Blog Archive - PreVeil
https://www.preveil.com/blog/

What’s New in PreVeil: Product Updates
https://www.preveil.com/blog/product-updates/ | Wed, 02 Jul 2025

Version 5.8.4 | July 2025

This update enhances PreVeil Drive’s viewer so that some movie file types, as well as text files with a .log extension, can be viewed in place. In the Admin console, entries can now be sorted in the Email Gateway and Trusted Community whitelists. Various bug fixes also improve system stability and administrative functionality, including trusted device management, Data Export, and Activity Logs.


Version 5.8.3 | June 2025

This release delivers a series of focused improvements and targeted bug fixes designed to enhance user experience and administrative workflows. This update ensures a smoother interaction with Web Viewer capabilities, the Admin Console UI, and overall performance when handling large data sets across Mail and Drive.

Version 5.8.2 | June 2025

This update introduces enhancements to PreVeil Drive, making file management more seamless, alongside improved search capabilities for large collections. Additionally, various bug fixes improve system stability and administrative functionality, such as trusted device management and shared folder renaming.

Version 5.8.1 | May 2025

The latest PreVeil update delivers substantial improvements to Drive functionality with enhanced search capabilities and faster sync performance, while also refining the user interface across Approval Groups and Data Export features. User experience has been significantly enhanced through numerous bug fixes addressing email synchronization, macOS compatibility, and file search reliability, with improved update notifications now appearing for those who have disabled automatic updates.

Version 5.8.0 | April 2025

PreVeil continues to improve the user experience. This release adds easy access to PreVeil from the Windows Start Menu. Within Drive, enhancements include tooltips, loading indicators, and clearer explanations of functions. Admins will see clearer messaging for functionality related to approval groups, recovery groups, and user device management. Finally, admins can now customize update behavior.

Version 5.7.0 | February 2025

Keeping track of document updates across shared folders can be challenging, especially when collaborating with multiple team members. That’s why we’re excited to introduce Folder Change Notifications in PreVeil Drive 5.7.0, a powerful new feature designed to streamline your collaboration workflow.

Watch Folders and Files That Matter to You

With our new Watch feature, you can select any shared folders or files you have access to and receive automatic notifications when changes occur. Whether someone adds a new document, makes edits, or removes content, you’ll stay informed of all activities in your watched locations.

Flexible Notification Settings

We understand that different users have different needs when it comes to notifications. That’s why we’ve made it easy to:

  • Customize notification frequency to match your workflow
  • Choose which folders and files to watch
  • Turn notifications on or off as needed

Enhanced Change Tracking

The new feature introduces a dedicated changes page in the desktop app that offers:

  • A chronological timeline of all modifications to watched items
  • Simple management of your watched folders and files through an intuitive interface
  • Direct access to modified content with a single click

Getting Started

Folder Change Notifications will be available in PreVeil Drive 5.7.0, which will be released over the next few weeks. Once the update is complete:

  1. Select the folder or file you want to monitor and choose the “Watch” option from the menu
  2. Customize your notification preferences

This new capability integrates seamlessly with PreVeil’s existing sharing features, making it easier than ever to collaborate effectively with your team while staying on top of important changes.

We’re confident that Folder Change Notifications will enhance your productivity and help your team work together more efficiently. Try it out today and let us know what you think!

What Private Equity Firms Need to Know About CMMC: M&A and Costs
https://www.preveil.com/blog/what-private-equity-firms-need-to-know-about-cmmc/ | Fri, 27 Jun 2025

The Cybersecurity Maturity Model Certification (CMMC) is reshaping how private equity firms approach defense sector investments. With enforcement actions reaching $100 million and new M&A triggers requiring fresh assessments, PE firms can no longer treat cybersecurity compliance as an afterthought.

The Market Reality: Comply or Be Excluded

CMMC is now live—and will begin appearing in DoD contracts by mid-to-late 2025 via 48 CFR. The consequences are binary. As Michael Gruden, Government Contracts Cybersecurity Partner at Crowell & Moring and former Pentagon IT acquisition branch chief, warns:

Translation: No certification, no contract.

The M&A Trigger: When Deals Require New Assessments

CMMC isn’t just about technical controls—it’s about the structure and boundaries of the systems being assessed. According to Gruden:

This means PE firms must now bake CMMC reassessment timelines and costs into deal models—especially when post-close integration will impact IT infrastructure or CUI handling.

Financial Stakes: Noncompliance Can Cost Millions

The enforcement landscape has escalated dramatically. Penalties under the Department of Justice’s Civil Cyber-Fraud Initiative, which uses the False Claims Act to pursue contractors that misrepresent their cybersecurity compliance, have been rising and represent a significant hit to a company’s bottom line.

These fines do not only hurt an organization’s pocketbook; they can have a profound impact on its reputation as well.

Due Diligence Implications

PE firms’ typically fast-paced transaction approach conflicts with the thoroughness that proper CMMC due diligence requires. PE firms need to slow down and take the time to understand the requirements. As Gruden warns,

PE firms should evaluate:

  • Target company’s current CMMC certification status
  • Network architecture and data handling practices
  • Quality and completeness of cybersecurity documentation
  • Potential need for post-acquisition assessments

Building Portfolio Value Through Standardization

Forward-thinking PE firms are viewing CMMC as a portfolio-wide value creation opportunity. Standardizing CMMC compliance across multiple defense investments can reduce costs by up to 75% compared to legacy solutions.

