
Custom CMMC
Enclaves
For the Defense Industrial Base (DIB).
A contract defines what you deliver. Business processes produce it. An enclave enables those processes and meets the LRGWPs that apply to the data it receives.
We capture the current state of your operation, propose the target state, implement it, and advocate for you during assessment.
- 01Business Modeling[Current State]
- 02Enclave Proposal[Target State]
- 03Implementation
- 04Assessment Support
A protected environment with two jobs.
An enclave is the bounded, access-controlled environment you carve out to store, process, and transmit Controlled Unclassified Information (CUI). It is the information systems (technical and biological) and the physical and logical spaces they exist in. It sets the boundaries for where CUI can travel. It is deliberately separated from the rest of your business to reduce the assets that are in scope for your assessment. A good one does two things.
Enable your organization to perform its operational work.
The environment must support the actual business processes required to execute your contracts. This requirement carries equal weight to CUI protection, because an enclave that impedes legitimate work will either be circumvented, exposing your organization to False Claims Act (FCA) liability, or require reassessment to incorporate the needed functionality.
Satisfy CUI protection requirements under NIST SP 800-171 and applicable LRGWPs.
The enclave must implement the security controls required to protect Controlled Unclassified Information (CUI) in accordance with NIST SP 800-171 Revision 2. NIST SP 800-171 represents the baseline requirement for any non-federal system handling CUI. However, additional requirements may be imposed by the specific laws, regulations, or government-wide policies (LRGWPs) applicable to that data.
Not sacrificing business functionality
for compliance.
Many organizations force themselves into a less functional environment because an out-of-the-box solution can greatly simplify the compliance process. These SaaS solutions can, in many cases, be a great option for organizations with a straightforward business use case. However, using pure SaaS can present risks if proper measures are not taken to ensure the solution will fit your business needs.
Input Trace starts by understanding your business requirements first, then builds a solution around how your organization actually operates. Depending on those requirements, the solution may take the form of one of the three architectural patterns outlined below.
Problems that can arise from not understanding your business needs:
- 01 Functionality gaps surface after a SaaS product is procured, and get patched in after the fact.
- 02 Mature internal processes are sacrificed to fit the technical features the tool provides.
SaaS
The provider manages everything and gives your users access to a tenant in their environment (this could be a configurable environment like M365 or an out-of-the-box compliant overlay solution). It is best for lightweight software requirements.
Example requirements- Office Suite
- Lightweight VDI Apps
Cloud
Our specialtyPart of the work needs an application SaaS cannot host. IaaS/PaaS extends the boundary to run it, and the SaaS runs alongside it.
Example requirements- PostgreSQL-Backed App
- Custom Service Integrations
Cloud + On-Prem
Our specialtyPart of the CUI workflow needs to exist onsite. The enclave has to extend to the room where that work happens, which in turn captures many additional device types into the scope of assessment.
Example requirements- CAD
- Real Time Software
- Embedded Firmware Flashing
Input Trace specializes in the Type 02 [Cloud] and Type 03 [Cloud + On-Prem] deployments. As your contract requirements pull you toward more complex environments, we are here to help.
Reduce risk.
Clarity before you implement.
Building a CMMC enclave will affect your workflows, technology, facilities, staffing, and recurring operating costs. Because every organization handles CUI differently, an accurate design, budget, and implementation timeline cannot be responsibly developed before the business is understood.
Input Trace has built our customer engagement around this understanding: we begin with a fixed-price, $5,000 architecture engagement. Through two phases, we model how your organization operates today, define how it must operate within the enclave, and develop a target-state architecture with recommended technologies, projected costs, and an implementation roadmap.
This gives you a clear, defensible plan before you commit to purchasing products or deploying infrastructure.
Understand the full cost before implementation begins.
Enclave costs can extend far beyond the initial technology purchase. Infrastructure, licensing, managed services, facilities, implementation, and ongoing operations must all be considered. Our process identifies these requirements and consolidates them into a transparent cost model.
Design compliance around how your business works.
Selecting a solution before understanding your requirements can create functionality gaps or force mature business processes into tools that do not support them. We model your workflows first so the enclave enables your operations rather than restricting them.
Know what must happen and when.
CMMC readiness can affect your ability to pursue or continue supporting certain contracts. We develop a sequenced implementation roadmap so you can understand the work ahead, plan around business priorities, and prepare for assessment.
- 01
Business Modeling
Map how FCI and CUI enter, move, mutate, and leave the business. Every external organization is enumerated and classified — Subcontractor, ESP, CSP, or Out of Scope.
- Current-state data-flow diagram
- External-org inventory
- In-scope asset list
- 02
Enclave Proposal
Superimpose the data-flow diagram over the network topology and the floor plan to fix the physical and logical boundary, then propose the target state.
- Target Design Package (TDP)
- Shared Responsibility Matrix
- SSP skeleton
- 03
Implementation
Deploy the target state — AVD host pools, FSLogix on Azure Files over Private Link, Log Analytics over AMPLS, GCC High data routing. CAD/CAM stays on the workstation.
- Deployed enclave
- Hardening baselines
- As-built documentation
- 04
Assessment Support
Assemble evidence, walk the mock assessment, and sit with the C3PAO through the actual audit. Every control traces to an artifact produced by an earlier workflow.
- Evidence package
- Mock assessment
- C3PAO audit support
Discipline is what makes the artifacts defensible.
Every workflow produces a named artifact. Every artifact traces to a control. Every control traces to an assessor question. The chain is why our clients pass their assessment on the first try, and why the enclave keeps holding up as the business changes.
- [ 01 ]
Treat the business as an information system.
It takes inputs, transforms them through business processes, and produces deliverables. Every component inside it is the same kind of thing.
- [ 02 ]
Run one set of questions, recursively.
Because every component is an information system, the same questions apply to each one. Follow the data from node to node until you reach a base case.
- [ 03 ]
The data-flow diagram is the artifact.
Roles with CUI access read off the diagram. In-scope networks come from superimposing it over the topology. Physical rooms from the floor plan. External orgs and assets from the same source.
- [ 04 ]
Plan for the contract you have not won yet.
Under 32 CFR 170.19, an architectural or boundary change can trigger reassessment. We build the enclave so in-pattern growth is not a significant change. You scale inside a fixed architecture instead of re-opening your certification.
Plenty of providers say they can take you end to end.
Few actually can.
Getting an Organization Seeking Assessment (OSA) to CMMC Level 2 certification takes a specific stack of capabilities: the regulation, the architecture, and the shop floor. We bring people who have done that work at scale.
- [ 01 ]
Fortune 100 experience
Our security architects have designed and deployed environments at Fortune 100 scale. The discipline required for that complexity gets applied to shops of five to five hundred.
- [ 02 ]
SDVOSB
Service-Disabled Veteran-Owned Small Business. We know what it means to serve. The Defense Industrial Base is the community we come from, not one we recently discovered.
- [ 03 ]
Assessor-defensible by construction
Founder credentials: CCA (Certified CMMC Assessor) and CISSP. FedRAMP Moderate-aware data routing. The methodology is built to hold up under assessment, not just compliant on paper.
- [ CCA ] Certified CMMC Assessor
- [ CISSP ] Certified Information Systems Security Professional
- [ FedRAMP ] Moderate-aware data routing
Ready to map your CUI flow?
A discovery conversation is the fastest way to understand whether Input Trace is a fit. We will walk the current state and scope the engagement from there.
