Federal Contractor Stack & Reference Architecture

The CUI Enclave, SSP, POAM, SPRS, and DFARS 7012 stack we deploy for defense contractors

A reference architecture for CMMC Level 1, Level 2, and Level 3 readiness. Petronella Technology Group ships a documented CUI enclave, NIST SP 800-171 control implementation evidence across all 110 controls, an SSP and POAM authoring service, an SPRS scoring uplift workflow, a DFARS 7012 incident reporting playbook, and a Shared Responsibility Matrix that survives prime-sub flow-down.

CMMC RPO #1449 | NC DFE #604180 | Founded 2002

Stack Anatomy

What a CMMC-ready federal contractor environment actually contains

CMMC and NIST SP 800-171 do not name products. They name capabilities. The deliverable below is the capability stack we ship, mapped to the 14 NIST SP 800-171 Rev 2 control families and forward-traceable to the Rev 3 restructuring. Each capability is documented in the SSP with an explicit implementation statement, a test procedure, and an evidence artifact a C3PAO can verify.

Identity & Access

Identity, MFA, and Privileged Access

Entra ID (Azure AD) tenant scoped to the CUI enclave, phishing-resistant MFA (FIDO2 keys or platform authenticators), conditional access policies enforcing device compliance and U.S.-only network locations, and a Privileged Identity Management workflow with just-in-time elevation. Maps to NIST SP 800-171 Rev 2 families 3.1 (AC), 3.5 (IA).

  • FIDO2 hardware MFA for all privileged accounts
  • Conditional access blocking non-U.S. sign-ins
  • Quarterly access reviews with documented attestation
  • PIM eligible-role workflow for all elevated permissions

Endpoint & Configuration

Hardened Endpoints + Configuration Baseline

Microsoft Defender for Endpoint (or equivalent EDR/XDR), Intune managed enrollment with CIS benchmark baselines, BitLocker FIPS-validated encryption, Windows Hello biometric login, and a documented configuration baseline reviewed quarterly. Maps to 3.4 (CM), 3.13 (SC), 3.14 (SI).

  • EDR/XDR with 24/7 SOC alerting
  • FIPS 140-2/140-3 validated cryptography
  • CIS Level 1 baseline with documented exceptions
  • Quarterly configuration drift report

Network & Segmentation

CUI Enclave Network Boundary

Separate Microsoft 365 GCC High tenant (or equivalent FedRAMP Moderate/High cloud) for CUI workloads, segregated VNet/VLAN with documented egress filtering, U.S.-only geo-IP enforcement at the firewall and identity layer, and DLP egress controls preventing CUI from leaving the boundary. Maps to 3.13 (SC).

  • FedRAMP Moderate or High cloud tenant for CUI
  • Documented network boundary diagram in the SSP
  • Geo-IP egress block at perimeter and identity layer
  • DLP policies tagging and blocking CUI exfiltration

Logging & Monitoring

Audit, SIEM, and Continuous Monitoring

Centralized log collection from endpoints, identity, network, and cloud control plane into a SIEM (Microsoft Sentinel or equivalent), 90-day hot retention plus 12-month cold retention, daily log review with documented evidence, and continuous control monitoring against the SSP. Maps to 3.3 (AU).

  • Centralized SIEM with U.S.-located data residency
  • 90-day hot + 12-month cold log retention
  • Daily SOC review with timestamped evidence
  • Continuous control monitoring dashboard

Awareness & Personnel

Insider Threat, Training, Personnel Screening

Annual NIST SP 800-181 NICE-aligned training, role-based privileged user training, insider threat program documentation, U.S.-person-only attestation for CUI-touching staff, and onboarding/offboarding workflow integrated with HR and IT for documented evidence. Maps to 3.2 (AT), 3.9 (PS).

  • Annual general security training + phishing simulation
  • Role-based training for privileged users
  • U.S.-person-only attestation for CUI access
  • Documented offboarding evidence within 24 hours

Incident Response

DFARS 7012 IR Workflow + DIBNet

Documented incident response plan exercised annually via tabletop, DIBNet enrollment with active medium-assurance certificate, 72-hour reporting workflow with pre-staged narrative templates, 90-day media preservation playbook, and forensic readiness with chain-of-custody procedures honored by an NC-licensed Digital Forensic Examiner. Maps to 3.6 (IR).

  • DIBNet medium-assurance cert enrolled and tested
  • 72-hour ICF template pre-staged for sub-scenarios
  • 90-day forensic media preservation runbook
  • Annual tabletop exercise with documented findings

Reference Architecture

CUI Enclave Reference Architecture

The enclave below is the architecture pattern we deploy for the typical Tier 2 or Tier 3 defense subcontractor. It minimizes CMMC assessment scope, separates CUI from commercial workloads, and produces the boundary diagram and data-flow documentation a C3PAO assessor needs in the SSP.

Boundary Definition

The enclave perimeter is drawn around the people, systems, and data that touch Controlled Unclassified Information. Everything outside the boundary is "commercial" and out of CMMC scope. The boundary is documented in the SSP with a network diagram, an asset inventory, and a data-flow map. We typically draw it around: a dedicated Microsoft 365 GCC High tenant; a segregated cloud subscription (Azure Government, AWS GovCloud, or equivalent); a small set of physical endpoints used only by U.S.-person CUI handlers; and the connecting links between them.

Data Classification Labels

Microsoft Purview (or equivalent) sensitivity labels enforce CUI handling automatically. Labels we configure:

  • CUI//SP-PRVCY: CUI with privacy specified category
  • CUI//SP-PROP: proprietary business information
  • CUI//SP-EXPT: export-controlled (ITAR/EAR overlay)
  • CUI//BASIC: general CUI without specified category
  • FCI: Federal Contract Information (Level 1 boundary)
  • COMMERCIAL: out-of-scope, default label

Conditional Access Policies

Identity-layer enforcement that blocks non-compliant access patterns before authentication completes:

  • U.S.-only sign-in for CUI-labeled resources (geo-IP block at identity)
  • Compliant-device requirement (Intune-managed, attested boot, healthy)
  • Phishing-resistant MFA required for all CUI-tagged app access
  • No legacy authentication protocols (SMTP basic, IMAP, POP3 disabled)
  • Session control via Defender for Cloud Apps for download blocking
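The five policy requirements above are easy to state and easy to get subtly wrong in a tenant (a policy left in report-only mode, plain MFA where phishing-resistant MFA was intended). The linter below is an added example written for this page, not Petronella's tooling and not a Microsoft product. It assumes policies are represented in a Microsoft Graph-like dict shape (field names mirror the conditionalAccessPolicy resource, but every value, app ID, location ID and policy in the two sample tenants is constructed) and reports which enclave requirements no enabled policy satisfies.

```python
"""Conditional access policy linter for a CUI enclave (added example, constructed data)."""
from __future__ import annotations

CUI_APPS = {"app-cui-sharepoint", "app-cui-teams"}   # constructed app object IDs
US_LOCATION_ID = "loc-united-states"                 # constructed named-location ID


def _enabled(p: dict) -> bool:
    # Report-only ("enabledForReportingButNotEnforced") does not count as enforcement.
    return p.get("state") == "enabled"

def _covers_cui_apps(p: dict) -> bool:
    apps = set(p["conditions"]["applications"].get("includeApplications", []))
    return "All" in apps or CUI_APPS <= apps

def _grants(p: dict) -> list[str]:
    return p.get("grantControls", {}).get("builtInControls", [])

def _is_block(p: dict) -> bool:
    return "block" in _grants(p)


def check_us_only(policies: list[dict]) -> bool:
    """A block policy on CUI apps for all locations except the U.S. named location."""
    for p in policies:
        loc = p["conditions"].get("locations", {})
        if (_enabled(p) and _covers_cui_apps(p) and _is_block(p)
                and loc.get("includeLocations") == ["All"]
                and US_LOCATION_ID in loc.get("excludeLocations", [])):
            return True
    return False

def check_compliant_device(policies: list[dict]) -> bool:
    return any(_enabled(p) and _covers_cui_apps(p) and "compliantDevice" in _grants(p)
               for p in policies)

def check_phishing_resistant_mfa(policies: list[dict]) -> bool:
    """Plain 'mfa' is not enough; require an authentication strength named phishing-resistant."""
    for p in policies:
        strength = p.get("grantControls", {}).get("authenticationStrength") or {}
        if (_enabled(p) and _covers_cui_apps(p)
                and "phishing-resistant" in strength.get("displayName", "").lower()):
            return True
    return False

def check_legacy_auth_blocked(policies: list[dict]) -> bool:
    """Block policy whose client app types cover legacy protocols (EAS plus 'other')."""
    for p in policies:
        kinds = set(p["conditions"].get("clientAppTypes", []))
        if _enabled(p) and _is_block(p) and {"exchangeActiveSync", "other"} <= kinds:
            return True
    return False

def check_download_block(policies: list[dict]) -> bool:
    for p in policies:
        cas = p.get("sessionControls", {}).get("cloudAppSecurity") or {}
        if (_enabled(p) and _covers_cui_apps(p) and cas.get("isEnabled")
                and cas.get("cloudAppSecurityType") == "blockDownloads"):
            return True
    return False

CHECKS = {
    "us_only_sign_in": check_us_only,
    "compliant_device": check_compliant_device,
    "phishing_resistant_mfa": check_phishing_resistant_mfa,
    "legacy_auth_blocked": check_legacy_auth_blocked,
    "download_block_session_control": check_download_block,
}

def missing_controls(policies: list[dict]) -> list[str]:
    """Names of enclave requirements no enabled policy satisfies (empty list == pass)."""
    return [name for name, fn in CHECKS.items() if not fn(policies)]


def _policy(name, *, state="enabled", apps=("All",), grants=(), strength=None,
            locations=None, client_apps=None, session=None) -> dict:
    """Build a constructed policy dict in the Graph-like shape the checks expect."""
    p = {"displayName": name, "state": state,
         "conditions": {"applications": {"includeApplications": list(apps)}},
         "grantControls": {"operator": "AND", "builtInControls": list(grants)}}
    if strength:
        p["grantControls"]["authenticationStrength"] = {"displayName": strength}
    if locations:
        p["conditions"]["locations"] = locations
    if client_apps:
        p["conditions"]["clientAppTypes"] = list(client_apps)
    if session:
        p["sessionControls"] = session
    return p

WEAK_TENANT = [  # constructed: MFA only, and the geo block was never taken out of report-only
    _policy("Require MFA", grants=("mfa",)),
    _policy("Block non-US", state="enabledForReportingButNotEnforced", grants=("block",),
            locations={"includeLocations": ["All"], "excludeLocations": [US_LOCATION_ID]}),
]

HARDENED_TENANT = [  # constructed: one enforced policy per enclave requirement
    _policy("CUI: block outside US", grants=("block",), apps=CUI_APPS,
            locations={"includeLocations": ["All"], "excludeLocations": [US_LOCATION_ID]}),
    _policy("CUI: compliant device + phishing-resistant MFA", apps=CUI_APPS,
            grants=("compliantDevice",), strength="Phishing-resistant MFA"),
    _policy("Block legacy authentication", grants=("block",),
            client_apps=("exchangeActiveSync", "other")),
    _policy("CUI: block downloads", apps=CUI_APPS,
            session={"cloudAppSecurity": {"isEnabled": True,
                                          "cloudAppSecurityType": "blockDownloads"}}),
]

if __name__ == "__main__":
    print("weak tenant missing:", missing_controls(WEAK_TENANT))
    print("hardened tenant missing:", missing_controls(HARDENED_TENANT))
```

The weak tenant fails all five checks even though an MFA policy exists and a geo-block policy was drafted, which is the usual finding: report-only state and generic MFA do not produce the evidence the SSP implementation statement claims. Running the check on a policy export before each quarterly review gives the continuous-monitoring artifact for this control.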

DLP Egress Controls

Data loss prevention policies inspect content for CUI markings and metadata, blocking egress on outbound email, web upload, USB, cloud storage, and chat. Override requires documented business justification, a privileged-user role, and a logged audit event. Quarterly egress-event review feeds the continuous monitoring evidence.
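The label scheme above and this egress policy fit together as one decision path: derive the label from the document's banner marking (or its existing metadata label), then allow or block per channel, with an override that must carry a justification, a privileged role, and a logged audit event. The code below is an added example written for this page, not Petronella's tooling and not Microsoft Purview; the label names follow the page, while the sample documents, the role name "cui-egress-approver", the channel names and the audit-log structure are constructed.

```python
"""Label-driven egress decision for a CUI enclave DLP policy (added example, constructed data)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Banner marking -> sensitivity label, ordered so the most specific marking wins
# (a bare "CUI" also appears inside "CUI//SP-EXPT", so the category checks go first).
MARKING_TO_LABEL = [
    (re.compile(r"\bCUI//SP-PRVCY\b"), "CUI//SP-PRVCY"),
    (re.compile(r"\bCUI//SP-PROP\b"), "CUI//SP-PROP"),
    (re.compile(r"\bCUI//SP-EXPT\b"), "CUI//SP-EXPT"),
    (re.compile(r"\bCUI\b"), "CUI//BASIC"),      # CUI with no specified category
    (re.compile(r"\bFCI\b"), "FCI"),
]
DEFAULT_LABEL = "COMMERCIAL"                     # out of scope unless a marking says otherwise

EGRESS_CHANNELS = {"email", "web_upload", "usb", "cloud_storage", "chat"}
BLOCKED_LABELS = {"CUI//SP-PRVCY", "CUI//SP-PROP", "CUI//SP-EXPT", "CUI//BASIC"}
OVERRIDE_ROLE = "cui-egress-approver"            # constructed privileged-user role name

AUDIT_LOG: list[dict] = []                       # stand-in for the SIEM feed the quarterly review reads


def classify(content: str, metadata_label: str | None = None) -> str:
    """An existing metadata label wins (applied at creation); otherwise scan the banner marking."""
    if metadata_label:
        return metadata_label
    for pattern, label in MARKING_TO_LABEL:
        if pattern.search(content):
            return label
    return DEFAULT_LABEL


@dataclass(frozen=True)
class Override:
    justification: str
    actor_roles: frozenset[str]

@dataclass
class Decision:
    action: str            # "allow" | "block" | "allow_with_override"
    label: str
    channel: str
    audit_event: dict | None = None


def egress_decision(content: str, channel: str, *, metadata_label: str | None = None,
                    override: Override | None = None, actor: str = "unknown") -> Decision:
    """Apply the egress policy to one transfer attempt and log every block or override."""
    if channel not in EGRESS_CHANNELS:
        raise ValueError(f"unknown egress channel: {channel}")
    label = classify(content, metadata_label)
    if label not in BLOCKED_LABELS:             # FCI and COMMERCIAL are not held by this CUI policy
        return Decision("allow", label, channel)
    if (override is not None and override.justification.strip()
            and OVERRIDE_ROLE in override.actor_roles):
        event = {"event": "dlp_override", "label": label, "channel": channel,
                 "actor": actor, "justification": override.justification}
        AUDIT_LOG.append(event)
        return Decision("allow_with_override", label, channel, event)
    event = {"event": "dlp_block", "label": label, "channel": channel, "actor": actor}
    AUDIT_LOG.append(event)
    return Decision("block", label, channel, event)


SAMPLE_DOCS = {  # constructed documents; first line is the banner marking, if any
    "drawing.pdf": "CUI//SP-EXPT\nTechnical data package for assembly A",
    "memo.docx": "CUI\nInternal program memo",
    "invoice.pdf": "FCI\nInvoice under the prime contract",
    "brochure.pdf": "Marketing brochure, approved for public release",
}

if __name__ == "__main__":
    for name, body in SAMPLE_DOCS.items():
        d = egress_decision(body, "usb", actor="demo-user")
        print(f"{name}: label={d.label} usb={d.action}")
```

Content inspection alone will misfire (a training deck that merely mentions "CUI" would be held), which is why the metadata label applied at creation takes precedence and why every block and override lands in the audit log: the quarterly egress-event review described above is where those false positives and the override justifications get examined.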

FedRAMP-Aligned Cloud Baselines

Where the enclave touches a cloud service, the service must be FedRAMP Moderate or High authorized, and the customer-side configuration (the part the contractor owns under the Shared Responsibility Matrix) must inherit the FedRAMP baseline. We configure to the CIS Microsoft 365 Foundations Benchmark, the CIS Azure Foundations Benchmark, or the equivalent for AWS GovCloud, document deviations in the SSP, and track them on the POAM.

CMMC Level Matrix

Deliverables per CMMC level (1, 2, and 3)

CMMC 2.0 has three levels and the deliverable scope changes meaningfully at each one. Below is the explicit deliverable matrix we ship per level. Petronella Technology Group supports readiness for all three; Level 3 work is rare but real.

CMMC Level 1

Basic FCI safeguarding, annual self-assessment

  • 17 FAR 52.204-21 practice implementations
  • FCI boundary documentation (lighter than CUI enclave)
  • Annual self-assessment workbook with evidence index
  • SPRS posting + executive affirmation in SAM.gov
  • Basic awareness training for FCI-handling staff
  • POAM tracking for any open practices

CMMC Level 2

110 NIST 800-171 controls, C3PAO assessment

  • Full NIST SP 800-171 Rev 2 SSP across all 14 families
  • Implementation evidence per control (110 entries)
  • POAM with realistic milestones for partial controls
  • SPRS scoring with a conservative, defensible answer
  • Continuous control monitoring + quarterly drift report
  • C3PAO pre-assessment readiness review (mock audit)
  • Triennial C3PAO assessment coordination + remediation
  • Annual executive affirmation between assessments

CMMC Level 3

NIST 800-172 enhanced, DIBCAC government assessment

  • Foundation: full Level 2 program in place
  • Selected NIST SP 800-172 enhanced security requirements
  • Advanced threat hunting + intrusion deception controls
  • Cyber resiliency testing (red-team-against-controls)
  • Supply chain risk management documentation
  • DIBCAC pre-engagement scoping support
  • Government-led assessment evidence preparation
  • Triennial DIBCAC assessment cycle support

Audit Evidence Stack

The artifact set a C3PAO actually asks for

CMMC assessment is an evidence exercise. Below are the document and artifact deliverables we author and maintain. Each one ties back to specific NIST SP 800-171 Rev 2 controls and is referenced in the SSP implementation statements.

Doc 01 System Security Plan (SSP)

Authored to NIST SP 800-18 structure, one implementation statement per control across all 110 NIST SP 800-171 Rev 2 requirements with explicit Rev 3 traceability annotations. Reviewed quarterly.

Doc 02 POAM (Plan of Action & Milestones)

One row per partial or unimplemented control with realistic milestone date, owner, resource estimate, and SPRS-impact value. Reviewed monthly with the contractor's compliance lead.

Doc 03 SAR (Security Assessment Report)

Internal SAR documenting the pre-C3PAO mock assessment results, control-family scores, identified deficiencies, and remediation evidence. Auditors review it during their pre-engagement read-in.

Doc 04 Network Boundary Diagram

Visio (or equivalent) diagram showing the CUI enclave perimeter, identity boundary, data flows in and out, and connection points to commercial systems. Included as an SSP appendix.

Doc 05 Asset & Hardware Inventory

Authoritative inventory of every endpoint, server, network device, and cloud workload inside the CUI boundary. Auto-refreshed from Intune + cloud control planes; reconciled monthly.

Doc 06 Policies & Procedures Library

14 control-family-aligned policies plus the supporting procedure documents auditors expect: access control, audit log management, configuration management, incident response, system maintenance, media protection.

Doc 07 Training Records

Per-employee training completion logs, signed acknowledgments, role-based privileged-user training records, and phishing-simulation results retained for the assessment cycle.

Doc 08 Continuous Monitoring Evidence

Quarterly control-monitoring dashboard exports, configuration drift reports, vulnerability scan results, log review attestations, and access review attestations indexed by control number.

Incident Reporting Workflow

DFARS 252.204-7012 incident reporting workflow (the 72-hour clock)

DFARS 7012 requires a cyber incident report to DoD via DIBNet within 72 hours of discovery, plus 90-day media preservation. Below is the workflow we deploy and exercise with each contractor.

Detection & Triage

SIEM alert or SOC analyst flags potential CUI compromise. The on-call IR lead runs the documented triage runbook to confirm scope: which CUI, which systems, what timeline, what evidence is at risk.

Forensic Preservation

Affected media is acquired with chain-of-custody documentation by an NC-licensed Digital Forensic Examiner (DFE #604180). Original media plus a working copy are preserved for the full 90-day retention window.

DIBNet Submission

Pre-staged Incident Collection Format (ICF) template is populated with the confirmed incident facts. The DIBNet submission goes to DC3 within the 72-hour clock using the medium-assurance certificate already enrolled and tested.

Prime & Counsel Notification

Parallel notifications to the affected prime contractor (per the flow-down clause) and to the contractor's legal counsel. Notifications are templated and reviewed by counsel before sending; we coordinate but do not own the legal communication.

Containment & Eradication

Network forensics work isolates the attacker's footprint. Compromised credentials are rotated, malicious infrastructure is blocked, and systems are remediated against the documented attacker TTPs.

Lessons Learned + SSP Update

Within 30 days of containment, we produce a documented lessons-learned report, update the SSP and POAM with new controls, and exercise the updated runbook in a tabletop with the contractor's incident response team.

Shared Responsibility Matrix

Prime, subcontractor, and Petronella responsibility split

Flow-down compliance is collapsing under unclear responsibility splits. We publish a Shared Responsibility Matrix at the start of every engagement so the prime knows what they own, the contractor knows what they own, and Petronella Technology Group has explicit ownership of the engineering deliverables. Excerpt below.

Capability | Prime | Subcontractor | Petronella
Flow-down clause issuance | Owns | Acknowledges | Reviews
CUI marking & classification | Owns (source markings) | Owns (handling) | Configures DLP labels
SSP authoring | Reviews | Approves | Authors
SPRS scoring & posting | Verifies | Owns posting | Calculates & advises
POAM management | Reviews | Approves milestones | Maintains
CUI enclave engineering | Reviews architecture | Owns business decisions | Builds & operates
72-hour DFARS incident report | Notified | Owns submission | Drafts & supports
Forensic preservation (90-day) | Notified | Authorizes | Executes (DFE #604180)
C3PAO assessment | Reviews outcome | Engages C3PAO | Prepares + supports
Annual executive affirmation | Tracks | Owns affirmation | Provides supporting evidence

Adjacent Capability

Private AI inference for classified-adjacent CUI workloads

Defense contractors increasingly need AI capability (document summarization, contract review, code assistants, technical search) inside the CUI enclave without sending data to commercial frontier-model APIs that violate the boundary. Petronella Technology Group operates a private AI inference cluster designed to host open-weight models on customer-controlled hardware inside the enclave, so the data never leaves the boundary and the inference call never crosses into a commercial cloud tenant.

The architecture pattern: open-weight LLM (Llama, Qwen, DeepSeek, or similar) running on GPU hardware inside the enclave network, accessed via an OpenAI-compatible API endpoint, with conditional access enforcement at the identity layer. CUI sensitivity labels propagate from the source documents through the inference call, and the audit log captures every prompt and completion for the same retention window as the rest of the enclave evidence. This is the deliverable for contractors who want AI capability without rebuilding their CMMC assessment scope.

New to defense contracting? Want the buyer-identity context first?

This page is the deliverable view. If you are still working out which CMMC level applies, what the threat landscape looks like, who the typical defense buyer is, what the regulatory anxiety actually feels like, and how Tier 2/Tier 3 supplier relationships drive the work, the buyer-identity companion page covers that ground. Same firm, business-context layer.

See the defense-contractor identity view →

FAQ

Federal contractor stack questions

What does a CUI enclave actually contain?

A documented network perimeter, a separated identity tenant (Microsoft 365 GCC High or equivalent FedRAMP-authorized cloud), a hardened endpoint baseline for the U.S.-person CUI handlers, conditional access policies enforcing the boundary at sign-in, sensitivity labels classifying CUI automatically, DLP policies blocking egress, centralized logging into a SIEM, and the SSP/POAM documentation describing all of the above. The enclave is what minimizes CMMC assessment scope and keeps commercial workloads out of audit.

Can we share an SSP across multiple programs?

Usually no. The SSP describes a specific information system with a specific boundary. Two programs with different CUI types, different authorized users, or different cloud tenants need either two SSPs or one SSP with explicit subsystem partitioning. We tend to recommend separate SSPs because shared SSPs make POAMs harder to manage and break the assessment narrative.

How do you calculate an honest SPRS score?

For each of the 110 NIST SP 800-171 Rev 2 requirements, we evaluate the implementation against the DoD Assessment Methodology and assign one of three values: implemented (no deduction), partially implemented (counts as not implemented for SPRS scoring), or not implemented (subtracts the assigned weight: 1, 3, or 5 points). The starting score is 110; deductions can drive it negative. We do not round up. The score we post matches the evidence, which matches the SSP, which matches what a C3PAO will see.
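The scoring rule just described is simple enough to implement and worth implementing, because the same function then produces the POAM rows ordered by SPRS impact. The calculator below is an added example written for this page, not Petronella's SPRS tooling. It encodes the rule as stated (start at 110, partial counts as not implemented, subtract the 1/3/5 weight, never round up, negatives allowed). The 110 requirement identifiers follow the Rev 2 family counts, but the weights in the sample catalog are constructed for illustration and are not the DoD Assessment Methodology values; a real run would load those weights from the methodology.

```python
"""SPRS score calculator for a NIST SP 800-171 Rev 2 self-assessment (added example, constructed weights)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110  # one point per requirement before deductions


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"                  # scores as not implemented for SPRS purposes
    NOT_IMPLEMENTED = "not_implemented"


@dataclass(frozen=True)
class Requirement:
    control_id: str   # e.g. "3.1.1"
    weight: int       # 1, 3 or 5 per the methodology; sample values in this example


def deduction(req: Requirement, status: Status) -> int:
    """Points lost for one requirement; partial gets no credit, exactly as the FAQ states."""
    if req.weight not in (1, 3, 5):
        raise ValueError(f"{req.control_id}: weight must be 1, 3 or 5")
    if status is Status.IMPLEMENTED:
        return 0
    return req.weight


def sprs_score(assessment: dict[str, Status], catalog: dict[str, Requirement]) -> int:
    """Score an assessment; every catalog requirement needs a status so nothing gets silent credit."""
    missing = sorted(set(catalog) - set(assessment))
    if missing:
        raise ValueError(f"unassessed requirements: {missing}")
    unknown = sorted(set(assessment) - set(catalog))
    if unknown:
        raise ValueError(f"not in catalog: {unknown}")
    return MAX_SCORE - sum(deduction(catalog[cid], st) for cid, st in assessment.items())


def poam_rows(assessment: dict[str, Status], catalog: dict[str, Requirement]) -> list[dict]:
    """One POAM candidate row per non-implemented requirement, highest SPRS impact first."""
    rows = [
        {"control": cid, "status": st.value, "sprs_impact": catalog[cid].weight}
        for cid, st in assessment.items() if st is not Status.IMPLEMENTED
    ]
    return sorted(rows, key=lambda r: (-r["sprs_impact"], r["control"]))


def sample_catalog() -> dict[str, Requirement]:
    """All 110 Rev 2 requirement IDs (3.<family>.<n>) with CONSTRUCTED weights:
    first requirement in each family 5, second 3, the rest 1. Not the DoD values."""
    counts = {1: 22, 2: 3, 3: 9, 4: 9, 5: 11, 6: 3, 7: 6,
              8: 9, 9: 2, 10: 6, 11: 3, 12: 4, 13: 16, 14: 7}
    catalog: dict[str, Requirement] = {}
    for family, count in counts.items():
        for n in range(1, count + 1):
            cid = f"3.{family}.{n}"
            catalog[cid] = Requirement(cid, 5 if n == 1 else 3 if n == 2 else 1)
    return catalog


def example_assessment() -> dict[str, Status]:
    """Constructed self-assessment: everything implemented except four gaps."""
    status = {cid: Status.IMPLEMENTED for cid in sample_catalog()}
    status["3.1.1"] = Status.NOT_IMPLEMENTED    # weight 5 in the sample catalog
    status["3.3.2"] = Status.PARTIAL            # weight 3; partial scores as not implemented
    status["3.5.3"] = Status.PARTIAL            # weight 1
    status["3.13.11"] = Status.NOT_IMPLEMENTED  # weight 1
    return status


if __name__ == "__main__":
    catalog = sample_catalog()
    print("score:", sprs_score(example_assessment(), catalog))
    for row in poam_rows(example_assessment(), catalog):
        print(row)
```

With the constructed weights the sample assessment scores 100, and marking every requirement not implemented scores -84, which is how a negative SPRS score arises in practice. The POAM rows come out ordered by weight so remediation effort goes to the highest-value gaps first, matching the prioritization the FAQ below describes for contractors with a negative score.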

What is the difference between an SSP and a POAM?

The SSP describes how every required control is implemented. The POAM describes how partially-implemented or not-implemented controls will be brought to full implementation. Every "not implemented" line in the SSP needs a corresponding POAM entry with an owner, a milestone date, and a resource estimate. The POAM is the bridge between current-state and assessment-ready state.

Do you author the SSP for us, or just review what we write?

We author. SSPs written by IT teams without compliance authoring experience usually fail the C3PAO read-through because the implementation statements are too vague, too marketing-flavored, or too disconnected from the evidence. Our SSP authoring service produces 110 implementation statements written to the format C3PAO assessors expect, with explicit pointers to evidence artifacts.

What is FedRAMP and do we need our own authorization?

FedRAMP is the federal program that authorizes commercial cloud services for government use. Defense contractors do not typically need their own FedRAMP authorization unless they are providing a cloud service back to a government customer. What you do need is to use FedRAMP-authorized cloud services (Microsoft 365 GCC High, Azure Government, AWS GovCloud, Google for Government) for your CUI workloads. The customer-side configuration of those services still falls under your CMMC scope; FedRAMP covers the underlying platform.

How do you handle the SPRS scoring for a contractor with a negative score?

Honestly. A negative SPRS score with a credible POAM showing realistic remediation milestones is better than a fabricated 110 that cannot survive pre-award due diligence. We help contractors post the honest score, build the POAM that primes will accept as a path forward, and prioritize the technical remediation that closes the highest-value gaps first.

What does CMMC Level 3 readiness add?

Level 3 sits on top of Level 2 and adds a subset of NIST SP 800-172 enhanced security requirements: advanced threat hunting, intrusion deception controls, cyber resiliency testing, and supply chain risk management documentation. The assessment is government-led (DIBCAC) rather than commercial C3PAO. Level 3 is reserved for the most sensitive programs and most contractors will never need it. We support the readiness work for the small but growing number of clients who do.

Can you operate the stack ongoing, not just deploy it?

Yes. Most clients keep us on for ongoing operations: SOC monitoring, SIEM management, continuous control monitoring, quarterly drift reporting, monthly POAM review, annual SSP refresh, and incident response on-call. This is the work that turns a one-time CMMC certification into a year-over-year defensible compliance posture.

Bring us your contract clauses and we will scope the technical stack honestly

Forward the DFARS clause, the prime's flow-down requirement, or the SPRS request, and we will reply with the deliverables, the timeline, and the scope assumptions. No inflated scores, no theatre, no scope creep into capability you do not need.

Petronella Technology Group · 5540 Centerview Dr., Suite 200, Raleigh, NC 27606 · CMMC RPO #1449 · NC DFE #604180