One of the biggest decisions you need to make when you’re planning a CMMC implementation is which strategy you’re going to use. Your options are enterprise-wide security or an enclave strategy.
Now, we’ve talked about these two options before. Rather than a general guide, though, today we want to look at the factor most likely to drive your decision: costs.
For many organizations, the financial bottom line for any implementation is one of the biggest considerations, and can guide strategy more than it probably should. The more expensive an implementation, the harder it is to earn approval from leadership, and the more difficult it can be to implement properly.
Which option is more cost-effective, and where are the savings? Let’s dig in.
BLUF - Bottom Line Up Front
Choose between enterprise-wide security and an enclave strategy. An enclave limits CUI to a separate network segment, so licensing, audit, training, and remediation costs fall for most staff and systems, but boundary control, productivity loss, vendor certification, and missed contract opportunities add hidden costs. Enterprise scope cuts design and policy work but raises seat fees, assessor fees, training costs, and system upgrade bills. An enclave suits a clear, small CUI footprint.
Defining Enterprise vs Enclave Implementation
First, quickly, a recap.
CMMC is a security framework meant to be used by the defense industrial base and supply chain, all federal contractors working with either the Department of Defense specifically or with any contractors who are themselves working with the DoD, and so on down the chain.
Specifically, the CMMC framework exists to protect Controlled Unclassified Information, Federal Contract Information, Covered Defense Information, and similar kinds of sensitive but not classified information.
If your business intends to be a contractor somewhere in the DoD supply line, you need to evaluate whether or not you touch any of these kinds of information. If you do not, you’re good to operate as normal. If you do, no matter how briefly or how little you handle it, you need CMMC.
CMMC has a lot of security controls and rules. Level 2, the most common for the greatest number of organizations, has 110 security controls you’ll need to implement.
Imagine, for a moment, that you’re a relatively small business, with a couple of hundred employees and a network of business systems providing your services to customers. You want to work with a client, but that client is part of the DoD supply chain, so you would briefly touch CUI.
Do you implement CMMC to earn that client, or do you pass on their contract? It can be a lot of work and a lot of expense to implement CMMC across your organization. A single contract may not be worthwhile. Multiple could, or a significant contract could, but that’s a tricky cost-benefit analysis to perform.
One possible solution is the enclave solution.
An enclave is a subset of your network, staff, and operations that is dedicated to your government contracts. It is segmented and separated from the rest of your operations. Only authorized people can access it, only specific systems take part in it, and critically, only those in-scope aspects of your business need to be secured under CMMC. Everything else can continue as normal.
The limited scope has many benefits, but an enclave is also tricky to build and maintain, especially if your existing operations are tangled and messy. For many businesses, it offers significant savings and opens up contracts that would otherwise not be financially viable.
If an enclave strategy is cheaper across the board, why isn’t it the default choice? Are there tradeoffs to consider? Nothing in life is ever simple, so let’s dig into the details.
Direct Costs and Scope Tradeoffs for an Enclave CMMC Strategy
First, let’s look at the direct costs.
Costs that Drop with Enterprise Scoping
We’ll start with the costs that tend to be lower when you’re just blanketing your entire organization with security and aren’t worrying about scoping.
First of all, you have the scoping itself. It’s easy enough to handle scoping when you use an enterprise-wide strategy. “If it’s part of the business, it’s in scope.” On the other hand, designing your enclave strategy will cost more. You need people to spend time and expertise on planning, defining boundaries, retooling networks and systems, and more.
This cost is largely the salaries of the experts doing the work, but it can also extend to a few other areas. The timeline, for example, can stretch out, because enclave design and planning is work you don’t have to do with an enterprise strategy.
A second cost that tends to be lower with enterprise-wide scoping is policy and procedure development. You don’t need to maintain multiple sets of policies, procedures, and compliance checks for different parts of your organization when all of your organization is under the same rules and regulations.
Using an enclave strategy allows each individual policy to be more specific and cover a smaller group of people. But, you will have more of them, they will need to be appropriately enforced (which can mean more compliance officers), and you will need additional documentation for boundary control. The paperwork can escalate rapidly, and enforcement cannot be taken lightly.
Third, and this one is only sometimes cheaper, is the cost of infrastructure. When you secure all of your systems, you still have just the one business operation, now secured. With an enclave, you may need to spin up new hardware, new software, new networks, and more. All of this adds to costs, though because the enclave takes some of the burden off your non-CMMC systems, those may be slightly reduced to compensate.
It’s not a strict 1:1 cost increase for added systems, but it does add up over time.
Costs that Rise with Enterprise Scoping
Now let’s look at the other side of the coin: the costs that ramp up when you’re securing your entire enterprise, versus keeping the scope limited.
One of the big ones is licensing and seats. As you likely know, many business apps and pieces of software you use have per-user costs associated with them. The more user seats you need in an app, the more expensive it is. Some are simple per-seat costs, while others use tiers.
