CMMC-Enclave vs Do It Yourself (DIY) 

Cybersecurity Maturity Model Certification (CMMC) 

I was given the opportunity to write an opinion piece about using a ‘CMMC Enclave’ strategy vs DIY. That is a bit of an ‘apples and oranges’ comparison. ‘Enclave’ here means you put your Controlled Unclassified Information in one virtual ‘basket,’ possibly with the help of a Managed Service Provider. Then you watch that basket very carefully! Let’s assume DIY means you go enterprise-wide and manage Controlled Unclassified Information (CUI) yourself internally.  

Short Answer: Sorry, the non-answer has to be: It depends on the combination of your organization’s size, the actual and potential prevalence of FCI (Federal Contractor Information) or CUI on your network, your long-term strategy, your available manpower and financial resources, and your risk appetite. All I can do is list factors and mental frameworks for you to consider.

Long Answer: Personally, I like an ‘Enclave’ strategy for an SMB with limited resources, although it has the risks of leakage. An enterprise-wide strategy involves a lot of planning, training, and resources, and possibly is a great long-term strategy for a major player in the Defense Industrial Base.

For your orientation to make your decision, let’s start with reviewing the January 2026 FAQs from DoW (formerly DoD) on CMMC. This is 14 pages, but it is as quick a current read on CMMC as you are going to get.  

https://dodcio.defense.gov/Portals/0/Documents/CMMC/CMMC-FAQsv4.pdf 

You also need someone to have read (meaning ‘know!’) the CMMC-Accreditation Body’s CMMC Assessment Process (CAP), version 2.0 (December 2024). That is a complicated 29-page document, and your expert needs to stay current with the updating going on now. They can do this via attendance at CMMC-AB’s monthly Town Halls. You can find the current CAP on the CMMC-AB’s website, https://cyberab.org/ (Resources-Downloads), and get on the Town Hall webinar schedule. The next one is 31 March 2026. Be forewarned: the word ‘enclave’ only appears once in the document, and it just refers to reporting if you use an enclave approach.

Why am I spending this blog writing about references rather than telling you what to do? Because this decision must be one tailored to you! There is also a ton of information and opinion out there on news feeds, and some of it is, in my opinion, misleading or out of date! There are many people just waiting to spend your money, and the CMMC process is complicated and confusing, so use the authoritative resources above. If you ask these people the right questions, and understand their answers in context, you are better positioned in negotiations.

By the way, be very, very careful no subordinate employee ever ‘exaggerates’ in the very slightest on your CMMC rule compliance, especially on self-assessments. There is a thing called the False Claims Act, and it is enforced in federal acquisitions!  