The key is moving from reactive compliance to proactive preparation—what Gruden calls “doing it the right way” and “building with intentionality.”

Actionable Steps for PE Firms to Achieve CMMC Compliance

  1. Early Assessment: Evaluate CMMC readiness during initial due diligence, not post-acquisition
  2. Documentation Review: Ensure that target companies have all critical documentation complete, including their System Security Plan and Standard Operating Procedures.
  3. Legal Protection: Conduct assessments under attorney-client privilege to protect against discovery in potential enforcement actions
  4. Portfolio Strategy: Consider standardizing CMMC solutions across defense investments to achieve economies of scale

The Bottom Line

CMMC represents both significant risk and substantial opportunity for PE firms with defense exposure. The cost of non-compliance—measured in lost contracts, enforcement actions, and deal complications—far exceeds the investment required for proper preparation.

As the defense industrial base continues consolidating and cybersecurity requirements intensify, PE firms that master CMMC compliance will gain a decisive competitive advantage in defense sector investments.

For PE firms looking to navigate CMMC requirements across their defense portfolios, early preparation and standardized solutions offer the clearest path to compliance and value creation.

What is CMMC Compliance?
https://www.preveil.com/blog/what-is-cmmc-compliance/ | Wed, 25 Jun 2025

The Cybersecurity Maturity Model Certification (CMMC) is a framework introduced by the Department of Defense (DoD) in 2019 to ensure defense contractors comply with cybersecurity requirements outlined in NIST SP 800-171. Its primary goal is to protect sensitive information, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), while strengthening the overall security of the defense supply chain.

This blog explains the basic requirements of CMMC, the latest timeline, the projected costs of compliance, and tips on how to get started.

CMMC Compliance was introduced by the Department of Defense (DoD) to address widespread gaps in compliance and enforcement of the existing NIST SP 800-171 framework. While CMMC compliance doesn’t introduce new cybersecurity requirements for protecting FCI and CUI, it strengthens enforcement of the security measures already in place.

Previously, defense contractors were allowed to self-assess their compliance with DoD security requirements. Under CMMC, however, most contractors will need to undergo independent third-party assessments to verify compliance. These assessments will be conducted by CMMC Third Party Assessment Organizations (C3PAOs) that are trained and certified by the Cyber AB, CMMC’s official accreditation body.

Who Needs CMMC Certification?

Organizations that handle FCI or CUI must achieve CMMC certification at the level specified in their contract. This requirement applies not only to large, Prime defense contractors but also to subcontractors and smaller organizations further down the Defense Industrial Base (DIB) supply chain. Cybercriminals often target these smaller entities, viewing them as less secure entry points to sensitive data. By raising cybersecurity standards across the entire supply chain, the DoD aims to mitigate these vulnerabilities—a core objective of the CMMC program.

CMMC Levels and Their Compliance Requirements

CMMC has three levels of compliance, determined by the type of information your organization handles. To work on defense contracts, your organization must comply with the CMMC level specified in your contract and undergo the appropriate assessments, as shown in the figure below.

[Figure: Security and assessment requirements by CMMC level. Source: DoD Chief Information Officer website]

  • Level 1 applies to organizations handling Federal Contract Information (FCI) only. Compliance requires meeting the 15 basic safeguarding requirements in FAR 52.204-21. Organizations at this level must perform annual self-assessments to verify compliance.
  • Level 2 is designed for organizations that handle Controlled Unclassified Information (CUI). Compliance at this level means meeting the 110 security requirements of NIST SP 800-171. Most organizations at this level will need a third-party assessment every three years, conducted by an accredited CMMC Third Party Assessment Organization (C3PAO) that evaluates implementation of the NIST SP 800-171 requirements.
  • Level 3 applies to organizations working with CUI that face Advanced Persistent Threats (APTs): sophisticated, state-sponsored attacks targeting critical defense programs. To achieve Level 3, organizations must meet both the 110 NIST SP 800-171 requirements and an additional 24 enhanced requirements selected from NIST SP 800-172. Triennial assessments at this level are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the DoD’s own assessment arm.

The CMMC Program rule (32 CFR Part 170) became effective on December 16, 2024, and CMMC assessments have begun. CMMC will enter contracts by mid-2025, once the companion acquisition rule (48 CFR) takes effect. See our CMMC timeline blog for more details.

It is important to understand that even though CMMC will be phased in over time, it does not necessarily follow that you have more time to achieve CMMC certification. Your organization, for example, could be far down the supply chain from a contractor subject to CMMC in Phase 1, in which case that contractor must flow down CMMC requirements to your organization at that time.

As leading cyber lawyer Robert Metzger said during PreVeil’s CMMC Summit:

The problem for most contractors is that you won’t know in advance when the compliance requirement will come to you or when your Prime will ask you to show you are ready for a certification assessment. Most organizations find that it takes 6-18 months to know that you are ready to pass an assessment. So you need to get started now.

The costs associated with achieving CMMC Level 2 certification can vary widely depending on several factors. These include your organization’s current cybersecurity maturity, the scope of your Controlled Unclassified Information (CUI) enclave, the number of employees handling CUI, the extent of internal preparation for the C3PAO assessment, and the need for external expertise to meet certification requirements.


