CMMC Technical Architecture & Audit-Ready Deliverables

The single biggest decision in a CMMC Level 2 engagement is whether to harden the entire corporate network to 800-171 or to fence Controlled Unclassified Information into an enclave. The enclave pattern reduces the CMMC assessment boundary by 40 to 60 percent in most engagements Petronella has scoped, which compresses both the remediation budget and the C3PAO assessment hours.

What the enclave actually looks like

A CMMC CUI enclave is a logically isolated workspace where every user who touches CUI does the work. The enclave has its own identity boundary, its own device baseline, its own logging, its own network egress controls, and its own physical or virtual perimeter. Two architectures dominate.

Pattern A. Virtual desktop infrastructure on GCC High

Users access CUI through Windows 365 Cloud PC or Azure Virtual Desktop hosted in GCC High. Endpoints are kept clean. CUI never lands on the corporate laptop. Cost lands in the $300 to $700 per user per month range for the underlying Microsoft licensing and infrastructure, before Petronella professional services.

Pattern B. Dedicated physical or virtual workstations

A small CUI team gets dedicated GCC High workstations that never leave the enclave. Useful when a specific engineering function (CAD, weapons-system data, ITAR technical data) needs local compute and the VDI latency is unacceptable. Higher per-user capex, lower ongoing licensing.

Why GCC High and not GCC or commercial

Commercial M365 cannot legally hold DoD CUI under DFARS 252.204-7012 in most scopes because of data-sovereignty and personnel-screening requirements. Government Community Cloud (GCC) is closer but still does not satisfy ITAR. Government Community Cloud High (GCC High) is the cloud Microsoft purpose-built for the defense industrial base with US-citizen personnel, sovereign data residency, and FedRAMP High plus DoD IL4 and IL5 baselines. For most regulated defense suppliers, the GCC High decision is binary.

What we hand to the C3PAO

• An assessment-boundary diagram with the enclave clearly delineated
• The Conditional Access policy set scoped to the enclave
• The Intune device baselines (CIS or DoD STIG aligned)
• The Defender for Endpoint device-onboarding evidence
• Network egress logs showing the enclave is not exfiltrating CUI to the corporate side
• A CUI flow narrative inside the SSP that the assessor can validate against system behavior

CMMC is not a one-time project. The certification is valid for three years, but the evidence underneath has to keep flowing. Petronella offers two operating models after Stage 3 (Evidence) wraps and your C3PAO assessment is on the calendar.

Model 1. Co-managed CMMC operations

Your internal IT or compliance lead owns the day-to-day. Petronella owns the architecture, the SSP, the POA&M, the SIEM tuning, and the quarterly evidence reviews. Best fit when you have a security-aware internal team and want to retain control of operational decisions.

• Quarterly evidence-quality review (4 hours)
• Quarterly POA&M reconciliation
• Annual SSP refresh, semi-annual tabletop drill
• SIEM analytics-rule tuning, monthly
• Incident-response on-call (4-hour acknowledgement SLA)

Model 2. Fully managed CMMC operations

Petronella runs the regulated stack end-to-end. Your team focuses on delivering the contract; we keep the controls alive. Best fit for sub-50-person defense suppliers who do not have the headcount for a dedicated security engineer.

• 24x7 monitored SIEM with hybrid AI plus human analyst tiers
• Identity and Conditional Access policy ownership
• Intune baseline ownership and quarterly drift reviews
• Evidence collection automation; assessor-ready repository at all times
• Incident response retainer with DFARS 252.204-7012 reporting integration

Service-level commitments

• Incident acknowledgement: 30 minutes for SIEM-detected critical events, 4 hours for client-reported events.
• DFARS 72-hour reporting: incident assessment, DC3 reporting evidence, and contract-officer notification packaged within the 72-hour clock.
• SSP and POA&M turnaround: initial revision within 5 business days of a request, annual full refresh.
• Evidence-repository freshness: control evidence updated quarterly or after any qualifying environment change.
• Recertification window: readiness review 6 months before three-year certification expiry, full reassessment support included.

For organizations that also want documentation-platform tooling alongside Petronella's deployment, see how ComplianceArmor automates SSP, POA&M, and policy-set generation against the same control library.

The integration pattern keeps inference, vector storage, retrieval, and prompt logs entirely inside the CMMC assessment boundary. No public API calls. No CUI sent to a vendor. Audit logging into the same Sentinel workspace the C3PAO will review. Identity tied to the same Entra ID and Conditional Access that gate the rest of the enclave.

Components we wire in

• On-prem or sovereign-cloud GPU inference (NVIDIA reference channels through approved partner programs)
• Vector store with CUI-aware access control inheriting from SharePoint or Purview labels
• Retrieval pipeline that respects document labels and refuses to surface labeled CUI to unauthorized users
• Full prompt and completion logging to the SIEM, tagged for AU.L2-3.3.x evidence

For the broader AI services lineup, see our private AI hub or the deliverable-level AI services hub. For how AI fits the rest of the security program, see our cybersecurity services.