
Where You Store Your CUI Data Matters More Than You Think

Jun 9, 2026 5:05:30 PM Wesley Reinhart 14 min read

Your CMMC provider may be quietly holding your defense contracts hostage, and there is a decent chance you signed the paperwork agreeing to it.

There is a question that almost never gets asked during a CMMC vendor selection process, and it is the most important one on the entire list: Who actually owns the environment where my Controlled Unclassified Information lives?


Most small and mid-sized defense contractors are so consumed with passing their CMMC Level 2 assessment that they never stop to interrogate the fine print of how their compliance provider structures their enclave. The result is a growing population of manufacturers and defense contractors who believe they are CMMC-ready, when in reality they have handed the keys to their most sensitive data to a third party, paid recurring fees for the privilege, and locked themselves into a vendor relationship they cannot easily exit. Some of those contractors are currently living out the worst-case version of that scenario in real time.

This is not a hypothetical risk. It happened in May 2026, and it happened overnight.

The NeoSystems Collapse: A Cautionary Tale the Industry Cannot Ignore

On May 1, 2026, NeoSystems terminated its entire CMMC workforce over email with zero advance warning and no transition plan. Hundreds of government contractors were left completely stranded.

The central product at the heart of the crisis was called NeoEnclave, a proprietary hosting environment where NeoSystems stored and processed CUI on behalf of its clients. Clients paid to live inside NeoSystems' compliance infrastructure. They did not own the environment. They did not control the credentials. And when NeoSystems ceased operations, their access to critical data was at risk of vanishing in hours.

No buyer acquired the cybersecurity, CMMC compliance hosting, or cloud infrastructure divisions. Only the back-office accounting division was sold, so the CMMC hosting clients were left with no transition plan and no clear path forward.

Here is what makes this particularly stinging: just 14 months before the shutdown, NeoSystems had achieved a perfect 110/110 score on a CMMC Level 2 assessment. By every visible metric, this was a credentialed, competent provider. A perfect score. New leadership. Public announcements of growth. And then, gone.

The lesson is not that NeoSystems was uniquely bad. The lesson is that the proprietary enclave model (where your CUI lives on someone else's systems) is structurally dangerous regardless of how good the vendor looks today.

What Is a CUI Enclave, and Why Does Scope Change Everything?

Before unpacking the ownership question, it helps to understand what an enclave actually does for you from a compliance cost standpoint.

A CUI enclave is a logically or physically isolated portion of your IT environment where all systems that store, process, or transmit CUI are confined. Think of it as drawing a hard boundary around the specific systems, devices, and people that actually handle sensitive defense data, so the rest of your business does not have to meet the same stringent CMMC requirements.

This boundary is the single most powerful cost-reduction lever available to a defense contractor pursuing CMMC Level 2 certification. A well-defined CUI boundary reduces your CMMC assessment scope, lowers compliance overhead, and gives your C3PAO a clean enclave to evaluate. Done poorly, it derails the assessment before it starts and forces expensive remediation on a compressed timeline.

The numbers bear this out. A defined CUI enclave can cut compliance costs 40 to 60 percent compared to trying to harden your entire network. For a 50-person manufacturer pursuing Level 2 certification, realistic first-year costs run between $120,000 and $350,000 when you factor in gap assessment, remediation, documentation, and C3PAO fees. The enclave is how you stay toward the lower end of that range.

The total cost of audit and compliance will also vary based on the size, maturity, and complexity of the CUI enclave scope. Smaller scope, lower cost. The math is simple. The implementation, however, is where the decisions you make today will determine what your invoice looks like at certification.

Proprietary Versus Customer-Owned Enclaves: The Question That Changes Everything

Not all enclaves are created equal. There are two fundamentally different models, and they carry very different financial and operational implications.

The proprietary enclave model is what NeoSystems sold. The MSP builds and maintains a compliant hosting environment, and your CUI lives inside their infrastructure. You pay a recurring monthly fee to access it. On paper, this looks like a low-friction path to compliance: the environment is pre-configured, the documentation is handled, and the operational overhead stays on the vendor.

What is not in the brochure is what this arrangement actually means:

  • Your CUI lives on their servers, not yours.
  • If the MSP's infrastructure touches CUI (patch management, endpoint protection, identity systems), that provider's environment is part of your audit scope. Your C3PAO will want to assess it.
  • You must understand who controls administrative access to your managed environment, and how that access transfers if the MSP relationship ends.
  • If your MSP dissolves or you need to switch providers, you may need a brand-new CMMC assessment, because your environment has fundamentally changed.

The customer-owned enclave model is the alternative, and it is where CompassMSP operates. Instead of moving your CUI into our infrastructure, we build the enclave inside your own government cloud instance. The environment belongs to you from day one. You hold the credentials. You own the System Security Plan. If you ever change providers, your enclave travels with you, and your CMMC certification posture is not at the mercy of anyone else's balance sheet.