The DoD estimates that the cost of CMMC Level 2 assessments and required affirmations of compliance will exceed $100,000, excluding any additional technology investments needed to meet requirements. The table below provides a breakdown of cost estimates for small defense contractors (fewer than 500 employees or less than $7.5 million in annual revenue):

[Table: DoD CMMC Level 2 certification and cost estimates for small defense contractors (fewer than 500 employees or revenue under $7.5 million). Source: Proposed Rule, Cybersecurity Maturity Model Certification Program]

These costs include time and resources from both in-house IT specialists and external service providers, such as Registered Practitioners (RPs) and C3PAOs, who assist in achieving CMMC Level 2 compliance.

However, it’s important to note that these estimates begin at the C3PAO assessment phase and exclude any costs incurred beforehand. Since defense contractors have been required to comply with NIST 800-171 standards—on which CMMC Level 2 is based—since 2017, the DoD does not consider NIST 800-171-related technologies or documentation as new expenses.

The good news is that there are technology solutions available that can significantly reduce the time and cost of achieving compliance. PreVeil’s blog, 6 Ways to Save Money on CMMC, offers insights into the costs involved and practical strategies to save money at each step of the process.

If you’re just starting your CMMC Level 2 compliance journey, you should focus on meeting the 110 controls in NIST 800-171. PreVeil offers a three-step roadmap to NIST 800-171 compliance and CMMC Level 2 certification.

You’ll need to choose an email and file sharing platform that complies with DFARS 7012. Be aware that standard commercial editions of email services such as Gmail and Microsoft O365 are not compliant, and the responsibility for choosing a compliant platform rests squarely with the defense contractor. Ask vendors for documented evidence, and ask for references from customers who have achieved CMMC compliance.

Dozens of PreVeil customers have achieved CMMC compliance, validated by a perfect 110 score on their C3PAO or DoD assessment. PreVeil is used by over 1,700 defense contractors and provides a comprehensive solution to simplify CMMC compliance. Through a combination of inherited and shared controls, PreVeil supports over 90% of the NIST SP 800-171 security requirements (102 of the 110).

Defense contractors have to do more than implement technology and policies to comply with NIST SP 800-171. They also need detailed, evidence-based documentation to prove it. This can be a daunting, time-consuming, and costly task.

PreVeil offers its customers a Compliance Accelerator documentation package that gives them a huge head start. It includes a pre-filled System Security Plan (SSP) with detailed language that explains how a customer will be able to meet each of the NIST SP 800-171 controls and objectives that PreVeil supports; policy documents; POA&M templates and more. Here’s what Paul Miller from Virtra said:

I would say the PreVeil supporting documentation halved the time that we spent on the SSP. The pre-filled documents gave us that starting place to make sure we addressed everything in each control.

It’s understandable that many organizations lack the internal security expertise to conduct their NIST 800-171 self-assessment accurately and cost effectively. If you get stuck and need help, outside partners can save you time and money.

To facilitate connections to the specialized help many small to midsize businesses need, PreVeil has built a partner network of C3PAOs, Registered Practitioners, MSPs and other consultants—all with expert knowledge of DFARS, NIST, CMMC and PreVeil.

Now is the time to get started on CMMC compliance. Informed estimates from C3PAOs who have done this work are that it takes typical small to midsize organizations around 12 months to meet CMMC Level 2 requirements. That time frame exceeds estimates of how long it will be before CMMC requirements begin to appear in DoD contracts.

PreVeil is trusted by more than 1,700 small and midsize defense contractors, and can help you achieve CMMC Level 2 certification faster and more affordably.

Countdown to Compliance: Demystifying the CMMC Timeline
https://www.preveil.com/blog/cmmc-timeline/ | Fri, 06 Jun 2025

The CMMC Final Rule is now live and CMMC assessments are ongoing. CMMC will enter DoD contracts in mid-late 2025.

CMMC Background

Defense contractors handling controlled unclassified information (CUI) have been required to meet the 110 requirements of NIST 800-171 since 2017. CMMC will validate compliance with NIST 800-171 through independent assessments conducted by C3PAOs (CMMC Third-Party Assessment Organizations).

The DoD has made clear that CMMC is imminent and defense contractors need to work towards meeting compliance. Here’s what Matt Travis (CEO of Cyber-AB) warned at PreVeil’s CMMC Summit:

The Latest CMMC Timeline

The CMMC Program rule (32 CFR Part 170) became effective on December 16, 2024, and CMMC assessments started on January 2, 2025. CMMC will enter contracts through the acquisition rule (48 CFR) in mid-2025.


CMMC Compliance Deadline: When will it be in contracts?

The DoD Deputy Chief Information Officer (CIO) for Cybersecurity, David McKeown, said in June 2024 that “the DOD should be officially rolling CMMC 2.0 out and including it in contract paperwork in the first quarter of calendar year 2025”.

However, this does not mean that companies should wait to begin a CMMC implementation plan. NIST 800-171, which CMMC is based on, is already required today. Furthermore, Primes are already beginning to require their subcontractors to meet CMMC compliance requirements, ahead of the rule. Here’s what Leidos CISO JR Williamson said on a PreVeil panel,

Defense contractors who are not yet meeting all 110 NIST 800-171 controls should prioritize this immediately if they wish to continue bidding on defense contracts.

