2026 DoD Secure Enclave Guidance Validates Data-Centric Security for CMMC

By Juan Salinas


    For defense contractors pursuing CMMC Level 2 certification, the concept of the "Secure Enclave" is the gold standard. It represents a walled garden where Controlled Unclassified Information (CUI) lives, safe from the open internet and unauthorized users.

    But in the Defense Industrial Base (DIB), business doesn’t happen in a vacuum. You have to email partners, share files with subcontractors, and collaborate with government agencies. The challenge has always been: How do you share CUI out of your secure enclave without breaking compliance or expanding your audit scope?

    Recent guidance from the Department of Defense (specifically CMMC FAQ Rev 2.2) has provided much-needed clarity on this issue, and it validates a data-centric approach to security — the exact architecture Virtru is built on.

    Here is how the new guidance impacts your secure enclave strategy and how Virtru helps you stay compliant. For more detail on how Virtru supports CMMC Level 2 compliance according to these updated standards, download our datasheet, Supporting CMMC Level 2 Certifications with Data-Centric Security.


    Clarification from the DoD on Encryption, Scope, and Logical Separation

    The recent CMMC FAQ Rev 2.2 reinforces a clear path for secure collaboration. The DoD clarified four major principles regarding CUI data flows:

    1. Encrypted CUI is Still CUI: Encryption does not "de-control" data. If a file contains CUI, it remains in scope for assessment, even when encrypted.
    2. Encryption Alone Does Not Equal Separation: You cannot simply encrypt a file and claim it is out of scope. The DoD requires "Logical Separation" to safeguard that data.
    3. Logical Separation is the Key: Properly encrypted CUI can traverse systems that are otherwise out-of-scope, provided there is adequate logical separation. This may include access controls, key management, and policy enforcement.
    4. The FedRAMP Requirement: If you use cloud services to store or process this CUI, those services must be FedRAMP Moderate authorized (or equivalent).

    How Virtru Extends the Secure Enclave

    Virtru allows you to share CUI via email and file transfer while satisfying the DoD’s definition of "Logical Separation." By treating the data object as its own secure enclave (hosted on a FedRAMP authorized cloud, with encryption and granular access control applied), you can allow data to travel outside your network boundaries without losing control.

    Here is how Virtru aligns with the new FAQ guidance:

    1. FedRAMP Moderate Authorization

    The guidance is clear: Cloud services storing CUI must meet FedRAMP Moderate standards. Virtru for Email and Virtru Secure Share utilize a FedRAMP Moderate authorized cloud environment. This satisfies DFARS 252.204-7012 and CMMC requirements for cloud services, meaning you don’t need to implement separate FedRAMP controls for the Virtru environment itself. It’s important to note that there’s a big difference between “FedRAMP equivalent” and “FedRAMP authorized” in terms of how much risk you’re assuming.

    Recommended Reading: Feedback From the Front Lines: Where 'FedRAMP Equivalent' Falls Short

    2. Split-Knowledge (Zero Trust) Architecture

    The DoD requires that you demonstrate adequate protection for CUI at all times. Virtru employs a "Split-Knowledge" architecture. While encrypted CUI files may be stored in Virtru’s FedRAMP cloud, the encryption keys are managed separately.

    The result is that Virtru (the vendor) cannot decrypt, view, or access your plaintext CUI. This creates the distinct "Logical Separation" the DoD looks for. It ensures that CUI remains unusable to unauthorized parties, effectively reducing risk without introducing uncontrolled third-party access.

    Recommended Reading: Why We Should Give a $@*# About Secure Cloud Computing

    Practical Application: Email and File Sharing

    How does this look in practice when your teams are working?

    Secure Email (Virtru for Email):

    When you send a proposal or schematic via an email attachment, Virtru encrypts the file containing CUI and stores it in the FedRAMP Moderate cloud. The recipient must authenticate (via Google/Microsoft credentials) to view it.

    • CMMC Value: This prevents uncontrolled dissemination. CUI never sits unencrypted in a recipient's insecure inbox. Rather, the file remains in a FedRAMP authorized cloud environment where the recipient must securely authenticate with their Google or Microsoft credentials to gain access. This supports NIST SP 800-171 controls regarding Access Control (AC) and System and Communications Protection (SC).

    Secure File Transfer (Virtru Secure Share):

    For larger files, Secure Share offers a controlled environment for collaboration. Files are encrypted individually, and you retain the ability to revoke access or audit activity at any time.

    • CMMC Value: You can collaborate with partners without bringing their systems into your assessment scope. The data remains encrypted and unusable outside of the authorized session, and access controls can limit CUI files from being downloaded or forwarded.

    The Ultimate Separation: Private Keystore

    For organizations looking to demonstrate the highest level of logical separation — particularly for strict interpretations of the new guidance — there’s Virtru Private Keystore. This allows you to host your own private encryption keys on-premises, in an HSM, or in a private cloud.

    • CMMC Value: By physically and logically separating the keys (which you hold) from the encrypted content, you ensure that no request to access data — not even a government subpoena to the cloud provider — can result in data exposure without your involvement.
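The following Python sketch is an added illustration of the split-knowledge model described above and of the customer-held keys behind Private Keystore; it is not Virtru's code. The class names, the HMAC-based stand-in cipher (used in place of a vetted AEAD such as AES-GCM so the example needs only the standard library) and the sample recipient identities are assumptions. Ciphertext lives in one store and keys plus access policy in another, so the content host alone can never produce plaintext, and revocation takes effect at the key store.

```python
import hashlib
import hmac
import secrets

# Toy AEAD stand-in for AES-GCM built from stdlib HMAC-SHA256 (assumption: keeps the
# example dependency-free; a real deployment would use a vetted AEAD).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")  # tampered blob or wrong key
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class ContentStore:
    """Vendor-hosted store (hypothetical): holds ciphertext only, never a key."""
    def __init__(self): self.blobs = {}
    def put(self, oid, blob): self.blobs[oid] = blob
    def get(self, oid): return self.blobs[oid]

class KeyStore:
    """Separately held keys plus access policy (hypothetical); may be customer-hosted."""
    def __init__(self): self.keys, self.policy = {}, {}
    def register(self, oid, key, recipients):
        self.keys[oid], self.policy[oid] = key, set(recipients)
    def revoke(self, oid, recipient): self.policy[oid].discard(recipient)
    def release(self, oid, identity):
        # The policy check lives here, so holding the content store grants nothing.
        if identity not in self.policy.get(oid, ()):
            raise PermissionError(f"{identity} is not authorized for {oid}")
        return self.keys[oid]

def share(content, keys, oid, plaintext, recipients):
    dek = secrets.token_bytes(32)          # per-object data encryption key
    content.put(oid, encrypt(dek, plaintext))
    keys.register(oid, dek, recipients)

def open_as(content, keys, oid, identity):
    return decrypt(keys.release(oid, identity), content.get(oid))
```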

    CMMC Level 2 with Virtru: Maya HTT’s Success Story

    Virtru’s CMMC customers are continually passing their C3PAO assessments for CMMC Level 2. One recent example is Maya HTT, a 3D simulation software engineering company that works closely with enterprise customers as well as government agencies in the U.S. and Canada.

    Here’s a clip from a recent conversation with Maya HTT’s CISO, Jonathan Bieber, in which he describes their path to achieving a perfect SPRS score on their first CMMC assessment.

    Effective CUI Governance for CMMC

    The new DoD guidance affirms that compliance isn't just about where data sits; it must also account for how data is controlled. By combining FedRAMP Moderate authorization with strong, data-centric encryption and split-knowledge key management, Virtru enables you to extend the security of your enclave to wherever your business takes you.

    Ready to align your external communication with CMMC Level 2? Book a demo with our team to learn more.

    Juan Salinas

    Juan is the Manager of Solutions Engineering at Virtru. As a Solutions Engineering leader, he's spent his career helping teams and customers translate complexity into clarity. His work centers on making data protection practical, translating complex security, privacy, and compliance requirements into solutions that enable trust, collaboration, and scale.
