March 5, 2026

    Sharetru and CUI Enclaves: Control the Edge, Control the Scope

    16:01

    Two weeks ago, we launched a set of controls designed to keep files inside a defined boundary — view-only access, dynamic watermarking, and granular folder permissions. At the end of that post, we introduced a term you may (or may not) be familiar with: CUI enclave.

    If you’re a DoD contractor, or an IT/Security leader trying to get your arms around controlled unclassified information, this post is the deeper dive you’ve been waiting for with some helpful hints on where Sharetru fits in.

    First, Let’s Define CUI

    Controlled Unclassified Information (CUI) lives in that frustrating middle ground: it’s not "classified," but it’s also not “safe to email around." Formally, CUI is information that "requires safeguarding or dissemination controls" under applicable law, regulation, or government-wide policy — but is not classified under Executive Order 13526 or the Atomic Energy Act of 1954 (as amended).

    To bring consistency to what used to be a patchwork of agency labels (FOUO, SBU, etc.), the federal government established the CUI Program through Executive Order 13556. The Order applies across the Executive Branch and designates the National Archives and Records Administration (NARA) as the Executive Agent responsible for implementation and oversight. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).

    ISOO then issued 32 CFR Part 2002 to put the CUI Program into enforceable policy—covering how agencies designate, safeguard, disseminate, mark, decontrol, and dispose of CUI, plus self-inspection and oversight requirements. And this isn’t “just a federal agency problem”: the rule impacts any organization that handles, possesses, uses, shares, or receives CUI—or that operates, uses, or has access to federal information and information systems on behalf of an agency.

    How do you know something is CUI in practice?

    Think of it as a 3-part test:

    1. Is it in scope for the CUI program?
      It’s government information (created/possessed by the government), or information your organization holds for/on behalf of the government.
    2. Does it match an approved CUI category?
      CUI markings are only supposed to be used for information types/categories that appear in the CUI Registry (and those registry entries tie back to the legal/policy “authority” that makes it CUI).
    3. Has it been designated/identified as CUI by the right party?
      In the real world, you typically “know” it’s CUI because it’s marked (banner/footer + designation block) or otherwise identified in the contract / task order / data deliverables instructions.

    For DoD contractors specifically (the CDI overlap)

    If you’re in the defense supply chain, you often encounter CUI through the lens of Covered Defense Information (CDI) under DFARS 252.204-7012 — which references information described in the CUI Registry and that is marked or otherwise identified in the contract.

    What is a CUI Enclave?

    A CUI enclave is a defined, bounded environment where CUI is stored, processed, and shared — and where the controls governing that environment are well-documented, consistently enforced, and scoped specifically for CUI handling.

    The word “enclave” is doing a lot of work here. It’s not just a metaphor for “a secure folder.” In the CMMC and NIST SP 800-171 context, an enclave represents a deliberate architectural decision: you’re drawing a hard line around the systems and services that handle CUI, and you’re applying a specific set of controls to everything inside that line.

    Why does that matter? Two reasons:
    • Scope reduction. Every system that touches CUI is in scope for CMMC assessment. If CUI sprawls freely across your environment — in email, in file shares, on laptops, in personal cloud drives — your entire organization becomes the assessment boundary. That dramatically increases the complexity, cost, and risk of your CMMC program. An enclave lets you draw the line around a limited, well-controlled environment and defend that boundary instead of the whole enterprise.
    • Defensible oversight. When CUI lives inside a bounded enclave, you can point to specific technical controls and demonstrate exactly how handling is governed. That’s the difference between “we think it’s secure” and “here’s our documented control surface.” Auditors, assessors, and authorizing officials need the latter.

    What Controls Define an Enclave?

    A CUI enclave isn’t just a label you apply to a server room or a SaaS folder. It’s a set of enforceable properties that the environment must actually demonstrate. While the exact requirements depend on your specific regulatory framework, a functional CUI enclave generally needs:

    Control property, and what it means in practice:

    Access control
      Only authorized users can enter the enclave. Authentication, role-based permissions, and least-privilege access are enforced at the platform level.

    Constrained handling
      Users can work with CUI but cannot export it without authorization. View-only access, download restrictions, and DLP controls prevent unmanaged copies from leaving the boundary.

    Audit logging
      Every action taken inside the enclave — who accessed what, when, and what they did — is logged and retained. This is non-negotiable for accountability under NIST SP 800-171 and CMMC.

    Non-repudiation
      Actions are tied to specific identities. If a document leaves the enclave through unauthorized channels, you can trace it to the event and the individual. Watermarking is a key tool here.

    Defined operating boundary
      The enclave exists within a known, documented system boundary. For cloud-based enclaves, this typically means operating within an authorized environment (e.g., FedRAMP Moderate or High).

    Incident response capability
      The enclave operator can detect anomalous behavior, respond to incidents, and demonstrate that deviations from policy are identified and addressed.

    Why Most Organizations Don’t Have One (Yet)

    The uncomfortable reality for most defense contractors and federal supply chain participants is that CUI is everywhere in their environment, and nowhere is it actually controlled.

    CUI arrives in email. It gets saved to a shared drive. Someone downloads it to a laptop. Someone else sends it via a personal account because the file was too big for corporate email. A vendor requests it over a consumer file-sharing service. Before long, you have dozens of untracked copies living in environments with no consistent controls and no audit trail.

    This is what the CMMC scoping guidance refers to when it talks about CUI scope expansion. Every system that touches CUI is in scope — and every uncontrolled copy of a CUI document is a system that touched it. If you haven’t drawn a hard boundary around your CUI handling, you’ve implicitly put your entire IT environment in scope for assessment.

    A CUI enclave solves this by making the boundary explicit and enforceable. Instead of “CUI lives somewhere in our environment,” you can say “CUI lives here, handled by these specific controls, accessible only to these authorized users.” That’s a statement you can take into an assessment.

    How Sharetru Functions as a CUI Enclave

    With the release of view-only access, dynamic watermarking, and granular folder permissions, Sharetru now delivers each of the enclave properties described above as a managed, documented control surface.

    Here’s how each piece maps:

    Constrained Handling: View-Only Access

    View-only access in the Sharetru web app means users can read documents without downloading them. View-only share links extend that enforcement to external recipients. No download, no copy, no save. The file stays inside the boundary. This is the single most important control for limiting CUI scope expansion — if files can’t be routinely exported, they can’t routinely end up on uncontrolled endpoints.

    CMMC / NIST 800-171 tie-ins:

    • AC.L2-3.1.3 – Control CUI Flow (this is the big one)
    • AC.L2-3.1.2 – Limit system access to permitted functions (view vs. download is a “permitted function” decision)
    • AC.L2-3.1.1 – Authorized access
    • Often paired with: AC.L2-3.1.10 / 3.1.11 – Session lock / termination for browser sessions

    Dynamic Watermarking

    Every document viewed in Sharetru Federal is stamped with a session-unique watermark that includes viewer identity and a traceable token. The placement is randomized, resistant to image-subtraction attacks, and persists in screenshots. If a document appears outside the enclave, you can identify the session it came from. This closes the accountability gap that most view-only implementations leave open.

    CMMC / NIST 800-171 tie-ins:

    • AU.L2-3.3.2 – User Accountability
    • AU.L2-3.3.1 – System Auditing (log + traceability story gets tighter)
    • IR.L2-3.6.1 – Incident Handling (detection/analysis/containment benefits from traceability)
    • IR.L2-3.6.2 – Incident Reporting (track/document/report with defensible detail)
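    To make the accountability story concrete, here is an added example (not Sharetru's code; the page does not describe Sharetru's actual token format) of how a session-unique watermark token can be issued and, during incident handling, resolved back to the viewer and session. It also illustrates the audit-logging and non-repudiation rows of the control table above. The HMAC-based token derivation, the class names and SERVER_KEY are all assumptions for the example.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical server-side key (constructed for this example); a real service
# would keep it in a KMS/HSM and rotate it, never embed it in source.
SERVER_KEY = b"constructed-demo-key"


@dataclass
class AccessEvent:
    """One audit-log record: who viewed which document, in which session, when."""
    token: str
    user: str
    document: str
    session_id: str
    timestamp: str


@dataclass
class WatermarkRegistry:
    """Issues session-unique watermark tokens and keeps the audit trail needed
    to resolve a token recovered from a leaked copy back to the access event."""
    events: dict = field(default_factory=dict)

    @staticmethod
    def _derive(user, document, session_id, timestamp):
        # Token = truncated HMAC over the identity tuple: cannot be forged without
        # the server key, and differs per session even for the same viewer/document.
        msg = f"{user}|{document}|{session_id}|{timestamp}".encode()
        digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
        return base64.b32encode(digest[:10]).decode().rstrip("=")

    def issue(self, user, document, session_id, timestamp):
        token = self._derive(user, document, session_id, timestamp)
        self.events[token] = AccessEvent(token, user, document, session_id, timestamp)
        return token

    def watermark_text(self, token):
        # The string stamped on every rendered page: viewer identity plus the token.
        ev = self.events[token]
        return f"{ev.user} {ev.timestamp} {token}"

    def resolve(self, recovered_token):
        """Incident handling: map a token read off a leaked page to its logged event."""
        ev = self.events.get(recovered_token)
        if ev is None:
            return None
        # Re-derive the HMAC so a log entry that no longer matches its token is rejected.
        expected = self._derive(ev.user, ev.document, ev.session_id, ev.timestamp)
        return ev if hmac.compare_digest(expected, recovered_token) else None
```

    Two views of the same document by the same user in different sessions produce different tokens, so a leaked page identifies the session, not just the person.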

    Access Control: Granular Folder Permissions

    Folder-level permissions give administrators precise control over who can create, modify, or delete folders — in addition to who can read or write files. For organizations managing CUI across multiple projects, contracts, or clearance levels, this means the folder structure itself becomes an enforceable access boundary, not just an organizational convention.

    CMMC / NIST 800-171 tie-ins:

    • AC.L2-3.1.1 – Authorized access
    • AC.L2-3.1.2 – Limit permitted functions/transactions
    • AC.L2-3.1.5 – Least Privilege
    • AC.L2-3.1.4 – Separation of Duties (when roles are split across admin functions)
    • AC.L2-3.1.7 – Privileged Functions (prevent non-privileged users from doing admin-grade actions)
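    As an added example (not Sharetru's implementation; the page does not describe how its permission model is evaluated), the following shows what it means for a folder tree to act as an enforceable access boundary: file rights and folder rights are granted separately, access is denied by default, the nearest explicit grant on the path or an ancestor wins, and an assessor-facing helper lists exactly who can reach a given folder. The right names, the FolderAcl class and the sample grants are constructed for this illustration.

```python
from dataclasses import dataclass, field

# Rights are split the way the post describes them: file-level and folder-level
# rights are granted independently, so a user who can write files in a project
# folder still cannot restructure or delete that folder.
FILE_RIGHTS = {"read_file", "write_file"}
FOLDER_RIGHTS = {"create_folder", "modify_folder", "delete_folder"}


@dataclass
class FolderAcl:
    """Folder-scoped ACL: grants[path][principal] is a set of rights.
    Deny by default; the nearest explicit grant on the path or an ancestor wins,
    so a narrower grant on a subfolder overrides a broader one above it."""
    grants: dict = field(default_factory=dict)

    def effective_rights(self, principal, path):
        parts = [p for p in path.strip("/").split("/") if p]
        # Walk from the folder itself up to the root, stopping at the first grant.
        for depth in range(len(parts), -1, -1):
            folder = "/" + "/".join(parts[:depth])
            acl = self.grants.get(folder, {})
            if principal in acl:
                return set(acl[principal]) & (FILE_RIGHTS | FOLDER_RIGHTS)
        return set()

    def is_allowed(self, principal, path, right):
        return right in self.effective_rights(principal, path)

    def who_can(self, path, right):
        """Assessment evidence: every principal holding `right` on `path`, i.e.
        the population you must defend as that folder's authorized users."""
        principals = {p for acl in self.grants.values() for p in acl}
        return sorted(p for p in principals if self.is_allowed(p, path, right))
```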

    Defined Operating Boundary: FedRAMP Authorization

    Sharetru Federal operates within a FedRAMP Moderate authorized boundary — a continuously monitored, government-reviewed environment that provides the documented operating foundation an enclave requires. FedRAMP authorization means the environment itself has been assessed against NIST SP 800-53 controls, providing a baseline that maps directly to CMMC and NIST SP 800-171 requirements.

    CMMC / NIST 800-171 tie-ins (where FedRAMP helps):

    • CA.L2-3.12.4 – System Security Plan (boundaries, environment, connections, responsibility split)
    • CA.L2-3.12.3 – Security Control Monitoring (continuous monitoring story gets stronger with inherited evidence)
    • CA.L2-3.12.1 – Security Control Assessment (ongoing assessment posture)
    • Common technical overlap areas (still shared-responsibility): SC.L2-3.13.1 (Boundary Protection), SC.L2-3.13.8 (Data in Transit), SC.L2-3.13.16 (Data at Rest)

    The CMMC Scoping Implication

    This is where the enclave model pays the most immediate dividend for CMMC Level 2 and Level 3 organizations.

    Under the CMMC scoping guidance, the assessment scope includes all assets that store, process, or transmit CUI. If you can demonstrate that CUI is isolated within a defined enclave — and that the enclave enforces constrained handling, access control, and audit logging — you have a credible argument for limiting your assessment scope to that enclave rather than your entire IT environment.

    This matters because the alternative — treating your entire enterprise as in-scope — is expensive, operationally complex, and often impractical for small and mid-sized defense contractors. A well-architected enclave strategy lets you meet the requirements where they apply and defend that decision to an assessor.

    Sharetru’s control set — view-only enforcement, identity-bound watermarking, granular permissions, access logging, and a FedRAMP-authorized operating environment — is designed precisely to support this scoping conversation. It gives you a platform you can point to and say: “This is where CUI is received, shared, and transferred. This is how it’s handled. These are the controls.”

    Where Sharetru fits: the CUI edge, not the collaboration core

    In most environments, Sharetru isn’t where CUI gets edited. There’s no real-time coauthoring and no native document collaboration and editing space. So if someone needs to work a file, they’re going to move it somewhere else.

    That’s why the clean way to think about Sharetru is as the edge of the boundary — the ingress/egress layer. It’s the place you route CUI through when it needs to cross an organizational line (vendors, customers, subs, auditors), and it’s where you enforce the controls that keep “file sharing” from turning into uncontrolled exfiltration.

    In a Microsoft GCC / O365 World

    If GCC is where people actually collaborate (SharePoint/OneDrive/Teams), then the workflow is straightforward:

    Inbound (external → Sharetru):
    1. The vendor uploads to Sharetru by authenticating to the web application, over SFTP, or through a share link.
    2. You download the file into GCC storage (SharePoint/OneDrive) for internal work.
    3. Sharetru keeps the chain-of-custody clean: who uploaded it, who accessed it, when, from where.
    Outbound (Sharetru → external):
    1. You produce the deliverable inside GCC (where the editing happens).
    2. You push the “final” or “shareable” artifact out through Sharetru.
    3. If you don’t want unmanaged copies floating around, Sharetru enforces view-only and dynamic watermarking at the moment of access.

    The key idea: GCC is the document collaboration workspace. Sharetru is the controlled transfer surface. You can show the gate CUI passed through to leave or enter.

    If you're not on GCC (or you don’t want CUI living in O365)

    Same edge concept, but with a different "Core."

    • Sharetru still handles external exchange (inbound/outbound).
    • CUI moves from Sharetru into whatever your actual enclave workspace is: VDI, an internal file server, a controlled private cloud repo, a PLM/ERP system, etc.

    Again: Sharetru isn’t the place people collaborate. It’s the transfer boundary that keeps CUI exchange from becoming inauditable.

    What This Means for Your 2026 Compliance Posture

    CMMC enforcement is accelerating. Third-party assessments by C3PAOs (CMMC Third-Party Assessment Organizations) are now a requirement for Level 2 contracts, and the DoD has been clear that self-attestation alone is no longer sufficient for most defense contractors handling CUI.

    If you’re preparing for a CMMC Level 2 assessment — or simply trying to get your CUI handling to a defensible standard before enforcement reaches your contracts — the enclave model is the most practical architectural path forward. It lets you:

    The Bottom Line

    A CUI enclave isn’t a product — it’s an architectural posture. But it requires a platform with the right controls to make it real. View-only access stops unmanaged copies from leaving the boundary. Dynamic watermarking creates accountability at the moment of access. Granular permissions enforce least privilege at the folder level. FedRAMP authorization provides the documented operating foundation.

    Together, these become more than just security functionality. They’re the components of a defensible CUI enclave you can take into a CMMC assessment with confidence.

    Ready to see Sharetru’s CUI enclave capabilities in action?

    If you're a current customer, contact us at support@sharetru.com or visit the Sharetru portal to get started. If you're a new potential customer, click here to meet with us to get started.

    Tag(s): CMMC , Compliance , CUI , CUI Enclave

    Derek Webb

    Derek has grown with Sharetru for more than two decades. Starting in the early days, he has been directly involved in designing, running, and hardening the Infrastructure systems behind the platform. He leads with a practical, operations-first mindset, focused on keeping critical systems reliable under real-world...