Preparing for CMMC Level 2

Given that CMMC will be in contracts in mid-2025, you need to start your compliance preparations now: it takes about 12 months for the average defense contractor to become assessment ready. Doing nothing is not an option. Here’s what Matt Travis said:

If you’re not sure where to start, read our CMMC Compliance Checklist blog. For convenience, here are a few ways to expedite your compliance journey:
 
1. Limit your Compliance Boundary with an Enclave: You may be able to establish a secure, isolated environment for CUI, which can simplify your documentation and save you money on licenses.

2. Use Pre-filled Documentation: Protecting CUI is at the core of NIST and CMMC compliance. However, you also must provide detailed documentation to prove that you’re compliant. CMMC assessments will be conducted by C3PAOs who will start by asking for this documentation. For example, your System Security Plan (SSP) needs to document how your organization meets the 110 controls of NIST 800-171. 

3. Limit POA&Ms: A Plan of Action and Milestones (POA&M) describes how you will meet any requirement that is not yet implemented. Make sure you are actively closing each item and have specified the technologies and procedures needed to do so. At the time of assessment, open POA&M items are permitted only for a limited set of the lowest-weighted requirements, you need a minimum score of 80% (88 of 110) to be eligible for a conditional certification, and the remaining items must be closed within 180 days. We therefore do not recommend relying on POA&Ms to pass CMMC.

4. Leverage Partners: If you get stuck, or don’t have the time or expertise to complete the steps required, you can take advantage of PreVeil’s preferred network of Assessors, Consultants, and Service Providers. They offer a variety of services to help accelerate your compliance journey, and you can have confidence that they were vetted and recommended by the PreVeil compliance team.

Under DFARS 252.204-7012, which already requires contractors that handle CUI to implement NIST SP 800-171, you are already responsible for meeting the security requirements that CMMC Level 2 assesses. If you are not yet fulfilling this obligation, the time to act is now.

Next Steps

The goal for defense contractors is to not only remain eligible to win defense contracts, but also to minimize business risk and protect CUI from our country’s adversaries. By getting started on your organization’s compliance journey, you can achieve these objectives and ensure your company is ready for ramped-up federal enforcement of cybersecurity regulations.


What is CUI Basic? The Answers You’re Looking For
https://www.preveil.com/blog/what-is-cui-basic/ | Wed, 04 Jun 2025

If you’re a government contractor, you’ve likely come across the term CUI Basic. But what is CUI Basic, really? And why does it matter for your organization?

In this comprehensive guide, we’ll break it all down: what qualifies as CUI Basic, how it differs from CUI Specified, real-world examples, compliance requirements, and why protecting this type of data is essential for national security and business continuity.


What is CUI Basic?

Controlled Unclassified Information (CUI) refers to sensitive but unclassified data that the federal government requires to be protected. It replaces older, inconsistent markings like “FOUO” (For Official Use Only) and “SBU” (Sensitive But Unclassified).

CUI is divided into two main categories: CUI Basic and CUI Specified.

CUI Basic includes information that:

  • Is not classified,
  • Requires safeguarding due to government policy,
  • But is not subject to specific legal handling requirements.

Instead, protection requirements are standardized under 32 CFR Part 2002 and NIST SP 800-171.

CUI Specified, however, includes controlled unclassified information that must be protected in accordance with legal or regulatory mandates.

Example of CUI Basic

Imagine a defense subcontractor providing technical specs and engineering drawings for a naval drone. The data isn’t classified or subject to ITAR but still requires protection.

Since there are no special laws governing its handling—but it’s sensitive and tied to national security—it’s categorized as CUI Basic and must be protected under NIST SP 800-171.

Example of CUI Specified

An aerospace company working on a defense contract receives technical data related to missile guidance systems that falls under the International Traffic in Arms Regulations (ITAR). Because ITAR imposes legally binding controls on how such data is stored, accessed, and shared, especially with foreign nationals, this information is categorized as CUI Specified. It requires not only the baseline protections of NIST SP 800-171 but also compliance with ITAR’s specific legal requirements, such as limiting access based on citizenship and using approved export-controlled systems.


CUI Basic vs. CUI Specified: What’s the Difference?

Understanding the difference between CUI Basic and CUI Specified is crucial for compliance and correct data handling. In short, CUI Basic is governed by the general CUI program regulations, while CUI Specified is governed by a specific law, regulation, or government-wide policy and is subject to the additional protections that authority imposes.

If no law, regulation, or government-wide policy dictates extra handling requirements, the data is categorized as CUI Basic.


Common Categories of CUI Basic

There are dozens of CUI Basic categories that span technical, financial, and legal areas. The NARA CUI Registry is the authoritative source for the full list.

Some Common CUI Basic Categories Include:

  • Procurement and Acquisition Data
  • Proprietary Business Information
  • Legal and Contractual Information
  • Infrastructure Protection Data
  • Patent Applications
  • Financial or Budget Information
  • Privacy Act Data (when not elevated to Specified)

These types of information must be safeguarded even though they are unclassified.


Compliance Requirements for CUI Basic

Contractors handling CUI Basic must meet strict cybersecurity and compliance obligations. These include the following standards and frameworks:

NIST SP 800-171

This is the core standard for protecting CUI Basic. It includes 110 security requirements across 14 families. Compliance involves implementing these NIST SP 800-171 requirements, documenting them in a System Security Plan (SSP), and tracking any gaps in a Plan of Action and Milestones (POA&M).

