One of our country’s more important assets is its information. The U.S. IT infrastructure carries private information covering things like financial information, private information, defense and military information or information that is critical to the operation of government agencies. Some information is classified, and some, while not deemed sensitive enough to classify, are protected as Controlled Unclassified Information, or CUI.
CUI is protected under government regulation, which means that if your business wants to work with federal or defense agencies, it must meet regulations to participate.
What is an Enclave in Cybersecurity?
There is no 100% secure system. This is the premise that cybersecurity is built on. One of the reasons that security as a practice is so difficult is that software is both incredibly complex and prone to vulnerabilities (probably due to this complexity).
To address these limitations, security experts and regulators rely on several different ways to protect the information, based on potential attack surfaces:
- Software encryption: Probably the most well-known and lowest-cost method of data protection is using an encryption algorithm to obfuscate data either during transit (like Transport Layer Security, or TLS) or at rest in a server (like AES-256). Encryption can make it so that stolen data cannot be read by the thief, rendering it basically useless.
- Hardware encryption, aka Hardware Security Modules (HSMs): These modules use physical sources of entropy (randomness) to generate encryption services for specific applications in a system, including additional areas like boot sectors, biometric key storage or other physical systems.
The former is always required by almost every compliance framework. However, there is a limit to where you can encrypt data. For example, data that moves through your systems, even if encrypted, implicates employees and systems as part of necessary compliance standards. That is, even if data is encrypted if your people contact it, they (and their systems) must undergo audits under regulations.
That’s why some security firms are turning to what’s called an “Enclave”, where software and hardware are configured to create a clear separation between people who are authorized to access data and those that are not. This includes protective security tools, hardware controls and data management tools to direct how CUI moves through the system.
Even better, these enclaves can be deployed permanently or temporarily as part of a contract. In the former case, you can maintain separation internally, while in the latter you can create compliant ways to interact with third parties and vendors that can be then destroyed after the fact.
How Does CMMC Impact Handling CUI?
Controlled Unclassified Information (CUI) is data that hasn’t been classified for national security purposes but that requires special security safeguards to control dissemination, maintain privacy and ensure security. This information designation is most often used in defense contracting with contractors or subcontractors working with Department of War (DoW) agencies or specific Executive Branch agencies. The collective of agencies, contractors and subcontractors is called the Defense Industrial Base (DIB).
The Cybersecurity Maturity Model Certification (CMMC) framework is the newest governing security framework for the handling of CUI. CMMC is broken down into levels that outline the capabilities and practices that an organization must have to meet that level and, thus, handle specific kinds of data for defense agencies.
To handle CUI, your business must meet CMMC Level 3 at a minimum. At this level, your organization must maintain “Good” cyber hygiene as defined in NIST SP 800-171 and DFARS alongside the ability to create, implement, maintain, manage and resource plan for organization-wide security systems.
At Level 3, your organization has implemented several types of security controls that include:
- Implementing DNS filtering services
- Analyzing and prioritizing security events and their resolution and remediation
- Completing regular and secured data backups of all CUI
- Deploying spam protection, anti-malware software, and firewall controls
- Utilizing encryption for all CUI at rest and in transit
- Endpoint security for mobile devices, including encryption
- Collecting audit log information and performing audit reviews
- Using multi factor authentication
And others. All told, CMMC Level 3 has 58 required practices you must meet before handling CUI. This is true for all systems and all employees in your organization.
What are the Advantages and Disadvantages of Using an Enclave Approach?
The more systems and people that interact with CUI, the more complex your compliance efforts are going to get. That’s where the enclave approach supports more effective compliance. This can get even more troublesome if you are considering using a public or private cloud solution.
For example, commercial Microsoft products are not CMMC compliant. Microsoft offers what they call the GCC High to help contractors meet DoD contracting requirements. However, this approach includes a costly migration to Microsoft servers, and these servers will house your entire IT infrastructure.
And that means the entire infrastructure: all employees, all databases, everything.
The enclave approach can, when configured correctly, provide advantages over complex compliance upgrades or third-party migrations. In fact, according to CMMC regulations, the deployment of a secure enclave can mitigate the need to secure an entire infrastructure, so long as that enclave meets CMMC Level 3 requirements.
Handling CUI isn’t the only place where you can take advantage of enclaves. For example, handling classified data through networks like the Secret Internet Protocol Router Network (SIPRNet) that carries classified information securely.
In both cases, you can sequester CUI or classified data in specific locations with tightly controlled access and security measures that minimize who must be trained and audited in your organization.
Conclusion
Managing government data appropriately is a tall order, which is why government frameworks like CMMC are so exacting. Translating those guidelines across an entire organization can be a huge challenge for anybody, not to mention expensive.
If you find yourself or your organization ready to step into DoD contracting or the handling of CUI or classified information, work with security partners that can automate compliance and minimize your compliance footprint with advanced technologies.
Lazarus Alliance is a certified C3PAO that offers full-service risk assessment and risk management services helping enterprise businesses and SMBS sustain a proactive cybersecurity and compliance strategy that meets requirements for frameworks including CMMC, FedRAMP and HIPAA. Call 1-888-896-7580 to discuss your organization’s cybersecurity needs and find out how we can help you as an authorized CMMC C3PAO.
What Is Autonomous Malware?
We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI. With that in mind, a new generation of threats, broadly known as...Continue reading→
What CISA’s Emergency Directive 26-01 Means for Everyone
In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→
Cybersecurity and Vetting AI-Powered Tools
A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→
Shutdown Security And Cyber Vulnerability
When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%. Cybersecurity failures during government disruptions rarely start with...Continue reading→
Identity and the Shift from Malware
The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing. We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→
Maintaining Compliance Against Prompt Injection Attacks
The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→
Are We Already Talking About CMMC 3.0?
The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→
Centralizing Identity-Based Risk
As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector. It has become imperative for providers to centralize identity management...Continue reading→
Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide
FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility. This is where deviation requests and significant change requests come into play. These two...Continue reading→
The Costs of Compliance and Data Breaches
Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→
Related Posts