How MSPs can build a scalable CMMC Level 2 Azure Virtual Desktop enclave before Phase 2

Tony Cai | June 26, 2026 | 9 min read

The numbers are stark, and the opportunity is real 

The Defense Industrial Base comprises somewhere between 220,000 and 300,000 companies, and DoD estimates indicate that roughly 80,000 of them will need CMMC Level 2 certification. As of early 2026, fewer than 1,100 organizations had achieved final Level 2 certification, and only 103 certified third-party assessment organizations (C3PAOs) were authorized to conduct those assessments at the time of this writing. C3PAOs are already booking 6–9 months out, with some projecting backlogs stretching into 2027 and beyond.

That math is your business case. 

Phase 2 enforcement begins November 10, 2026. Beginning in Phase 2, DoD intends to require Level 2 C3PAO certification for applicable solicitations and contracts involving CUI, although the required assessment type is specified in each solicitation and DoD may delay some certification requirements to an option period. If a solicitation requires Level 2 C3PAO status and a contractor lacks the required current CMMC status and affirmation in SPRS, they are not eligible for award. For MSPs who serve the Defense Industrial Base, this is the most concrete, deadline-driven compliance opportunity in years. 

Why CMMC has been hard to build a practice around... until now 

CMMC was announced in 2019. It was revised, delayed, and re-announced so many times that “CMMC is finally happening” became a running joke. That changed on November 10, 2025, when the DFARS final rule took effect. CMMC can now appear as a contractual award condition in active solicitations and contracts. The contractors who were watching and waiting are now scrambling. 

This matters for your practice-building calculus. Prior CMMC pushes lacked a forcing function. This one has a hard date, a specific enforcement mechanism, and a finite number of assessment slots—which means your clients can’t wait, even if they want to. 

The architecture: why AVD is the cleanest CMMC path

The DoD’s CMMC Scoping Guide states this explicitly: “An endpoint hosting a VDI client configured to not allow any local processing, storage, or transmission of CUI is considered an out-of-scope asset.”

If an endpoint doesn’t touch CUI—because all CUI handling happens inside an AVD session—it’s out of scope for the assessment. That’s not a workaround; it’s designed into the scoping guidance. But it only applies when the endpoint is specifically configured and documented to prevent local CUI handling: no local drive redirection, no clipboard transfer, no USB storage path, no local print or export. An endpoint running AVD isn’t automatically out of scope; it must be locked down and the lockdown verified. Instead of hardening every laptop and workstation in your client’s environment, you concentrate all CUI into a controlled AVD enclave deployed in Azure Government, and you harden the enclave boundary itself.

Endpoints become dumb terminals. The compliance surface shrinks dramatically. A well-scoped CUI enclave can reduce the number of assets, users, and systems in an assessment scope, which can materially reduce remediation and assessment effort compared with hardening an entire enterprise network. 

What the architecture actually looks like 

A CMMC-compliant AVD enclave on Azure Government Cloud typically includes: 

Core enclave layer 

  • AVD deployed in Azure Government, paired with Microsoft 365 GCC High for sensitive CUI scenarios (GCC suitability depends on specific data type, contract requirements, and customer configuration) 
  • Azure Virtual Desktop session hosts as the only path to CUI 
  • All CUI stored and processed within the AVD environment—no local data transfer to endpoints 
  • Endpoints configured to block USB redirection, clipboard transfer, and local drive mapping 

Identity and access 

  • Azure Active Directory with Conditional Access enforcing MFA and compliant device policies 
  • Role-based access control limiting CUI access to authorized users only 
  • Privileged Identity Management for admin-level access 

Monitoring and logging 

  • Microsoft Defender for Endpoint deployed on session hosts 
  • Azure Monitor and Log Analytics capturing audit logs 
  • SIEM integration for continuous monitoring 

Policy enforcement 

  • Group Policy or Intune enforcing CIS Hardened Configuration Baselines on AVD session hosts 
  • Application allowlisting to prevent unauthorized software execution 
  • Regular vulnerability scanning and patch management on session hosts 

This architecture provides significant technical control support across many of the 110 CMMC Level 2 controls—the Azure Government and Microsoft security stack can provide inheritable evidence across a substantial portion of requirements. The exact control coverage depends on architecture, configuration, and operational procedures. Your job as the MSP is deploying, maintaining, documenting, and keeping it running consistently across clients. 
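One way to verify the endpoint lockdown described above (no drive, clipboard, USB or printer redirection) on a host pool, as an added PowerShell example that is not part of the original post or of Nerdio’s product. It assumes the Az.DesktopVirtualization module, an Azure Government login, and placeholder resource group and host pool names.

```powershell
# Added example, not Nerdio's or Microsoft's code: audit (and optionally enforce) an AVD
# host pool's custom RDP properties so session hosts cannot hand CUI back to the endpoint.
# Assumes Az.DesktopVirtualization and a Connect-AzAccount -Environment AzureUSGovernment session.

# The lockdown the scoping guidance calls for; AVD stores these as "name:type:value" pairs.
$LockdownSettings = @{
    'drivestoredirect'     = ''    # empty device list = no local drives mapped
    'redirectclipboard'    = '0'   # clipboard transfer off
    'usbdevicestoredirect' = ''    # no USB devices redirected into the session
    'redirectprinters'     = '0'   # no local printer path
}

function ConvertFrom-RdpProperty {
    # Parse "key:type:value;key:type:value" into a hashtable keyed by property name.
    param([string]$Raw)
    $table = @{}
    foreach ($entry in ($Raw -split ';')) {
        if (-not $entry.Trim()) { continue }
        $parts = $entry -split ':', 3           # the value may itself contain ':'
        if ($parts.Count -eq 3) { $table[$parts[0].Trim().ToLower()] = $parts[2] }
    }
    return $table
}

function Test-EnclaveRdpLockdown {
    # Emit one finding per setting that is absent (AVD default applies) or permits transfer.
    param([string]$CustomRdpProperty)
    $current = ConvertFrom-RdpProperty $CustomRdpProperty
    foreach ($name in $LockdownSettings.Keys) {
        $actual = if ($current.ContainsKey($name)) { $current[$name] } else { '(not set)' }
        if ($actual -ne $LockdownSettings[$name]) {
            [pscustomobject]@{ Setting = $name; Actual = $actual; Expected = $LockdownSettings[$name] }
        }
    }
}

# Placeholder names: substitute the client's enclave resource group and host pool.
$rg = 'rg-cui-enclave'; $pool = 'hp-cui-enclave'
$hostPool = Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool
$findings = @(Test-EnclaveRdpLockdown -CustomRdpProperty $hostPool.CustomRdpProperty)

if ($findings.Count -eq 0) {
    Write-Output "$pool passes the redirection lockdown check; keep this output as evidence."
} else {
    $findings | Format-Table -AutoSize
    # Uncomment to enforce. Update-AzWvdHostPool replaces the whole string, so merge in any
    # other settings the client relies on (for example smart card redirection for CAC/PIV).
    # Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool -CustomRdpProperty `
    #   'drivestoredirect:s:;redirectclipboard:i:0;usbdevicestoredirect:s:;redirectprinters:i:0;redirectsmartcards:i:1'
}
```

Run it per client host pool and file the output alongside the endpoint configuration documentation; the host pool properties only cover the session side, so the endpoint policy (Intune or Group Policy) still needs its own evidence.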

The operational problem that kills most CMMC practices 

Here’s where most CMMC MSP efforts break down: The architecture works for one client. It becomes tricky at three, and it becomes unsustainable at ten. The reason is manual configuration. Building a CMMC-compliant AVD enclave from scratch takes weeks of engineering work per client. If every engagement is a custom build, you can’t scale. Engineers become the bottleneck, policy drift creeps in, and documentation falls behind. This is the operational problem Nerdio solves. 

How Nerdio fits into the CMMC enclave practice 

Nerdio Manager is the management and automation layer that sits on top of Azure Virtual Desktop. It’s not a security product; the compliance architecture lives in Azure Government and AVD. Nerdio is what makes that architecture operationally sustainable for an MSP running it across multiple clients.

  • Standardized image and policy deployment: Build your CMMC enclave reference architecture once and deploy it consistently across every new client. No custom scripting. No one-off builds. 
  • Multi-client management: Manage host pools, session hosts, policies, and auto-scaling across your entire client base from one console. 
  • Dramatically faster onboarding: C3 Integrated Solutions expects up to 80% faster onboarding for new CMMC enclave environments with Nerdio. 
  • Auto-Scaling and cost management: Session hosts spin up when users need them and wind down when they don’t, keeping Azure Gov costs predictable. 
  • Documentation support: Centralized management provides auditable configuration evidence that C3PAOs need to see. 

What MSPs should be doing right now 

  • Identify which of your existing clients are DIB-adjacent; subcontractor requirements flow down.
  • Build your reference architecture before you sell it. Don’t build a client’s enclave while selling it simultaneously. 
  • Get your own house in order. MSPs serving DIB clients may have CMMC obligations themselves. 
  • Move your C3PAO conversations now. Assessment slots are already scarce; waiting until Q3 2026 is too late.
  • Target MSPs already building CMMC practices. The MSP Collective’s ESP Directory lists 43+ certified MSPs who are your highest-value prospects. 

The competitive window is now 

Every CMMC push before 2025 lacked a forcing function. That’s over. The MSPs who establish a repeatable, AVD-based CMMC enclave practice in the next six months will own this market through Phase 2 and beyond. The top AOS-Gs in this space rely on Nerdio to deliver enclaves to their DIB customers. Every one of them admits there are more customers than they can serve and invites others to join them, but they recommend that you still have the right knowledge and tools to do this work. Nerdio is proud to support any MSP’s journey into CMMC compliance.

If you’re ready to start building or scaling your CMMC practice, schedule a 30-minute conversation with us for a practical walkthrough of how Nerdio powers CMMC enclave environments. 

Disclaimer: The architecture described here is designed to support CMMC scoping and control implementation. Final assessment scope, control inheritance, and certification outcomes depend on the specific customer environment, configuration, and the judgment of the assigned C3PAO assessor. This content does not constitute legal or compliance advice. 

About the author

Tony Cai

Senior Director of MSP Product

Tony Cai is the Senior Director of MSP Product at Nerdio, where he leads the development and strategy for Nerdio Manager for MSP. With a strong background in sales engineering and product leadership, Tony's efforts have focused on automating and simplifying cloud management tasks, enabling MSPs to deliver scalable and secure services to their clients. Tony brings a blend of technical acumen and strategic vision to his role, contributing significantly to Nerdio's mission of empowering MSPs in the Microsoft Cloud ecosystem.