CMMC Level 2

CMMC Level 2 directly maps to NIST 800-171 and applies to contractors handling CUI Basic. CMMC Level 2 assessments began in January 2025 and are expected to steadily increase as CMMC requirements are gradually incorporated into defense contracts over the coming years. During these assessments, organizations will be evaluated on their ability to meet all 110 security controls outlined in NIST SP 800-171, as well as how effectively they implement the procedures and policies detailed in their System Security Plan (SSP).

What is the Goal of Destroying CUI?

Knowing the difference between CUI Basic and CUI Specified is important, but so is the destruction of it. The goal of destroying CUI is to ensure that sensitive, unclassified government information cannot be accessed, reconstructed, or misused by unauthorized individuals once it is no longer needed.

Why CUI Destruction Matters

Just like classified information, CUI poses a risk if left unsecured—even after it’s outdated or no longer relevant. Improper disposal can lead to unauthorized disclosure of technical or procurement data, loss of competitive advantage or intellectual property, and national security threats through supply chain exposure.

Destroying CUI properly ensures that sensitive data doesn’t end up in the wrong hands, particularly in the context of cyber espionage, insider threats, or physical document theft.

Acceptable Methods for Destroying CUI

Per 32 CFR Part 2002, CUI must be destroyed in a manner that makes it unreadable, indecipherable, and irrecoverable. For electronic media, the rule points to the media sanitization guidance in NIST SP 800-88. Acceptable methods include:

  • For paper: cross-cut shredding, pulping, burning, or pulverizing
  • For electronic media: secure overwriting, degaussing, cryptographic erase, or physical destruction (e.g., shredding drives)

Organizations must also follow any additional requirements set forth in their agency contracts or internal policies. Some types of CUI Specified may have their own mandated destruction protocols.

Why Protecting CUI Basic Is Critically Important

CUI Basic is a high-value target for cyber adversaries. Its protection is essential for national security, contract success, and business continuity.

National Security Implications

CUI Basic includes data on military systems and components, defense supply chains, and procurement and acquisition. If compromised, this data can directly harm U.S. national defense capabilities.

Supply Chain Risk

Adversaries often exploit small or mid-sized contractors to access the broader supply chain. Protecting CUI Basic helps close these gaps.

Failure to protect CUI Basic can lead to:

  • Breach of contract
  • Contract revocation or suspension
  • Disqualification from future DoD opportunities
  • Costly audits and reputational damage

Who is Responsible for Applying CUI Markings?

Responsibility for applying CUI markings lies with the creator of the CUI—whether within the federal government or among contractors and subcontractors who create, receive, or manage CUI.

Role of Federal Agencies

Agencies that originate CUI are responsible for:

  • Identifying what constitutes CUI under the NARA CUI Registry
  • Marking documents and data correctly before dissemination
  • Training employees and contractors on proper CUI handling

Agencies also designate CUI senior agency officials (SAOs) to oversee implementation and ensure compliance across departments.

Role of Contractors and Subcontractors

When contractors generate or receive CUI as part of a federal contract, they are required to:

  • Mark any CUI they create or modify according to the source agency’s guidance
  • Maintain those markings throughout the document’s lifecycle
  • Ensure subcontractors and team members follow the same marking and safeguarding rules

Markings typically include:

  • A header or footer with the word “CUI”
  • Category markings (e.g., “CUI – Controlled Technical Information”)
  • Limited dissemination controls if applicable

Here’s an example of how CUI will be marked on a contract.

Tools and Guidance for Proper Marking

The National Archives and Records Administration (NARA) provides templates and guidance for marking CUI, along with training resources. Contractors should also refer to agency-specific requirements and contractual clauses.


How PreVeil Helps You Protect CUI Basic

PreVeil offers end-to-end encrypted email and file sharing designed to meet the requirements of NIST 800-171, CMMC Level 2, and DFARS 7012.

Why Organizations Choose PreVeil:

  • End-to-end encryption for email and files
  • Seamless integration with Outlook and Gmail
  • Affordable for SMBs in the DIB
  • Compliant with ITAR, DFARS, and CMMC
  • Easy collaboration with primes, subs, and government partners

PreVeil helps defense contractors achieve and maintain compliance—without enterprise complexity or cost.


Get Started Today

PreVeil is trusted by thousands of contractors to protect CUI Basic and comply with NIST 800-171 and CMMC 2.0. We can help you simplify compliance, secure your data, and safeguard your contracts.

The post What is CUI Basic? The Answers You’re Looking For appeared first on PreVeil.

What is DFARS 252.204-7012 and Why It’s Important https://www.preveil.com/blog/what-is-dfars-7012/ Tue, 03 Jun 2025 17:01:23 +0000

With the finalization of CMMC, which will soon integrate into defense contracts via DFARS 7021, it’s crucial for contractors to not overlook the ongoing critical role of DFARS 7012. DFARS 7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) regulations mandate the protection of Controlled Unclassified Information (CUI) and ties directly into the broader cybersecurity framework by requiring contractors to implement the 110 security controls of NIST 800-171. As defense industry standards evolve, the inclusion of a DFARS 7012 clause in contracts remains a primary indicator of a contractor’s requirement for compliance readiness.

This blog explains what DFARS 252.204-7012 is, who needs to comply, and how to make compliance simpler and more affordable.

What is DFARS 7012?

