How the Enclave Approach Can Help Meet CMMC Requirements 

For defense contractors, the best way to protect sensitive information is to keep a tight lid on access. 

As defense industry suppliers work to meet new rigorous Department of Defense (DoD) cybersecurity requirements, maintaining a tight lid can be accomplished by taking an “enclave” approach to digital data management. Having enclave infrastructure means protecting controlled unclassified information (CUI) and other data by limiting the number of employees with access to a discrete channel of communication. Think of it as need-to-know networking. 

Embracing enclave architecture will help companies meet the DoD’s Cybersecurity Maturity Model Certification (CMMC) 2.0 requirements, said MxD Cybersecurity Analyst Famous Jefferson. “It’s all about safeguarding information,” he said. 

Many small and midsized manufacturers (SMMs) in the defense industrial base will struggle to meet CMMC’s seemingly complex demands for protecting digital data, but Jefferson said going with an enclave approach makes the challenges more manageable.

Jefferson said MxD can provide general advice to SMMs as they consider whether an enclave is appropriate to help them meet CMMC requirements. “This is an organization-by-organization choice,” Jefferson said. 

Also, because an enclave (a sequestered data system) is typically cloud-based, the work can be outsourced to a managed security service provider (MSSP) that specializes in working with the defense industrial base. These providers understand CMMC requirements and how to secure enclaves, which removes much of an individual manufacturer's burden of managing the networks that keep CUI secure.

We recently asked Jefferson more about adopting the enclave approach to cybersecurity. (Interview edited for space.) Here are his insights:

Q: What is an enclave approach? 

FJ: An enclave is a cloud-based environment that is highly secured and locked down. All data network traffic is controlled so that when you’re receiving CUI or proprietary information, only people who have permission can access it. For example, regardless of the size of your corporate environment, with an enclave you can limit the employee access and authorization to a subset of the full staff. This will enable you to say to the DoD, “I have this many users. Here’s how access is controlled. This is how we’re securing the infrastructure and ensuring no one is getting information out of it or intercepting any of it.”

Q: The key is separation, right?

FJ: Yes. If your organization were to get hacked, the enclave information would be secure because it would be separate, or air gapped. Nothing can touch it from outside.

Q: Does the DoD require using enclaves to meet CMMC 2.0 requirements?

FJ: No. All it cares about is that if you’re Level One, you’re doing basic cybersecurity hygiene. If you’re Level Two, they want you doing elevated hygiene, and if you’re Level Three, you’re doing advanced hygiene. You want to ensure that the information that the DoD or a prime contractor or subcontractor is sharing with you is secure and protected from anyone stealing it. You can do it on site, or you can do it in an enclave.

Q: When it comes to meeting CMMC requirements, what is the biggest advantage of an enclave? 

FJ: It gives you a way to say for your assessment, “We’ve eliminated the physical controls by using the cloud.” Also, if you choose to go with an MSSP, the benefit is you are not managing it yourself — it’s your information and you still own it — but you are hiring a third party to be responsible for making sure the infrastructure is working as intended, versus doing it yourself and risking a mistake.

Q: How do you get started? 

FJ: As an organization, the first thing to ask is, “What are we trying to accomplish?” Say it’s, “I want to create a secure infrastructure to communicate and receive information from the DoD or the military or whoever, for contract purposes.” Then: “Where are we at right now? Are we a cloud-based organization, an on-premises organization, or a hybrid organization?” You may decide it’s going to cost too much to build on-premises infrastructure, so you choose to go enclave. If you’re already cloud-based, opting for an enclave usually means you may need to add a second solution that connects to your existing cloud base. It’s about where you are and where you want to be.

Q: Do you need a consultant? 

FJ: No. But you need the right conversations with the right organizations. You want to find a contractor like C3 Integrated Solutions or Redspin or Summit 7. Talk to them, meet with them, and see what they’re going to charge to spin up an environment.

Q: What is the biggest challenge?

FJ: Figuring out how much it’s going to cost. The most expensive part of this process is the amount of data you’re going to store. You need to ask, “What’s my return on investment?” If you spend $25,000 to $90,000 a year, the return on your investment is the ability to bid on DoD contracts or receive funding from DoD contracts. So, if you want to be on DoD contracts, it’s beneficial. If you don’t care about DoD contracts, don’t do it.

More resources on enclaves:

Visit the MxD Virtual Training Center for information on cybersecurity workforce training resources.