Scoping — Official DoD FAQ

Must Enterprise Networking Components Outside My Enclave Be in CMMC Scope?

Source: DoD CIO CMMC FAQs v5 (F-Q4)

No. So long as the enclave is otherwise logically separated from the greater enterprise network, the transmission of properly encrypted CUI data does not incur an extension of the CMMC Assessment Scope to include the enterprise networking components.

Enclave Scoping: Good News for Complex Networks

If you've properly architected your CUI enclave with logical separation from your enterprise network, the enterprise components do not need to be in your CMMC assessment scope — even if encrypted CUI data traverses them.

Requirements for This Exception

  • Logical separation: The enclave must be properly segmented from the enterprise network (firewalls, VLANs, ACLs)
  • Proper encryption: CUI data must be encrypted before leaving the enclave (FIPS 140-2/140-3 validated)
  • No CUI processing: Enterprise components must not process, store, or access CUI in unencrypted form

Practical Example

Your company has a dedicated CUI enclave with its own firewall. CUI data traverses your corporate WAN (encrypted via VPN) to reach another CUI enclave at a different site. The corporate WAN routers and switches do not need to be in your CMMC assessment scope, as long as the enclave is logically separated and CUI is encrypted in transit.

Why This Matters

This allows organizations to keep their CMMC assessment scope manageable. Without this provision, every piece of networking infrastructure between sites could be drawn into scope, making assessments prohibitively expensive and complex. Proper enclave design is one of the most effective CMMC scope reduction strategies.