DFARS 7012 is a key clause within the Defense Federal Acquisition Regulation Supplement, and is crucial for securing Controlled Unclassified Information (CUI) in the defense sector. All contractors that handle CUI—i.e., Contractor Proprietary Information, Controlled Technical Information, and Covered Defense Information (CDI)—will have a DFARS 7012 clause in their contract and therefore must comply with its provisions. That has been the case since 2017. The regulation requires defense contractors and subcontractors to implement robust cybersecurity practices to protect sensitive data from cyber threats.

The essence of DFARS 7012 mandates compliance with specific cybersecurity standards, particularly those defined by the National Institute of Standards and Technology (NIST). The core requirement is adherence to NIST SP 800-171, which includes a comprehensive set of security controls for non-federal information systems.

We recommend that you review your organization’s contract to check if it contains the DFARS 7012 clause, in which case you need to comply with it. Note that your contract may be with another organization above you in the defense supply chain, rather than directly with your Prime contractor. In either case, you will still need to adhere to the requirements spelled out in DFARS 7012. Learn more below.

DFARS 7012 outlines several key requirements essential for safeguarding Controlled Unclassified Information (CUI). These requirements are mandatory for all defense contractors and subcontractors handling such information.

  • Protect unclassified Covered Defense Information (CDI) in accordance with NIST 800-171. To provide adequate security, contractors must implement the 110 security controls stipulated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, as well as the 320 objectives that are part of the controls.
  • Report any cyber incidents to the DoD and provide access to servers and logs, per clauses (c)-(g). Contractors need to report all cyber incidents (even commercial attacks) to the DoD Cyber Crimes Center (DC3), share all cyber incident data, retain that data for 90 days, and assist DC3 with any follow up investigations as needed. See the (c)-(g) section below, which specifies these requirements.
  • Ensure Cloud Service Providers (CSPs) Meet FedRAMP Moderate or Equivalent standards. Contractors must confirm that their CSPs have achieved the Federal Risk and Authorization Management Program (FedRAMP) Baseline Moderate or Equivalent standard. PreVeil is the first CSP to meet this stringent FedRAMP Moderate Equivalency requirement for CMMC and DFARS 7012 compliance.

Note that the DFARS 7012 clause also requires defense contractors to flow down all the 7012 requirements to their subcontractors.



DFARS 7012 requires implementation of the 110 security controls specified in NIST SP 800-171. CMMC Level 2—the minimum level that must be attained by contractors that handle CUI—will require compliance with the same 110 NIST SP 800-171 security controls. The key difference is that under CMMC, compliance will be checked by independent third-party assessors (C3PAOs) certified by the CyberAB, the CMMC Accreditation Body.

As Stacy Bostjanik (Chief Defense Industrial Base Cybersecurity, U.S. Department of Defense) said during PreVeil’s CMMC Summit, “CMMC is just the validation program that people have done what they already agreed to do in complying and establishing the requirements of NIST 800-171 in their current networks.”

The DoD released its DFARS Interim Rule, formally known as the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements in 2020. The goal of this supplement was to increase compliance with DFARS 7012. The Interim Rule introduced three new clauses – 7019, 7020 and 7021.

  • Clause 7019 dramatically strengthens DFARS 7012 by requiring that contractors conduct a NIST SP 800-171 self-assessment according to DoD Assessment Methodology. Further, self-assessment scores must be reported to the DoD via its Supplier Performance Risk System (SPRS). SPRS scores must be submitted by the time of contract award and not be more than three years old.
  • Clause 7020 notifies contractors that the DoD reserves the right to conduct a higher-level assessment of contractors’ cybersecurity compliance, and that contractors must give DoD assessors full access to their facilities, systems, and personnel. Further, 7020 strengthens 7012’s flow down requirements by holding contractors responsible for confirming that their subcontractors have SPRS scores on file prior to awarding them contracts.
  • Clause 7021 paves the way for rollout of the DoD’s Cybersecurity Maturity Model Certification (CMMC) program. The CMMC Proposed Rule became law in December 2024 and it will appear in contracts in late 2025. Visit our CMMC Timeline blog for the latest updates. 7021 also stipulates that contractors will be responsible for flowing down the CMMC requirements to their subcontractors.

Noncompliance with DFARS 7012 poses significant business risks. Cyber criminals often target smaller organizations, which they perceive as more vulnerable compared to well-resourced prime contractors. The consequences of such vulnerabilities can be severe, including the loss of intellectual property, operational incapacity, and substantial recovery costs that might include ransomware payments.

Furthermore, DFARS 7012 mandates that all cyber incidents be reported to the Department of Defense (DoD). Should investigations reveal inadequate security measures—essentially a failure to comply with the DFARS 7012 contract clause—the DoD may view this as a contract breach. Potential corrective actions can be severe and include:

  • Withholding of progress payments
  • Foregoing remaining contract options
  • Contract termination, either partially or completely

In a June 2022 memo, the DoD emphasized that the absence of a plan or progress towards implementing NIST SP 800-171 requirements might constitute a material breach of contract, opening the door to these remedies.

