CUI Enclave Architecture. On-Premise Alternative to GCC High.
Most defense contractors do not need every employee in GCC High. They need a bounded enclave that protects CUI workflows and the OT that handles them — without an all-org Microsoft migration. Here is how an on-premise enclave compares, when it wins, and how to deploy it in 3-6 weeks.
You are evaluating how to protect Controlled Unclassified Information for CMMC Level 2. The default answer in 2026 is GCC High — Microsoft's government cloud tenant. For some contractors, that is the right call. For most, it is overkill. GCC High forces every CUI-touching user into a separate Microsoft tenant with separate licenses, separate identity, and a migration project that takes 9-18 months. And it does not cover the legacy OT, PLCs, CNCs, or specialized assets that produce or consume CUI on the shop floor.
The alternative — an on-premise CUI enclave — protects CUI workflows where they actually live: in your engineering systems, your OT segments, your CAD/CAM applications. The enclave is bounded by network controls, identity gates, and audit logging. It covers what GCC High covers (NIST 800-171 controls), adds what GCC High does not (OT, specialized assets), and deploys in weeks instead of months.
GCC High cost per user per month
GCC High G5 license. Multiply by every user who handles CUI — even occasionally. For 200-user contractors, that is $120k-$216k/year before professional services.
GCC High migration timeline
Tenant procurement, license negotiation, identity migration, mailbox migration, application rehost. The October 2026 CMMC enforcement deadline is non-negotiable.
Share of OT covered by GCC High
GCC High is an IT productivity stack. It does not cover PLCs, HMIs, CNCs, SCADA, or any specialized asset on the production floor. Those still need a separate solution.
The ten dimensions that matter at the architecture decision
| Dimension | GCC High | On-Premise Enclave | Edge |
|---|---|---|---|
| Time to deploy | 9-18 months (tenant procurement, license negotiation, identity migration, app rehost) | 3-6 weeks (appliance install, network integration, policy config) | ON-PREMISE |
| License cost (per user, annual) | $50-90 per user / month for G5 GCC High suite | Flat annual subscription per appliance, no per-seat fees | ON-PREMISE |
| OT and specialized asset coverage | Limited — designed for IT productivity, not industrial control systems | Native — protects PLCs, HMIs, CNCs, SCADA at the network layer | ON-PREMISE |
| Identity backbone | Entra ID (Azure AD) only — single vendor lock | Entra, Okta, AD on-prem, or local — bring your IdP | ON-PREMISE |
| CUI control coverage (NIST 800-171) | ~80% of 110 controls via M365 + GCC High services | ~87% via network enforcement + audit-ready evidence packs | EVEN |
| Email and collaboration | Native — Exchange, Teams, SharePoint, OneDrive in CUI-compliant tenant | Not provided — use existing IT email if CUI flows are bounded by enclave | GCC HIGH |
| Compatibility with existing IT | Forces all CUI users into the GCC High tenant — migration of email, identity, files | Coexists with existing M365 commercial — only the CUI flows traverse the enclave | ON-PREMISE |
| Air-gap / disconnected deployment | Cloud-dependent — requires persistent internet to Azure GCC High region | Air-gap supported — appliance runs locally, no outbound cloud calls required | ON-PREMISE |
| FCI vs CUI scope flexibility | All-or-nothing — once in GCC High, all org IT flows through it | Enclave-scoped — protect only the CUI workflows, leave the rest in commercial | ON-PREMISE |
| C3PAO assessment evidence | Microsoft shared responsibility matrix + customer SSP | Per-session logs, policy configs, segmentation baselines — all auditor-ready | EVEN |
Dimensions where on-prem wins
GCC High wins on email/collab and shared responsibility maturity. On-premise wins on speed, cost, OT coverage, identity flexibility, scope efficiency, and deployment topology. For most small-to-mid defense contractors, on-premise is the better starting architecture. For very large primes, the hybrid model is increasingly the answer.
The right answer depends on your size, your OT footprint, and your existing Microsoft posture.
Small-to-mid defense contractor
10-500 employees, holding 1-5 DoD contracts with CUI. Currently on M365 commercial. Cannot afford the all-org migration to GCC High.
Recommended: On-premise enclave. Next step:
Scope the enclave to the engineering/project teams that handle CUI. Leave the rest of the org in commercial M365. 90% cost reduction vs full GCC High migration.
Defense manufacturer with legacy OT
Job-shop CNCs, PLCs, HMIs that handle CUI drawings and production files. GCC High does not cover any of these — wrong product category.
Recommended: On-premise enclave. Next step:
Enclave wraps the OT segment plus the engineering workstations that push files to it. CUI never leaves the on-premise boundary. CMMC Level 2 path is enclave-only — no GCC High needed.
Large prime contractor
5,000+ employees, dozens of CUI-handling teams across multiple subsidiaries. Already on GCC High or migrating. Email/collab needs are real.
Recommended: Hybrid. Next step:
GCC High for collaboration. On-premise enclave for OT and specialized assets that GCC High cannot cover. Each handles what it's designed for — no architectural compromise.
Air-gap / classified-adjacent operator
Sites that operate offline by policy — naval shipyards, research labs, certain defense plants. Cannot maintain persistent cloud connection.
Recommended: On-premise only. Next step:
GCC High is structurally incompatible. On-premise enclave is the only option that meets both CUI protection and operational reality.
Enclave deployed, C3PAO-ready evidence.
Week 1: asset discovery + scope confirmation. Week 2: install + identity. Week 3: policies + audit logging. Evidence packs delivered every week.
3-6 weeks to enclave-live
Compare to 9-18 months for a GCC High tenant migration with identity and mailbox migration overhead. The October 2026 deadline is not negotiable.
Covers what GCC High cannot
PLCs, HMIs, CNCs, SCADA, and any specialized asset on the shop floor. GCC High is an IT productivity stack — it does not reach the production network.
Building toward CMMC Level 2 certification?
The on-premise enclave is one piece of a CMMC L2 architecture. See our guide to CMMC compliance for defense manufacturers with legacy OT for the broader solution, the Respect Your Elders manufacturing-specific landing page, and What is CMMC compliance? for the framework primer.
CUI enclave architecture
NIST 800-171 controls covered
A CUI enclave is a logically separated environment within an organization's network that contains all systems and data subject to NIST SP 800-171 control requirements. The enclave is bounded by network controls, identity controls, and audit logging — only authorized users and processes can enter, and all traffic is recorded. The rest of the organization's IT environment can remain on commercial-grade infrastructure. The enclave approach is recognized in DoD CMMC guidance as a valid scope-reduction strategy: instead of treating the entire org as CUI-handling, you treat only the enclave that way.
GCC High is Microsoft's government-cloud tenant for Department of Defense contractors. It runs M365 (Exchange, Teams, SharePoint, OneDrive) in a dedicated infrastructure that meets DFARS 7012 and supports CUI workflows. It became the default CMMC path because it solves the email/collaboration side of CUI handling — but it forces the entire CUI user population into the GCC High tenant, with license, identity, and operational consequences that many small-to-mid contractors find prohibitive.
Four scenarios. (1) When your CUI flows include OT, PLCs, CNCs, or specialized assets that GCC High does not cover. (2) When most of your organization does not handle CUI — paying GCC High licenses for hundreds of non-CUI users is wasted budget. (3) When you operate disconnected or air-gapped sites that cannot maintain cloud connectivity. (4) When the migration cost and timeline to GCC High are incompatible with the contract deadline driving CMMC certification.
Yes — and for many large primes this is the practical answer. GCC High handles email, Teams, and collaboration for the CUI-handling user population. The on-premise enclave handles OT, specialized assets, and CUI flows that originate or terminate outside of M365 productivity tools. The two architectures coexist; the C3PAO assesses each scope against the relevant controls. This is increasingly the dominant architecture for primes with both modern IT and traditional manufacturing footprints.
Access Gate enforces ~87 of the 110 controls directly at the network layer: access control (AC), audit and accountability (AU), identification and authentication (IA), system and communications protection (SC), system integrity (SI). The remaining ~23 controls require organizational measures (personnel security, physical, training) or customer-owned process controls. Every covered control generates auditor-ready evidence on demand — session logs, policy configurations, segmentation baselines, denied-access records.
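To make the enclave model concrete (bounded by a segmentation baseline, an identity/MFA gate, and an audit record for every decision), here is a small Python policy gate added as an illustration; it is not the page's or the Access Gate product's code. The segment addresses, the `cui-engineering` group name and the mapping of each decision to NIST SP 800-171 requirement ids (3.1.1, 3.1.3, 3.3.1, 3.5.3, 3.13.1) are assumptions chosen for the example.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed segmentation baseline; addresses are assumed, not from any real deployment.
SEGMENTS = {
    "corporate":   ip_network("10.0.0.0/16"),    # commercial M365 users, no CUI
    "engineering": ip_network("10.10.20.0/24"),  # CAD/CAM workstations inside the enclave
    "ot":          ip_network("10.10.30.0/24"),  # PLCs / HMIs / CNCs inside the enclave
}
# Permitted (src, dst) flows and the IdP group that may use them (group name assumed).
# Anything else is denied at the boundary (3.13.1) and logged as a blocked CUI flow (3.1.3).
ALLOWED_FLOWS = {
    ("engineering", "ot"): "cui-engineering",
    ("engineering", "engineering"): "cui-engineering",
}

def segment_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "outside")

def evaluate(user: str, groups: set, mfa: bool, src_ip: str, dst_ip: str) -> dict:
    """Decide one session at the enclave boundary; the returned record is the audit entry (3.3.1)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    controls = ["3.3.1", "3.13.1"]                       # every decision evidences AU and SC boundary
    if (src, dst) not in ALLOWED_FLOWS:                  # segmentation baseline, checked first
        verdict, reason, extra = "deny", "flow not in segmentation baseline", ["3.1.3"]
    elif not mfa:                                        # identity gate: MFA before any enclave access
        verdict, reason, extra = "deny", "MFA required for enclave access", ["3.5.3"]
    elif ALLOWED_FLOWS[(src, dst)] not in groups:        # authorization by IdP group
        verdict, reason, extra = "deny", "user not in authorized group", ["3.1.1"]
    else:
        verdict, reason, extra = "allow", "authorized CUI flow", ["3.1.1", "3.1.3", "3.5.3"]
    return {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
            "src": f"{src_ip} ({src})", "dst": f"{dst_ip} ({dst})",
            "verdict": verdict, "reason": reason, "controls": sorted(controls + extra)}

def evidence_summary(log: list) -> dict:
    """Per-requirement allow/deny counts: session and denied-access evidence for an assessor."""
    summary: dict = {}
    for rec in log:
        for ctl in rec["controls"]:
            summary.setdefault(ctl, {"allow": 0, "deny": 0})[rec["verdict"]] += 1
    return summary
```

Note that an OT host trying to reach anything outside the enclave is denied by the baseline alone, which is the "CUI never leaves the on-premise boundary" property the scenarios above rely on.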
3-6 weeks for a single-site enclave. Week 1: asset discovery and scope confirmation (which workflows, which users, which OT assets are in scope). Week 2: appliance installation and network integration, identity provider connection. Week 3: policy configuration, MFA enforcement, audit logging activation. Week 4: evidence package generation, SSP draft alignment, internal review. Weeks 5-6: remediation cycles and pre-C3PAO walkthrough. Compare to 9-18 months for a GCC High tenant migration with identity and data migration overhead.