What is the Cuick Trac Managed Enclave?

The Cuick Trac Managed Enclave (CTME), at its core, is a Cloud Service Offering (CSO) that achieved FedRAMP Moderate Equivalency from a FedRAMP-recognized 3PAO. The Cuick Trac Managed Enclave is pre-configured and fully managed, and satisfies the technical requirements of NIST SP 800-171 Rev 2. Because Cuick Trac is a virtual enclave with defined technical boundaries, it allows for control of CUI data flows, as CUI never touches the OSC's (organization seeking certification) network or device. Cuick Trac's technology and compliance advisory support guides you towards compliance with DFARS 252.205-7012, NIST 800-171, and the CMMC 2.0 requirements. Cuick Trac was purpose built for businesses who lack the bandwidth and resources to implement and manage the required technical and security controls, required by the Federal Government for protecting CUI. The Defense Industrial Base (DIB) needs solutions that are affordable, practical and secure by default, that can also be implemented in a shorter amount of time.

How does the Cuick Trac Managed Enclave help me?

The purpose of Cuick Trac is to help businesses who currently work with, or want to do work with, the Department of Defense (DoD) and federal government to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), per the requirements in their contracts. Cuick Trac takes responsibility for 78% of the assessment objectives within NIST 800-171A/CMMC Level 2 assessment guides, and our team of compliance advisors guide our customers through the remaining 22%. This significantly decreases your Plan of Action and Milestones (POA&M) and internal responsibility burden for our customers.

Does Cuick Trac replace my MSP provider or internal IT team?

No. With CTME, our goal is to always work with as much of your current business processes that are already in place, including your current MSP or internal IT team. Disruption to your business is detrimental, thus a collaborative approach will be key in regard to how CUI data is collected, stored and accessed. As a FedRAMP Moderate Equivalent Cloud Service Offering (CSO) from a Cloud Service Provider (CSP), your MSP or internal IT team can leverage the CTME for your CUI program, lower the burden internally.

Is Cuick Trac another tool or software application?

No, Cuick Trac is not a software. Cuick Trac is a Cloud Service Offering (CSO) that is a fully managed virtual enclave/controlled environment on U.S. soil, managed only by U.S. persons. CTME has everything you need from a technology standpoint, to meet the requirements such as a SIEM, encryption at rest, encryption in transit (email and file transfer), patch management, secure back-ups, MFA and more. Unlike a single application or tool that does one or two of those requirements, Cuick Trac meets ALL technical controls for NIST 800-171 and CMMC Level 2.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) refers to unclassified information that is to be protected from public disclosure. The CUI designation replaces 'sensitive but unclassified' and other similar control markings. To learn more, download our ebook or see examples of CUI.

What is DFARS, NIST 800-171 and CMMC?

The DFARS 252.204-7012 clause says that if you handle Controlled Unclassified Information, you should have implemented NIST SP 800-171 no later than Dec 31, 2017. Since this deadline has passed and many defense organizations don't meet this current requirement, the DoD developed CMMC. Organizations within the DoD supply chain need a risk-based approach to become compliant, and more importantly, secure their environments where CUI is processed, stored and transmitted. NIST SP 800-171 is the National Institute of Standards & Technology (NIST) special publication providing 110 recommended security controls for protecting the confidentiality of CUI (Controlled Unclassified Information – a subset of CDI). The Cybersecurity Maturity Model Certification (CMMC) is the standard the Department of Defense (DoD) is using to verify the members of the Defense Industrial Base (DIB) fully meet their cybersecurity requirements, prior to contract awards.

What is an SPRS score, and how do I get one?

In September, 2020, the DoD released a new interim rule, approved by the Office of Management and Budget (OMB), that requires all contractors subject to DFARS 252.204-7012 within the DoD supply chain, to have an accurate assessment on record, prior to award. The interim rule becomes a bridge between the self-assessment process of DFARS 252.204-7012/NIST 800-171 and the CMMC certification process. The Supplier Performance Risk System (SPRS) is the official DoD system for recording these assessments. Your SPRS score is a numerical representation of your compliance status with NIST 800-171. The maximum score is 110, and a lower score indicates more controls are not yet implemented. You get one by completing a self-assessment and submitting it to the SPRS website.

Do I need a System Security Plan (SSP) and Plan of Actions and Milestones (POA&M) Before Utilizing Cuick Trac?