  1. Reduce your compliance boundary: If only a portion of your organization handles CUI, then it makes sense to narrow the scope of the security requirements by creating a separate enclave. This translates into a simpler assessment process that saves you time and money. Some solutions like Microsoft GCC High often need to be deployed across entire organizations, adding significant costs and complexity.
  2. Choose a platform that’s easy to use and deploy: Platforms like Microsoft GCC High often require expensive consultants, separate email addresses, and a full rip-and-replace. Look for a solution that can be deployed in hours, uses your existing email addresses, and integrates directly with the tools you’re already using, like Outlook, Gmail, File Explorer and MacFinder.
  3. Deploy a solution with proven CMMC credentials: If your organization has migrated to the cloud, know that standard commercial cloud services such as Microsoft 365 Commercial do not meet CMMC requirements for storing, processing and transmitting CUI. You want to verify that the solution you choose has FIPS 140-2 encryption modules, meets DFARS (c)-(g), is FedRAMP Moderate or Equivalent, and has been used to pass multiple DoD assessments.
  4. Use pre-filled compliance documentation to save you time and money: To pass an assessment, contractors will need detailed, evidence based documentation clarifying how the controls are addressed within their company. This can be a daunting, time-consuming and costly task so look for a solution that offers pre-filled documentation including a System Security Plan (SSP) and Standard Operating Procedures.

PreVeil is the leading solution for DFARS 7012, NIST 800-171 and CMMC compliance and is trusted by more than 1,700 small and midsize defense contractors. In addition, over 25 PreVeil customers have achieved compliance with DFARS 7012/CMMC, validated by a perfect 110 score on their C3PAO or DoD assessment.

What is a System Security Plan (SSP)? https://www.preveil.com/blog/what-is-system-security-plan/ Tue, 03 Jun 2025 14:07:37 +0000

If your organization processes Controlled Unclassified Information (CUI), it is essential to develop a System Security Plan (SSP) that aligns with NIST 800-171 standards. An SSP outlines the specific policies and procedures your organization employs to meet these requirements. More than just an internal document, your SSP must also be comprehensible and convincing to external auditors.

This blog serves as a comprehensive guide to crafting a robust SSP capable of withstanding auditor scrutiny. While creating a CMMC-compliant SSP can seem daunting, this guide will demystify the process and list the steps to streamline your efforts.

A System Security Plan (SSP) is a document that outlines a defense contractor’s cybersecurity strategy for protecting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The SSP provides a detailed account of how security controls from NIST SP 800-171 are implemented, monitored, and enforced through policies, technology, or a combination of both. It also defines the roles and responsibilities of security personnel, ensuring the proper handling and protection of FCI or CUI.

For contractors pursuing CMMC Level 2 compliance, developing an SSP is not optional—it is a mandatory requirement. Since 2016, NIST 800-171 has stipulated that organizations must:

“develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationship with or connections to other systems.”

In the CMMC process, an Authorized Third-Party Assessment Organization (C3PAO) will typically review the SSP as a prerequisite for conducting the Level 2 assessment. If the C3PAO determines that the SSP lacks sufficient detail or does not adequately address the NIST 800-171 requirements, they may deem the organization not ready for assessment. In such cases, contractors will need to revise and strengthen their SSP before the evaluation can proceed.

A comprehensive SSP should include the following components:

  • Your Scope: Clearly document where CUI is processed, stored, or transmitted within the system. Specify who has access to this information and under what conditions.
  • In-Scope Systems: Provide a detailed description of system boundaries, system interconnections, and key components within the system environment. This includes servers, networks, applications, and any devices involved in handling CUI.
  • Objectives and Metrics: Describe how each NIST 800-171 security requirement is being implemented. Include measurable metrics or mechanisms to monitor, assess, and improve the effectiveness of security controls over time.

The more detailed and precise your SSP is, the better. Thorough documentation ensures that your processes are clear and verifiable not only for your team but also for future assessors. It also helps identify gaps, demonstrate compliance, and facilitate continuous improvement.

Creating an SSP can be a time-consuming process, but here is the best way to approach it.

Step 1: Start with a Self-Assessment

The best way to get started in creating your organization’s SSP is to start with a self-assessment against the 110 NIST 800-171A requirements. This exercise will force you to review each control and take an inventory of what you have in place in terms of policy and technology. From there you can see which controls you already meet and which ones you still need to work on.

Step 2: Utilize an SSP Template

After completing a self-assessment, you should download one of the many SSP templates available online, like this one provided by NIST, and start writing the documentation for each control. Then you have the outline for your SSP. You can also utilize solutions like PreVeil’s Compliance Accelerator, which can cut down documentation work by 60%. It includes pre-filled SSP documentation that explains how a customer can meet NIST 800-171/A controls.

The disadvantage of attempting to create an SSP in-house is that there are many nuances to writing up the processes and creating the robust documentation you will need. Indeed, trying to do it on their own is where many contractors fail. A typical SSP, along with its supporting documentation, ranges from 80-120 pages. Without the help of training or a CMMC consultant, your SSP policies and procedures will likely not align because you are not implementing the processes you claimed to. As a result, your SSP won’t pass an audit.

Step 3: Identify the Controls

For CMMC Level 2, your SSP needs to go through the 110 controls of NIST 800-171 one by one and explain how you’ll satisfy each and every one of them. Each control can be satisfied by technology, policy or a combination of both.

Step 4: Address the Controls

If a control can be met by technology, the IT team can simply state that the control is met by a technology solution. If, however, the control is met by a training or an incident response plan, then explaining the process of how the organization meets those requirements becomes much more complex. Many contractors will turn to a certified consultant to assist. Whether you’re creating this in-house or you’re using a consultant, knowing exactly how controls can be addressed is helpful, which is why we’ve included an example below.