The recurring fees and vendor lock-in associated with proprietary hosting are not abstract concerns. They are features of the model, built in by design. When a provider says they will store and process your CUI on their systems, they have just made themselves permanent infrastructure in your compliance program. Every renewal is a negotiation from a position of dependency.

The True Cost of Getting This Wrong

CMMC 2.0 is no longer a future obligation. The DFARS acquisition rule took effect November 10, 2025, enabling the DoD to include CMMC requirements in applicable solicitations and contracts. Phase 2 enforcement, which brings C3PAO requirements directly into contracts, began in Q1 2026, and the requirement is already appearing in solicitations. The November 2026 deadline for broader Phase 2 compliance is not a soft target.

Consider what it costs when the enclave model fails you:

Audit scope inflation. When your CUI environment is hosted by a third party, the auditors do not stop at your front door. The C3PAO will need to evaluate your MSP's infrastructure as part of your assessment scope. More systems in scope means more controls to document, more evidence to gather, and a longer, more expensive audit.

Compliance continuity risk. When an MSP manages your CMMC-compliant environment, it becomes embedded in your compliance posture. If the provider dissolves, the continuity of that managed program, which your next assessment will evaluate, is lost with it. The NeoSystems clients found this out the hard way.

Data access uncertainty. The Department of Defense will not halt enforcement or grant individual extensions because your vendor failed. Contractors who stored CUI inside NeoEnclave were left scrambling to extract their System Security Plans and compliance documentation under emergency conditions, while simultaneously trying to find a new provider and maintain contract eligibility.

Financial exposure. Vendor lock-in is not a scare tactic; it is a cost structure. When your CUI environment lives on someone else's systems, every price increase, contract renewal, and service change happens on their terms. And if you decide to leave, you are looking at migration costs, potential re-assessment fees, and the operational disruption of rebuilding your compliance posture from the ground up.

How the CompassMSP Enclave Model Is Different

CompassMSP builds your CUI enclave on your own government cloud instance. Not ours. Yours.

This matters in three concrete ways.

You own the environment from day one. The credentials, the configuration, the System Security Plan: everything lives in infrastructure you control. There is no vendor lock-in because there is no vendor dependency baked into the architecture.

Your audit scope stays smaller. Because your enclave is built within your own cloud tenancy rather than inside a shared MSP infrastructure, the scope your C3PAO has to evaluate is cleaner and more contained. Enclave-based scoping is the most effective cost-reduction strategy available under CMMC, and a customer-owned enclave maximizes that advantage.

Your compliance posture survives provider changes. If you ever decide CompassMSP is not the right long-term partner, your enclave does not disappear with us. The environment belongs to you, the documentation belongs to you, and the certification you earned belongs to you. That is the only model that treats a defense contractor like a client rather than a captive.

For deeper guidance on selecting the right compliance partner, see our frameworks for choosing an RPO that ensures you pass your CMMC audit and selecting a C3PAO for Level 2 certification. For a comprehensive overview of what CMMC means for smaller manufacturers, our small manufacturers' guide to defense contracts covers the full picture.

The Question to Ask Every CMMC Provider Before You Sign

There is one question that cuts through every sales conversation: Do I own the enclave, or do you?

If the answer is anything other than a clear, unambiguous "you do," the conversation needs to go a lot deeper before you commit. Ask specifically:

  • Where does my CUI physically reside: on my cloud tenancy or yours?
  • What happens to my System Security Plan and compliance documentation if we part ways?
  • Who holds administrative credentials to the environment, and how does that transfer if needed?
  • Does my audit scope expand because of how you have structured the hosting?
  • What is the offboarding process, and is it explicitly defined in our contract?

These are not paranoid questions. They are the ones you will wish you had asked if you ever find yourself in the position NeoSystems clients found themselves in on the morning of May 2, 2026.

CompassMSP builds your enclave on your government cloud instance, not ours. Ready to build a CUI enclave you actually own? Let's chat.

Your Vendor Should Not Own the Keys to Your Defense Contracts

The compliance question your CMMC provider hopes you never ask is a simple one: where does my data actually live, and what happens to it if everything goes wrong?

NeoSystems had a perfect CMMC score, a new COO from Microsoft, and public announcements of aggressive growth. What its clients did not have was ownership of their own data environment. When the lights went out on May 1, 2026, the vendor's proprietary enclave went from selling point to liability in a single email.

That is not bad luck. That is the business model working exactly as designed, until the day it stops working entirely.

CompassMSP builds your enclave on your government cloud instance, not ours. You get the audit scope advantage, the cost reduction, and the security of owning the infrastructure your compliance depends on. No recurring fees for access to your own data. No lock-in. No scenario where our business decisions become your crisis.

Ready to build a CUI enclave you actually own? Visit our CMMC Readiness page to talk through your options with our team.

Want plain-language compliance updates delivered to your inbox every quarter? Subscribe to The Fine Print, CompassMSP's compliance newsletter for small and mid-sized business leaders who need to stay current without drowning in regulatory complexity.

