minute scope review. We'll help you figure out whether the enclave approach is the right fit.


What "Scope" Actually Means in CMMC

In CMMC, your assessment scope is the boundary you draw around the systems, devices, and platforms that process, store, or transmit CUI. Everything inside the boundary must meet Level 2 requirements. Everything outside the boundary doesn't.

This matters enormously because Level 2 has 110 practices mapped to 182 defined artifacts — policies, procedures, configuration guides, evidence records, a System Security Plan, and more. Applying all of that to your entire company is a fundamentally different undertaking than applying it to a scoped, isolated enclave.

Scoping isn't a workaround or a shortcut. It's the strategy the CMMC framework is designed to support. The DoD wants contractors to protect CUI. Scoping is how you limit what "protecting CUI" touches — and by extension, what it costs.

The Key Principle

Your CMMC Level 2 compliance boundary should match your CUI boundary — not your whole company. If CUI only touches specific projects, specific people, and specific systems, those are the things that need Level 2. The rest of your business runs on CMMC Level 1.

The Two Approaches: Side by Side

There are two fundamental paths to CMMC Level 2 compliance. Here's what each one looks like in practice.

✅ Recommended for Most Small Contractors

The Enclave Approach

  • CUI lives in a dedicated, isolated environment
  • Separate devices for CUI work (dedicated Windows laptops or Chromebooks)
  • Isolated platform tier: Google Workspace for Government or Microsoft 365 GCC High
  • Clear boundary — your main business operations stay on L1
  • No Active Directory, no SIEM, no enterprise IT required
  • Right-sized for small businesses with limited CUI exposure
  • 110 practices → 182 artifacts scoped to the enclave only
  • Implementable part-time with time estimates on every task

⚠️ For Organizations Where CUI Touches Everything

The Full-Company L2 Approach

  • Level 2 requirements applied across the entire organization
  • All devices, all platforms, all personnel in scope
  • Enterprise IT infrastructure typically required
  • Active Directory, SIEM, and dedicated IT staff common
  • Significantly higher implementation and ongoing cost
  • Appropriate for large contractors where CUI is pervasive
  • Enterprise consulting engagements often run $50K–$200K+
  • Multi-year implementation timelines common

For a small defense contractor with a handful of CUI-related contracts and a small team, the enclave approach isn't just cheaper — it's the correct architectural answer. You're not cutting corners; you're implementing compliance at the right scope.

What the Enclave Approach Actually Looks Like

A CUI enclave is a dedicated, isolated environment — separate from your general business operations — where all CUI is processed, stored, and transmitted. Think of it as a compliance perimeter. Inside: CUI and everything it touches. Outside: your regular business, running on Level 1 compliance.

In practice, a right-sized CUI enclave for a small contractor typically means:

What a Small-Contractor CUI Enclave Looks Like

  • Dedicated devices: Specific Windows laptops or Chromebooks used only for CUI work — not your general business machines
  • Isolated platform: A separate tenant on Google Workspace for Government or Microsoft 365 GCC High — not your general business Google Workspace or commercial M365
  • Defined users: Only the people who actually need to access CUI have accounts in the enclave platform
  • Clear data handling procedures: Written policies defining what goes into the enclave, how it moves, and how it's protected
  • Documented configuration: Every setting on every device and platform configured and recorded per L2 requirements
  • Evidence locker: Ongoing records demonstrating the enclave is operating as documented

Your general business operations — email, proposals, billing, HR, general communications — continue on your existing platform (Level 1 compliant). The CUI enclave is the additional layer that handles the sensitive DoD work.

"The enclave doesn't replace your Level 1 compliance. It adds the Level 2 layer for the specific systems where CUI lives. Your main business continues on L1. Together, you have full compliance coverage for both your FCI and CUI obligations."

When Does Full-Company L2 Apply? (Probably Not Your Situation)

Full-company Level 2 compliance is appropriate when CUI is so pervasive throughout an organization that isolating it into an enclave isn't architecturally realistic. Think of a large defense prime where hundreds of employees across dozens of systems all regularly handle CUI as part of their daily work. You can't enclave that — it's everywhere.

That's not most small contractors. If you're a 5-person shop with two CUI-related contracts, or a 15-person firm where only 4 people regularly touch CUI documents, the enclave approach is almost certainly the right fit.

⚠️ Signs You Might Need Full-Company L2 (Rare for Small Contractors)

  • CUI is routinely accessed by a large majority of your employees as part of their normal daily work
  • Your existing IT infrastructure is deeply integrated with CUI handling in ways that can't be isolated
  • Your contract language or DoD program office has specifically directed a full-company assessment scope
  • You already have enterprise IT (Active Directory, SIEM, dedicated IT staff) managing CUI access across all systems

If this describes your situation, a consultation is the right starting point — these cases require a custom scoping conversation.

If none of those conditions apply — and for most small contractors, they don't — the enclave approach is both appropriate and more manageable.

Decision Framework: Is the Enclave Approach Right for You?

Use this checklist to assess your fit. The more "yes" answers, the stronger the case for the enclave approach.