With an enterprise-wide strategy, your number of seats is equal to the number of employees you have that would be using such a system. You can’t skirt around this, either; part of CMMC is strict access control rules, so tricks like account sharing are prohibited.
With an enclave strategy, only the people within the enclave will need seats at the table, and that means fewer accounts, often dramatically. The difference between paying for 200 seats versus 10 seats is immense.
This adds up fast, especially when you consider it’s not likely to be one or two programs with this scaling cost; it could be a dozen or more, including government security-specific tools.
Another significant cost is the cost of C3PAO assessments. CMMC needs to be validated by a certified third-party assessment organization, which means hiring a firm to come in and do a thorough review of your systems, testing against all of the relevant security controls at your level.
While a lot of this can be done automatically and with machine-readable documentation, not all of it is so simple. The larger your scope, the more people and the more systems are in scope, and the more it takes to review them. Even just something as simple as reviewing employee training means conducting interviews, and the larger the roster you have to have trained, the more interviews are necessary to check for compliance.
More auditors, more time, more systems and people in scope, all mean more costs for the audit.
Speaking of employee training, that’s another area where costs escalate. There’s a huge world of difference between setting up CMMC compliance classes for 20-50 employees versus doing it for 500 employees, or 1,000, or more. The more people you have in scope, the greater the costs of that training and the validation of that training.
Remember, too, that the more people you have with access to controlled systems, the greater your burden is for auditing, for logging, for review, and for compliance. Every added person on the list of those with access is a potential liability, so if you’re blanket training your entire staff even though most of them have no need of it, you’re opening yourself up to a lot of potential vectors for failure or unauthorized access.
There are also remediation costs to consider. If your business has been around for a while, there’s a decent chance that some of your systems are out of date, running on old software, or are otherwise not kept as updated as they should be. The greater the breadth of legacy systems you’re using, the more it will cost to update them and remediate potential risks across them. This gets exponentially worse if you rely on legacy systems for your operations, which can simply be incompatible with CMMC without a lot of custom engineering.
As you can see, broadly speaking, enclave operations are going to be cheaper for the bottom line.
Indirect Costs for Enclave CMMC Scoping
There are also some indirect costs to consider with enclave scoping. It can be difficult to pin these down and assign dollar values, but they can add up over time.
These include:
- Costs of monitoring for boundary drift. Boundaries must be firm, but they can change over time, so you have to pay special attention to make sure they don’t drift out of compliance.
- Productivity hits and operational friction. The added burden of training and segmented systems means employees working within the boundary often face more friction and lower productivity than those outside it, and cross-communication can be tricky. Collaboration, as well, can be difficult.
- Shared responsibility and trickle-down security. A big part of CMMC is ensuring CUI is secured all the way down the supply line. If you work with vendors or suppliers for your operations, and you need them for your enclave, they have to be CMMC-certified as well. If they aren’t, you’re in a bind.
- Opportunity costs. While an enclave strategy can be effective, it’s not universally accepted. Some DoD contractors and subcontractors increasingly expect full enterprise-security models from their partners. You might be removed from consideration for using an enclave strategy if your clients want or expect full-organization security.
You should also consider other aspects of the business that need adjusting. Each time you lose an employee and need to hire a replacement within the scope, you have training and onboarding costs above the norm. Each time a system changes, you need to re-evaluate the boundary and scope. Each of these is a decision you did not have to make before, and the burden grows with every one of them.
When Does Enclave Scoping Make Sense?
Enclave scoping makes sense for many organizations where a scope can be cleanly and clearly defined. If you have a small number of systems where CUI would live, and the border between those systems and the rest of your operations is firm, it’s easy to define the enclave.
An enclave can also make more sense if you’re in a position where the per-person costs for things like software licensing and employee training are disproportionate. The added costs of keeping unnecessary people and systems in scope add up quickly.
On the other hand, enclave scoping can be a naturally limiting factor for your operations. If your business relies on free-flowing responsibility and operations throughout your business, the boundary can be a huge detriment. It’s also simply easier to do enterprise-wide CMMC implementations rather than defining scope and retooling systems, though leaving your organization messy and poorly documented has other repercussions.
And, of course, if you expect to grow in the DoD supply chain and end up in a position where contracts require enterprise-wide security, doing an enclave early can be a lot of “wasted” work.
Whichever avenue you choose, we’re here for you. The Ignyte Assurance Platform is a system that fits easily within your scope and helps you maintain all of your records, logs, and tracking for controls and tasks throughout your compliance efforts. Whether you’re going for an enclave strategy and need firm documentation of your policies, or you’re implementing enterprise-wide security and need full logs accessible, our platform can do it for you.
To see how the Ignyte Assurance Platform can help with your specific situation, reach out and book a demo today. We’ll show you first-hand the value you can get from our platform, and we’re sure you’ll find it useful.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.