Specialized Service · Built on Our Cloud Platform

Authorize Your Security Once. Every System Inherits It.

A Secure Cloud Enclave is a dedicated, hardened boundary we build inside the GovDataHosting Cloud Platform — our FedRAMP-certified platform, running on your choice of GovDataHosting or AWS GovCloud as the underlying IaaS. One overarching set of security controls is implemented and authorized at the enclave level — then every system you run inside it inherits that baseline. The result: one security controls baseline enforced consistently across all your workloads, and dramatically lower compliance cost per system.

Start Here

What Is a Secure Cloud Enclave?

If your organization runs more than one system in the cloud, an enclave is the most efficient way to secure all of them under a single, consistent compliance boundary.

en·clave /ˈen-klāv/

A Secure Cloud Enclave is a logically isolated, security-hardened environment that GovDataHosting builds for a single customer inside the GovDataHosting Cloud Platform — our FedRAMP-certified platform, which runs on a choice of underlying IaaS: GovDataHosting's own infrastructure or AWS GovCloud. The enclave carries one overarching set of security controls — boundary protection, identity and access management, encryption, logging, vulnerability scanning, and continuous monitoring — implemented and authorized once at the enclave level. Every system the customer hosts inside the enclave then inherits that control baseline rather than rebuilding it. New systems join an environment that is already secured and already authorized, so the same security controls baseline is enforced the same way everywhere and the cost of compliance is shared across the whole portfolio instead of repeated system by system.

The Inherit-Once Model

One Boundary, Many Systems, Shared Controls

The enclave is the common-control provider for everything inside it. Implement the hard parts once at the boundary; let each system stand up faster on top of an environment that is already secured and authorized.

GovDataHosting Cloud Platform — FedRAMP certified, on GovDataHosting or AWS GovCloud IaaS

Your Secure Cloud Enclave

Security Operations Center (SOC): 24/7 monitoring, detection & response
Security Documentation: SSP narratives & inheritance artifacts

Overarching security controls — authorized once, enforced for every system:

  • Boundary & network segmentation
  • Managed firewall
  • Identity, access & MFA
  • Encryption at rest & in transit
  • Centralized logging & SIEM
  • Vulnerability & configuration scanning
  • Hardened Windows / Linux images
  • Continuous monitoring (ConMon)
  • Centralized anti-virus / anti-malware
  • Incident response
  • Backup & recovery

Each system below inherits the controls above:

  • Case Management App (web application) — inherits enclave baseline
  • Data Warehouse (analytics / reporting) — inherits enclave baseline
  • Public Portal (citizen-facing site) — inherits enclave baseline
  • API Services (integration layer) — inherits enclave baseline
  • Dev / Test Sandbox (non-prod) — inherits enclave baseline
  • Add a new system — joins pre-secured, secured on day one

The enclave decomposes a complex portfolio into a single authorized boundary plus a set of systems inside it — the system / subsystem and common-control inheritance pattern described in NIST SP 800-37. The boundary owns the shared controls; each system owns only what is specific to it.

Why an Enclave

Three Things a Shared Boundary Buys You

An enclave is not just isolation for its own sake. It changes the economics and the consistency of how you secure a portfolio of systems.

Cost-Effectiveness

The expensive, shared controls — boundary protection, logging, monitoring, scanning, incident response (IR) — are built and paid for once at the enclave level, then amortized across every system inside it. Each additional system avoids standing up its own full security stack, so the marginal cost of adding a workload drops sharply.

Consistent Control Enforcement

Every system inherits the same control implementation, so each security control and policy is enforced identically across the whole environment. There is no drift between teams, no "this app does logging differently," and one place to update when a control requirement changes — which is exactly what auditors and assessors want to see.

Isolation & Control

The enclave is a single-tenant boundary dedicated to your organization. Your systems share a trusted internal environment with each other while staying segmented from everyone else — appropriate for sensitive, high-impact, and tightly scoped workloads.

Who Handles What

The Enclave Provides. Each System Inherits.

Inheritance does not erase a system's own responsibilities — it removes the duplicated ones. Here is how the line is typically drawn.

| Control Area | Enclave Provides (Inherited) | System Still Owns |
|---|---|---|
| Network, boundary & firewall | Perimeter, segmentation, managed firewall, traffic inspection | App-level network rules within its segment |
| Identity & access management | Directory, MFA, privileged access, central policy | Application roles and user entitlements |
| Encryption & key management | FIPS-validated encryption, managed keys, TLS | Classifying and tagging its own data |
| Logging, monitoring & SIEM | Centralized log pipeline, SIEM, alerting, continuous monitoring (ConMon) | Emitting meaningful application audit events |
| Vulnerability management | Infra/OS scanning, patch baseline, reporting | Remediating app and code-level findings |
| Hardening & baseline images (DISA STIG) | STIG-hardened, pre-configured Windows/Linux images, compliance scanning, drift reporting | Hardening app-specific configuration and settings |
| Anti-virus / anti-malware | Centrally managed AV/anti-malware agents, signature updates, alerting | Responding to application-level detections |
| Incident response | Detection, IR runbooks, coordination, escalation | App-specific impact assessment and recovery |
| Backup & recovery | Enclave backup schedules, retention, and restore testing | Validating app data restores and RPO/RTO needs |
| Security operations (SOC) | 24/7 SOC monitoring, threat detection, analyst triage and response | Acting on app-specific alerts and tickets raised to your team |
| Security documentation | SSP control narratives, inheritance language, and compliance artifacts for inherited controls | System-specific SSP sections and the authorization package itself |

Where Your Enclave Lives

One Platform. Your Choice of Underlying IaaS.