📋 Enclave Approach Fit Checklist

☐ Is your CUI limited to specific projects or contracts? If CUI exposure is tied to particular DoD programs rather than pervasive across all your work, the enclave approach is a natural fit. Your CUI work happens in the enclave; everything else stays on L1.
☐ Can you dedicate specific devices to CUI work? The enclave requires dedicated devices — laptops or Chromebooks used exclusively for CUI handling. If you can designate specific machines (even just 1–2 to start), you have what you need.
☐ Are you willing to use Google Workspace for Government or Microsoft 365 GCC High for your CUI environment? These are the government-tier cloud platforms that meet L2 requirements for cloud-based CUI handling. The enclave runs on one of these — not general commercial cloud.
☐ Is your CUI team small, without a large IT department managing CUI access? If the people who handle CUI are a defined subset of your team, the enclave scope is naturally bounded. You don't need enterprise IT infrastructure to build a right-sized enclave.
☐ Does your program qualify for annual self-assessment (vs. requiring a C3PAO)? The enclave approach for Level 2 is specifically designed for self-assessment eligible programs. If your contract is C3PAO-required, that's a different scope conversation. (Not sure? A free consultation can clarify this.)

If you answered yes to most of these, you're a strong candidate for the enclave approach. If there's ambiguity — particularly around self-assessment eligibility — a consultation can confirm your situation before you commit to a compliance path.

A Note on Platform Choice for the Enclave

The CUI enclave runs on a government-tier cloud platform — not your standard commercial Google Workspace or Microsoft 365. This is a key requirement, not an option.

For Level 2, the two supported paths are:

  • Google Workspace for Government — the government edition of Google Workspace, meeting FedRAMP requirements for CUI
  • Microsoft 365 GCC High — Microsoft's government cloud tier, meeting requirements for CUI and higher sensitivity DoD data

Both paths are supported in the L2 CUI Enclave Package. You choose your platform; Overwatch Tools provides the configuration guides, templates, and consulting sessions for that specific platform. We provide templates and guides — you implement, with expert support throughout.

Not Sure Which Platform to Choose?

If you don't have a strong existing preference, a consultation will help identify the right fit based on your contract requirements, your team's existing tools, and your budget. Both platforms can support a compliant Level 2 enclave — the choice depends on your specific situation.

The Math: Enclave Approach vs. Full-Scope L2

Here's where the enclave approach creates a dramatically different financial picture.

The Two-Package Approach

Full compliance coverage — L1 for your main business, L2 enclave for your CUI footprint

  • L1 Turnkey Package: $2,495 (Save $500 — Limited Time)
  • L2 CUI Enclave Package: $3,495
  • Combined: $5,990/year for full L1 + L2 enclave coverage for your main business and CUI operations

vs. enterprise consulting for full-scope L2: commonly $50,000–$200,000+ with no guaranteed scope

What makes $5,990 possible is exactly what we've been discussing: scope. The L2 CUI Enclave Package is designed for a bounded CUI footprint — not an enterprise-wide L2 implementation. The enclave approach is what makes this price point achievable. Full-scope L2 with enterprise consultants is a completely different financial universe.

The L1 Turnkey Package handles your main business — all 15 Level 1 practices mapped to 142 required artifacts. The L2 CUI Enclave Package handles your CUI environment — 110 Level 2 practices mapped to 182 defined artifacts, with a pre-filled SSP, POAM framework, Risk Register, and evidence checklist.

⚠️ Self-Assessment Programs Only. The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope. If you're unsure whether your program qualifies for self-assessment, a free consultation can clarify your specific situation before you commit to a compliance path.

Let's Figure Out the Right Scope for Your Business

Your scope decision depends on your specific contracts, how CUI moves through your organization, and your program's self-assessment eligibility. A free 30-minute consultation gives you a clear answer — not a generic framework.


The Bottom Line

CMMC Level 2 compliance is achievable for small defense contractors — but the path matters enormously. For most small businesses with a limited CUI footprint, the enclave approach is the right answer: scoped to where CUI actually lives, using government-tier cloud platforms, and implemented without enterprise IT complexity.

The full-company L2 approach is real, necessary for some organizations, and financially significant. But it's probably not your situation if you're a small contractor with bounded CUI exposure and a handful of DoD contracts.

The two-package approach — $2,495 for your L1 main business compliance, $3,495 for your L2 CUI enclave — gives you full coverage at a price point that reflects the actual scope of your compliance obligation. That's what right-sized means.

✅ What the Two-Package Approach Gives You

  • L1 Turnkey Package ($2,495): 15 practices → 142 artifacts, 8 bi-weekly consulting sessions, platform-specific templates for M365 or Google Workspace, evidence locker, SPRS report
  • L2 CUI Enclave Package ($3,495): 110 practices → 182 artifacts, 12 bi-weekly consulting sessions, dedicated CUI enclave configuration guides for GWS for Government or M365 GCC High, SSP, POAM, Risk Register, time estimates on every task
  • Together: Complete compliance coverage for both your FCI obligations (L1) and your CUI obligations (L2 enclave)

Scope the enclave right. Build it once. Maintain it as an ongoing part of your contract compliance program. And stop worrying about whether compliance requires overhauling your whole company — for most small contractors, it simply doesn't.

Overwatch Tools | CMMC Compliance Solutions

Making CMMC Compliance Achievable for Small Defense Contractors

overwatchtools.com | info@overwatchtools.com

© 2025 Overwatch Tools. All rights reserved.