No. While you will need an SSP and POA&M for your CMMC Level 2 assessment, you do not need to have them completed before utilizing Cuick Trac. In fact, many of our customers utilize our compliance advisory services to help them complete their SSP and POA&M after they have deployed the Cuick Trac Managed Enclave. The CTME provides the technical controls and documentation that form the foundation of your SSP and significantly reduces the items on your POA&M.

What happens if I'm not compliant with DFARS/NIST 800-171?

If you are not compliant with DFARS 252.204-7012, you are in breach of contract with the DoD. This can lead to a variety of negative consequences, including the inability to bid on new contracts, loss of current contracts, and potential legal action. The CMMC framework is designed to ensure that all DIB companies are compliant, and non-compliance will eventually result in the inability to work with the DoD.

Who mandates these requirements?

The requirements are mandated by the Department of Defense (DoD) through the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which references NIST SP 800-171. The Cybersecurity Maturity Model Certification (CMMC) is the DoD's verification mechanism for ensuring compliance with these requirements.

We don't have a SIEM or any way to monitor events/incidents/breaches, does Cuick Trac do that?

Yes. Cuick Trac is a comprehensive solution that includes a Security Information and Event Management (SIEM) system as part of the managed enclave. The CTME includes everything you need from a technology standpoint to meet the requirements, including monitoring for events, incidents, and breaches, which is a critical control for NIST 800-171 and CMMC Level 2.

The CMMC Level 2 Objectives You Cannot Outsource

March 17, 2026

There is a dangerous misconception in the CMMC market.

That compliance can be fully outsourced.

Managed enclaves.
GRC platforms.
MSPs.

Many imply they can “handle everything.”

They cannot.

CMMC Level 2 is built on NIST SP 800-171. The 110 security requirements in NIST SP 800-171 are evaluated using the assessment objectives defined in NIST SP 800-171A. When fully expanded, those requirements total 320 assessment objectives.

It is at the objective level, not just the control level, where responsibility is measured during an assessment.

In the Cuick Trac Customer Responsibility Matrix, 56 of those 320 NIST assessment objectives require direct customer involvement.

That is 17 percent of the framework.

Even inside a fully managed enclave.

Those 56 break down into two categories:

35 Fully Customer-Owned objectives

21 Shared Responsibility objectives

The difference matters.

Tier 1: The 35 Objectives That Are Fully Customer-Owned

These objectives cannot be inherited.

They cannot be automated.

They cannot be transferred to a provider.

They represent governance, accountability, and organizational decision-making.

Below is the exact list from the CRM.

Access Control Governance

3.1.20[a], 3.1.20[b]
You must identify and document external systems connected to your CUI environment.

3.1.22[a–e]
You must control CUI posted or processed on publicly accessible systems.
This includes identifying authorized posters, reviewing content, and preventing improper disclosure.

No enclave controls your website.

Security Awareness & Training

3.2.1[a–d]
You must identify security risks and ensure managers and users understand applicable policies and procedures.

3.2.2[a–c]
You must define information security roles, assign them, and ensure personnel are trained accordingly.

3.2.3[a–b]
You must train personnel to recognize and report insider threat indicators.

Awareness is cultural. Not technical.

Personnel & Physical Controls

3.9.2[a]
You must ensure system access is terminated when personnel separate.

3.10.6[a–b]
You must define and protect alternate work locations.

Employment decisions and physical site governance remain yours.

Risk Assessment

3.11.1[a–b]
You must define and conduct your risk assessment process.

Tools provide data.
They do not determine risk tolerance.

System Security Plan & POA&M Ownership

This is where most confusion happens.

3.12.1[a–b]
Develop and maintain the System Security Plan.

3.12.2[a–c]
Develop and manage Plans of Action and Milestones.

3.12.3
Update plans as changes occur.

3.12.4[a–h]
Document system boundaries, roles, responsibilities, interconnections, and implementation details.

The SSP describes your system.

It is not your vendor’s document.

Tier 2: The 21 Shared Responsibility Objectives

Shared does not mean outsourced.

It means:

The enclave enforces technical safeguards.

The customer defines governance and intent.

Both sides must demonstrate evidence.

These 21 objectives require active participation from your organization.

User & Role Definition

3.1.1[a]
You identify authorized users. If you encounter a vendor with this AO as “inherited” on their CRM, run. You will fail your assessment. No one can identify who can access your CUI other than YOU.

