CMMC Compliance for Manufacturers: Should You Build a Secure Enclave?

    Learn how manufacturers can achieve CMMC compliance by building secure enclaves to protect Controlled Unclassified Information (CUI) and meet DoD requirements efficiently and cost-effectively.


    If you’re a manufacturing contractor working with the U.S. Department of Defense (DoD), there’s a good chance you’ve heard acronyms like CMMC and CUI floating around, but what do they actually mean, and why are they suddenly critical to your business? 

    What’s CMMC, CUI, and Why Should Manufacturers Care? 

    CUI stands for Controlled Unclassified Information—this is sensitive data related to defense work that doesn’t rise to the level of being classified, but still must be protected under federal law. This can include technical drawings, specifications, contracts, or even emails related to DoD projects. 

    As a manufacturer, you work most with a type of CUI called Controlled Technical Information (CTI). Here is a brief description of what type of data that is and what would be in scope for CMMC Level 2 requirements: 

    “Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. The term does not include information that is lawfully publicly available without restrictions. 
     
    "Technical Information" means technical data or computer software, as those terms are defined in Defense Federal Acquisition Regulation Supplement clause 252.227-7013, "Rights in Technical Data - Noncommercial Items" (48 CFR 252.227-7013).  
     
    "Technical information with military or space application" means any blueprints, drawings, plans, instructions, computer software and documentation that can be used, or be adapted for use, to design, engineer, produce, manufacture, operate, repair, overhaul, or reproduce any military or space equipment or technology concerning such equipment (10 U.S.C. 130).” 

    Source: https://www.dodcui.mil/Defense/Controlled-Technical-Information/  


    To safeguard this information, the DoD introduced CMMC, the Cybersecurity Maturity Model Certification. CMMC sets the security standards that contractors must meet if they want to win or keep defense work. 

    Now here’s the problem: most manufacturers don’t have centralized IT systems designed to isolate and protect sensitive data. That’s where an enclave comes in. 

    What’s an Enclave? 

    In plain English, an enclave is a secure, separate part of your IT environment or a digital “room” where only the people and systems who need access to CUI can get in. Think of it as a secure vault for your data and users. 

    Enclaves can help manufacturers meet CMMC requirements without overhauling their entire business IT infrastructure. Instead of locking down every computer, printer, and shop floor machine, you can isolate just the parts of your business that handle CUI. 

    But is an enclave right for your business? Let’s dig into that. 


    Should You Build a Secure Enclave for Your Manufacturing Business? 

    Not every manufacturer needs an enclave, but for many it’s the most efficient, cost-effective way to get compliant. Here are the key questions to ask: 

    • Do you know where all your CUI lives? 
    • Can you isolate that data and its users into a single environment? 
    • Do fewer than 15% of your employees need access to CUI? 
    • Can your workflows function inside a separate, secure space? 

    If the answer to these is yes, or can be yes with a little cleanup, an enclave might be your best path forward. 

    The Manufacturing-Specific Challenges of CMMC Enclaves 

    Every industry faces different challenges when building an enclave. In manufacturing, those challenges often include:

    1. Engineering Software and Application Compatibility

    Tools like AutoCAD, SolidWorks, and ERP systems must run securely inside the enclave, often on Azure Virtual Desktop with GPU acceleration. 

    2. Printed Drawings and Shop Floor Workflows

    Most manufacturers rely on printed CUI documents for assembly work. If shop-floor workers don’t have computers, then printers become part of your compliance boundary. 

    Best Practice: Use FIPS-compliant USB drives to transfer documents securely for printing, or create “staging laptops” that handle the encrypted transfer of files without risking data spillage.

    3. Legacy Equipment and Specialized Assets

    You might be running CNC machines or other gear on Windows XP or even MS-DOS. These systems can’t be secured with modern controls, but they don’t have to be. The DoD allows for “specialized assets” that fall under different rules as long as you document how you’re mitigating the risk. 

    Example: One defense manufacturer discovered over 500 CUI files by simply searching for “DOD Distribution Statement” across its systems, which was far more than expected. That discovery changed the scope of their enclave dramatically.


    4. Physical Site Considerations

    If any part of your enclave connects to on-site systems or printers, your physical building may become part of your compliance scope. Some manufacturers are consolidating sensitive work into a few secure facilities or even considering mobile enclave trailers for job sites. 

    Virtual or Physical? Choosing the Right Model 

    Virtual Desktop Infrastructure (VDI) is a popular approach to enclaves, especially for sales or back-office staff. But latency issues or engineering app limitations may make physical devices a better fit for your factory floor. You can use a mix of both, based on your needs. 

    Rule of Thumb: If your users are more than 70 ms of network latency away from your cloud infrastructure, they’re going to have a bad VDI experience. You can test that by running a speed test here: https://www.speedtest.net/ 


    Quick Tips for Manufacturing Enclaves 

    • Audit your CUI footprint. Use tools in Microsoft 365 or on-prem file servers to scan for DOD keywords, contract numbers, and CUI banners. 
    • Don’t overscope. Use FIPS-encrypted USBs or secure print rooms instead of pulling entire networks into your CMMC boundary. 
    • Take advantage of asset categories. Classify OT/ICS gear as “specialized assets” to avoid full compliance requirements on outdated systems. 
    • Plan for growth. If you start with a 20-user enclave, make sure it can scale if you discover more CUI than expected. 
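The CUI footprint audit from the first tip, and the "DOD Distribution Statement" search in the earlier example, can be sketched as a small file-share scan. This is an added example, not a tool from the original article: the function names, the marking patterns, the dashed contract-number format and the sample files are all assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Marking patterns. The contract-number regex is an assumed dashed format.
PATTERNS = {
    "dist_statement": re.compile(r"DISTRIBUTION\s+STATEMENT\s+([A-F])\b", re.I),
    "cui_banner": re.compile(r"^\s*(?:CUI|CONTROLLED)(?://[A-Z0-9/\-]+)?\s*$", re.M),
    "contract_no": re.compile(r"\b[A-Z][A-Z0-9]{5}-\d{2}-[A-Z]-[A-Z0-9]{4}\b"),
}

def scan_text(text):
    """Return the sorted marking types found in one document's text."""
    hits = set()
    for m in PATTERNS["dist_statement"].finditer(text):
        letter = m.group(1).upper()
        # Statement A means approved for public release, so report it separately.
        hits.add("dist_statement_public" if letter == "A" else "dist_statement_" + letter)
    for name in ("cui_banner", "contract_no"):
        if PATTERNS[name].search(text):
            hits.add(name)
    return sorted(hits)

def scan_tree(root):
    """Walk root and map relative path -> markings for every file with a hit."""
    report = {}
    for path in Path(root).rglob("*"):
        try:
            with path.open("rb") as fh:
                # Raw-text view, first 5 MiB only; PDF, Office and CAD need extraction.
                text = fh.read(5 << 20).decode("utf-8", errors="ignore")
        except OSError:
            continue  # directories and unreadable files are skipped, not fatal
        if hits := scan_text(text):
            report[str(path.relative_to(root))] = hits
    return report

def demo():
    """Scan a throwaway directory of constructed sample files."""
    samples = {
        "bracket_rev3.txt": "CUI//SP-CTI\nDISTRIBUTION STATEMENT D\nContract XX0000-25-C-0001\n",
        "brochure.txt": "Distribution Statement A. Approved for public release.\n",
        "lunch_menu.txt": "Tacos on Tuesday.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_text(body)
        return scan_tree(root)
```

Files that only carry Distribution Statement A are reported separately because that statement marks public-release material; a hit on B through F, a CUI banner or a contract number is what should feed the enclave scope.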

    Final Thought: You Don’t Need to Lock Down Everything 

    CMMC compliance for manufacturers doesn’t mean reengineering your whole company. By isolating CUI into a well-designed enclave, you can reduce risk, simplify assessments, and keep your DoD contracts flowing. 

    Need help planning or building your enclave? We specialize in helping manufacturers navigate CMMC and set up secure enclaves that work with real-world operations. Contact us today for a tailored assessment. 

     


    Summit 7 Leadership

    Author