FAQs: Where You Store Your CUI Data and What It Means for CMMC Compliance

What is Controlled Unclassified Information (CUI) and why does its location matter for CMMC compliance?

CUI refers to sensitive government-related data (engineering specifications, procurement records, export-controlled technical data) that is not classified but still requires protection under DFARS 252.204-7012 and NIST SP 800-171. Where CUI is stored, processed, and transmitted determines your CMMC assessment scope. The broader that footprint, the more systems an auditor must evaluate and the higher your compliance costs will be.

What is a CUI enclave and how does it reduce my CMMC audit scope?

A CUI enclave is a logically or physically isolated portion of your IT environment where all systems that touch CUI are confined. By concentrating your CUI handling into a defined boundary, you limit the number of systems, devices, and users that fall within CMMC scope, which directly reduces the complexity and cost of your C3PAO assessment. Industry guidance indicates that a well-scoped enclave can cut overall compliance costs by 40 to 60 percent compared to hardening your entire network.

What is the difference between a proprietary MSP enclave and a customer-owned enclave?

A proprietary MSP enclave is an environment built and hosted on the provider's own infrastructure. Your CUI lives on their servers, and you pay recurring fees to access it. A customer-owned enclave is built within your own cloud tenancy; you hold the credentials, the documentation, and the environment itself. The distinction has major implications for audit scope, vendor dependency, and what happens to your compliance posture if the provider relationship ends.

Why is storing my CUI on an MSP's servers a compliance risk?

When your CUI environment lives on an MSP's infrastructure, that provider's systems become part of your CMMC assessment scope. Your C3PAO will need to evaluate their environment as part of your certification. If the MSP changes its infrastructure, gets acquired, or shuts down, your compliance posture is at risk of disruption. The NeoSystems closure in May 2026, where hundreds of defense contractors were left without access to their CUI environments overnight, is the clearest recent example of this risk made real.

What happened to NeoSystems clients after the shutdown, and what does it mean for the industry?

NeoSystems terminated its entire CMMC workforce on May 1, 2026, with no advance notice and no transition plan. Clients who stored CUI in the proprietary NeoEnclave were left without a clear path to their data, compliance documentation, or a replacement provider. The cybersecurity and CMMC hosting divisions were not acquired, leaving those contractors in an emergency transition situation with DoD contract deadlines still on the clock. The shutdown illustrated precisely what happens when CUI ownership is in the hands of a vendor rather than the contractor.

How does vendor lock-in work in the context of CMMC hosting, and how do I avoid it?

Vendor lock-in in CMMC hosting occurs when your enclave is built on a provider's proprietary infrastructure rather than your own. Every service renewal, price increase, and contract negotiation happens from a position of dependency. Switching providers means migrating your CUI environment, which can trigger a new CMMC assessment, significant migration costs, and compliance continuity risk. Customer-owned enclaves avoid this entirely because the infrastructure, documentation, and certification belong to you rather than the provider.

Does the CMMC Final Rule require me to disclose how my CUI is hosted?

The CMMC Final Rule (32 CFR Part 170, effective December 16, 2024, with DFARS enforcement active as of November 10, 2025) does not dictate a specific hosting model, but it does require that your System Security Plan accurately describe your security environment, including any external service providers whose infrastructure is in scope. If an MSP hosts your CUI, that relationship and the provider's environment must be accounted for in your SSP and may expand your assessment scope.

How does a customer-owned enclave affect my C3PAO assessment?

A customer-owned enclave gives your C3PAO a clean, well-defined boundary to evaluate. Because the environment lives on your own cloud tenancy rather than inside shared MSP infrastructure, scope is tighter, evidence is easier to gather, and the audit is less likely to surface unexpected dependencies. Smaller, better-defined scope is one of the most consistent factors in lower audit costs and faster certification timelines.

What questions should I ask a CMMC provider before signing an agreement?

The most important questions are: Who owns the enclave environment: you or the vendor? Where does my CUI physically reside? What happens to my System Security Plan and compliance documentation if we end the relationship? Who holds administrative credentials and how do those transfer? Does your hosting model expand my CMMC audit scope? What is the explicitly documented offboarding process? If a provider cannot answer these questions with specificity, that is a material risk before you commit.

What is Phase 2 CMMC enforcement and how does it affect my timeline?

Phase 2 enforcement began in Q1 2026, and CMMC requirements are now appearing directly in DoD solicitations. Contractors who handle CUI must demonstrate the appropriate CMMC level as a condition of contract award. The November 2026 deadline is not a grace period; it is an active enforcement threshold. Defense contractors who have not yet built a defensible, well-scoped CUI enclave should treat the timeline as urgent.

Wesley Reinhart

Wesley is an experienced cybersecurity executive with a focus on Information Technology / Cybersecurity Lifecycle Management, Compliance, and Governance. Wesley leads our CMMC Program at CompassMSP.
