Inheriting Controls: Using a Compliant Enclave or Managed Service
You do not have to implement every control yourself. A compliant enclave, a managed service provider, or a cloud platform can satisfy parts of NIST SP 800-171 on your behalf, provided you do the diligence that makes relying on them defensible to an assessor.
How inheritance works
When a provider operates a control, you inherit the result but remain accountable for the requirement: if the control fails, it is your assessment and your contract that are affected. The provider's shared responsibility matrix (often called a Customer Responsibility Matrix, or CRM) states which controls they cover, which you cover, and which are shared. A shared row is not an inherited row; you still have to implement and document your portion of it.
Diligence before you rely
- Get the CRM in writing and map every 800-171 requirement you claim as inherited to the row that covers it; treat anything the CRM does not explicitly list as yours.
- Confirm the service is authorized to handle CUI. For cloud services that store, process, or transmit CUI, DFARS 252.204-7012 requires a FedRAMP Moderate authorization or equivalency, so that is the common bar.
- Verify the provider accepts the DFARS 7012 flow-down, including the 72-hour cyber incident reporting, malicious software submission, and media preservation obligations in paragraphs (c) through (g). A provider that cannot report to you within that window puts your own reporting deadline at risk.
- Keep evidence of the inheritance (the signed CRM, the authorization or equivalency documentation, the contract language). Your assessor will ask how you know the control is met, not just who you believe is responsible for it.
The enclave strategy
Routing all CUI into a purpose-built, compliant enclave lets you inherit a large share of the technical controls and keep the rest of your business out of scope. It is more upfront design, but it usually shrinks both the assessment and the long-term maintenance burden. The reduction only holds if CUI genuinely stays inside the boundary: the endpoints used to reach the enclave, the identity system that gates access to it, and any tool that provides it security services (logging, endpoint protection, backup) remain in scope, and a single CUI attachment forwarded to corporate email pulls that mail system back in. Document the data flows and the boundary controls that enforce them, because the assessor will test the boundary rather than take it on description.
The Verdict Forum publishes educational guidance, not legal or compliance advice. Confirm requirements against the authoritative sources and your assessor before acting.