Information Flow & Separation of Duties

3.1.3[a], 3.1.3[c–e]
You define CUI flow policies, sources, destinations, and authorization processes. You control where your CUI goes and how it gets there.

3.1.4[a–c]
You define and assign separation of duties for your personnel.

Identification & Authentication Governance

3.5.3[d]
Certain authentication responsibilities require customer involvement.

Incident Response

3.6.1[a–c], 3.6.1[g]
Establish and define your incident handling capability. A CUI incident can happen anywhere, not just where you authorize your CUI to be processed, stored and transmitted. The incident can be on your corporate network, your company LinkedIn page, or in the company mailroom.

3.6.2[a–f]
Track, document, and manage incidents. You are always legally responsible for the CUI provided to you through your contracts. Even when the incident occurs in a CSPs environment, the reporting, tracking and managing of the incident is your responsibility as the data custodian.

3.6.3
Test incident response capability.

Monitoring can be supported.
Escalation authority is yours.

Personnel Screening

3.9.1
Screen individuals prior to granting system access.

Why This 17% Changes the Conversation

Many providers market “fully managed CMMC.”

But the math does not support that claim.

Even in a mature managed enclave:

35 objectives remain entirely yours.

21 more require your governance participation.

56 total require customer involvement.

264 are fully inheritable.

CMMC Level 2 is not only technical enforcement.

It is organizational accountability.

During an assessment, an assessor will not ask:

“What tool do you use?”

They will ask:

Who approves policies?

Who defines authorized users?

Who conducts risk assessments?

Who maintains the SSP?

Who controls public information exposure?

If the answer is “our tool handles that,” you have a problem.

If the answer is:

A named individual

A defined process

Documented governance

Demonstrable participation

You are defensible.

How Cuick Trac Makes the 17% Manageable

Cuick Trac does not claim to eliminate customer responsibility.

We define it clearly before assessment ever begins.

Inside the Cuick Trac Customer Responsibility Matrix:

Fully inheritable objectives are clearly documented.

Shared responsibilities are intentionally structured.

Fully customer-owned requirements are identified early.

Governance boundaries are mapped before certification.

We do not blur the line between technology and accountability.

Because compliance rarely fails due to missing tools.

It fails due to unclear ownership.

The organizations that succeed at CMMC Level 2 are not the ones who try to outsource responsibility.

They are the ones who understand it, structure it, and operate it.

If you want clarity on where your responsibilities truly begin and end inside a managed enclave model, we can walk you through it.

Schedule a Demo

NIST SP 800 171 Compliance Guide: Master NIST Framework

March 23, 2026

Compliance Contractors Guide: Navigating FAR, DFAR, ITAR & EAR

March 15, 2026

The CMMC Level 2 Objectives You Cannot Outsource

Tier 1: The 35 Objectives That Are Fully Customer-Owned

Access Control Governance

Security Awareness & Training

Personnel & Physical Controls

Risk Assessment

System Security Plan & POA&M Ownership

Tier 2: The 21 Shared Responsibility Objectives

User & Role Definition

Information Flow & Separation of Duties

Identification & Authentication Governance

Incident Response

Personnel Screening

Why This 17% Changes the Conversation

How Cuick Trac Makes the 17% Manageable

NIST SP 800 171 Compliance Guide: Master NIST Framework

Compliance Contractors Guide: Navigating FAR, DFAR, ITAR & EAR

Get a 30-Minute Demo From a Cuick Trac Product Expert

Stay Updated. Stay Secure.

Quick Links

Guides

Resources

Socials

The CMMC Level 2 Objectives You Cannot Outsource

Tier 1: The 35 Objectives That Are Fully Customer-Owned

Access Control Governance

Security Awareness & Training

Personnel & Physical Controls

Risk Assessment

System Security Plan & POA&M Ownership

Tier 2: The 21 Shared Responsibility Objectives

User & Role Definition

Information Flow & Separation of Duties

Identification & Authentication Governance

Incident Response

Personnel Screening

Why This 17% Changes the Conversation

How Cuick Trac Makes the 17% Manageable

NIST SP 800 171 Compliance Guide: Master NIST Framework

Compliance Contractors Guide: Navigating FAR, DFAR, ITAR & EAR

Stay Updated. Stay Secure.

🍪 We Use Cookies