Every enclave is built inside the same FedRAMP-certified GovDataHosting Cloud Platform. What you choose is the infrastructure layer beneath it — GovDataHosting's own IaaS or AWS GovCloud — based on your mission, your existing investments, and your pricing preference. The platform, the enclave model, and the controls your systems inherit are identical either way.

GovDataHosting IaaS

Our platform on infrastructure we own

Run the GovDataHosting Cloud Platform on infrastructure we own and operate end to end, with 300+ inherited controls and predictable fixed monthly subscription pricing.

  • FedRAMP High and DoD IL2 authorized, top to bottom
  • 300+ controls inherited at the platform layer
  • Predictable fixed monthly subscription
  • Infrastructure compliance guarantee on managed layers

AWS GovCloud (US) IaaS

Our platform on your AWS GovCloud footprint

Run the same GovDataHosting Cloud Platform on AWS GovCloud under our management — ideal for teams standardized on AWS or with IL4/IL5 requirements.

  • FedRAMP High region; supports IL4/IL5 workloads
  • Inherit AWS infrastructure controls plus our managed platform and enclave controls
  • Consumption at cost, pass-through, plus fixed support fee
  • We govern and optimize the consumption you would otherwise run ungoverned

A Federal Example of the Same Model

How HHS / CMS Runs Hybrid Cloud

The enclave model is proven at the largest scale in government — the Centers for Medicare & Medicaid Services runs its entire hybrid cloud this way. GovDataHosting engineers and operates that same architecture for your organization, end to end.

Reference Architecture

CMS Hybrid Cloud

CMS Hybrid Cloud is CMS's strategic cloud implementation, built on commercial infrastructure from AWS and Microsoft Azure. CMS Cloud maintains and secures the shared environment and offers a catalog of CMS-approved enterprise security tools and services. Individual application teams build inside that environment and retain primary responsibility for their own Authority to Operate (ATO) — but they do not rebuild the foundation, because security stacks: an application's security depends on the platform beneath it, and the platform's security depends on the infrastructure beneath that.

Because the underlying environment is already authorized, application teams can treat the provider's controls as common controls in their own ATO package and mark them as inherited. CMS's own guidance frames the payoff plainly: leveraging an authorized environment's controls this way reduces duplication of effort, shortens the time to authorization, and lowers overall cost.

Authorized once

The shared environment carries the heavy, common controls and is secured and monitored centrally.

Inherited by many

Each system inside it inherits those controls instead of re-implementing them, and focuses its effort on what is system-specific.

Cheaper & faster

Less duplicated work, shorter authorization timelines, and lower total cost across the program's systems.

A GovDataHosting Secure Cloud Enclave gives a single organization that same architecture at its own scale: we stand up the authorized, centrally secured boundary inside the GovDataHosting Cloud Platform — on GovDataHosting or AWS GovCloud IaaS — and your systems inherit it, without your team having to operate the shared services layer yourselves.

Who It's For

When an Enclave Is the Right Move

An enclave pays off the moment you have more than one system to secure under the same compliance regime.

Agencies with multiple FISMA systems

Consolidate several moderate or high-impact systems under one authorized boundary instead of running and assessing each one in isolation.

Prime contractors managing a program portfolio

Host every deliverable system for a contract inside one enclave, so the security posture is uniform and the compliance story to your customer is single and clean.

Defense contractors handling CUI

Keep all CUI-bearing systems inside a controlled boundary that supplies the shared NIST 800-171 / CMMC controls, simplifying scope and assessment evidence.

Organizations scaling system count over time

Add new applications into an environment that is already secured and authorized — each one is protected from day one rather than starting its security from scratch.

Common Questions

Secure Cloud Enclaves, Answered

How is an enclave different from just hosting on your platform?

Hosting a single system means that system inherits the platform's controls. An enclave adds a dedicated, customer-specific boundary on top, with its own overarching controls that several of your systems share. It is the difference between one tenant on a platform and a private, multi-system environment built and authorized for you.

Does inheritance mean my systems have no security work to do?

No. Inheritance removes the duplicated, environment-wide controls — boundary, logging, encryption, monitoring. Each system still owns what is specific to it: its application roles, its data classification, its code-level findings, and the controls that depend on how the app itself is built.

Can my enclave run on AWS GovCloud?

Yes. Every enclave is built inside the GovDataHosting Cloud Platform, and that platform runs on a choice of underlying IaaS — GovDataHosting's own infrastructure or AWS GovCloud. The platform and the inherit-once model are identical either way; what differs is the infrastructure layer beneath and the pricing model — a fixed monthly subscription on GovDataHosting IaaS, or consumption-at-cost plus a fixed support fee on AWS GovCloud.

How does an enclave save money as I add systems?

The shared controls are built and operated once for the whole enclave. Every additional system reuses them instead of standing up its own security stack, so the marginal cost and effort of onboarding a new workload is a fraction of what an isolated, fully self-secured system would require.

Does this map to a recognized authorization model?

It follows the system / subsystem decomposition and common-control inheritance pattern described in NIST SP 800-37, the same approach federal programs such as CMS Hybrid Cloud use. Exact control allocation and boundary definitions are confirmed with your assessor; specific control mappings should be reviewed by your security team before authorization.

Is the enclave isolated from other customers?

Yes. An enclave is a single-tenant boundary dedicated to your organization. Your systems share a trusted internal environment with one another while remaining logically segmented from every other customer — which is what makes it suitable for sensitive and high-impact workloads.

Design Your Secure Cloud Enclave

Tell us how many systems you run and what they have to comply with. We will map the overarching controls your enclave should carry, show you what each system can inherit, and recommend whether GovDataHosting or AWS GovCloud is the right IaaS beneath your platform.