Example of How an SSP Addresses a Specific Control: AC.L1-3.1.22

This control states:

Control information posted or processed on publicly accessible information systems.

The policy could state:

  • No CUI or FCI will be posted on our public-facing websites
  • There are three roles that can post information on the company’s public facing website: Admin, Power user, Author
  • The Compliance Officer will review all materials before they are posted to the website
  • If FCI or CUI is accidentally posted (spillage), we will follow the procedure referenced in our Incident Response Plan – See Incident Response Plan (Document 21)

In addition, the organization will need to demonstrate that they have absorbed the lessons of this control and made it part of their standard behavior.

Example of How an SSP Addresses a Specific Control: CA.L2-3.12.4

CA.L2-3.12.4 provides a slightly more detailed example. The control states that contractors must:

Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

The supporting policy might state:

  • The organization will ensure that the SSP is updated, at least annually, and whenever necessary procedural updates are required.
  • The organization will only allow those resources with full background checks to act as Administrators. Those Administrators will be the only authorized resources to update the SSP.
  • The Acting Authority for the organization (i.e., the CEO, CISO, CTO, etc.) will finalize the SSP and the SSP will not be active until the finalization, via signature, of the Acting Authority.

The associated procedures documented within the SSP could then state:

  • The SSP will be updated every year, or as needed. To ensure this, the Administrator of the SSP will complete the Version History of the SSP to include:
    • The date the SSP was updated
    • Updates made to the SSP
    • Administrator responsible for the updates
    • Updated version number of the SSP
  • Administrators of the SSP will complete the following tasks before being eligible to update the SSP:
    • Complete a full Top-Secret Tier 5 background check that must be fully adjudicated (not Interim)
    • The Acting Authority assigns the resource with the Administrator role
      • The Acting Authority will assign the role of Administrator through the creation of a ticket in the internal company ticket system.
        • That ticket will then be routed to the IT Manager
          • The IT Manager will then update the Roles and Responsibilities matrix to ensure that the new Administrator’s information is correctly reflected
  • Once updates are completed for the SSP, the document will go through the document review process:
    • Document is sent via email or shared drive link to the authorized Document Reviewer listed on the Roles and Responsibility matrix.
    • The document reviewer will review the document and then submit it to the Acting Authority with any additional information required.
    • The Acting Authority will review the document and ask any questions or gain any additional clarification from the Administrator before ensuring that the document is signed and then disseminated to all stakeholders.

And this control is not unique in its complexity. Many of the NIST 800-171 controls require this level of detail in order to fulfill the requirements of building an accurate SSP and creating an SSP that could pass an audit.

Frequently asked questions about SSPs

Does my organization need an SSP?

Yes. If you’re a defense contractor handling CUI, you need an SSP. The CMMC Assessment Process (CAP) lists reviewing a CMMC SSP as the first step in a Level 2 assessment. Note that SSPs are not required (though they are best practice) for CMMC Level 1.

How often should an SSP be updated?

At least yearly, but also whenever significant changes occur to your:

  • System architecture or boundaries
  • Security controls implementation
  • Network topology or infrastructure
  • Personnel with security responsibilities
  • Policies and procedures

Changes to the SSP should be documented along with the date performed and the responsible party performing the change.

How to maintain an SSP?

Regular Reviews: Schedule periodic reviews (at minimum annually).

Change Documentation: Document all changes with dates and responsible parties.

Team Involvement: IT and security teams and responsible control owners should handle technical updates. Compliance officers can monitor regulatory changes, and leadership should approve all updates to the SSP document.

Living Document Approach: A system security plan is meant to be updated as the company changes anything substantive about its security posture. While it should be reevaluated at regular intervals, making updates as they come is best practice.

What’s the difference between an SSP and POAM?

The System Security Plan (SSP) and Plan of Action & Milestones (POAM) serve complementary but distinct roles in CMMC compliance. The main difference between a POAM and an SSP is that a POAM focuses on the corrective action taken to address risks while an SSP provides an overview of the security policies in an organization. The POAM is more action-oriented, while the SSP is more theory-based. Your goal is to eventually have an empty POAM as you achieve full compliance, while maintaining your SSP as a living document that evolves with your organization.

How is an SSP assessed?

The effectiveness of a System Security Plan (SSP) is evaluated by assessing its alignment with the security requirements outlined in NIST 800-171. Assessors for CMMC Level 2 will examine whether the plan thoroughly addresses potential risks and implements appropriate security controls across key areas, including access control, data protection, system hardening, incident response, and vulnerability management. This evaluation involves a combination of document reviews, system testing, and interviews with system administrators to validate the SSP’s accuracy and practical effectiveness.

PreVeil can reduce the need for expensive external consultants. We offer a Compliance Accelerator with pre-filled CMMC documentation, including an SSP, a customer responsibility matrix (CRM) and Plan of Action and Milestones (POA&M) for the controls that PreVeil doesn’t meet.

While PreVeil’s template still requires contractors to customize the SSP to how their environment works, the CRM saves contractors hundreds of hours of prep and consultant time. PreVeil’s documentation helps contractors know who is responsible for meeting each control, whether it is their organization, PreVeil, or AWS, for example. And the Compliance Accelerator includes a POA&M for the controls that still need to be met.

PreVeil can also assist contractors in finding a compliance expert who understands the CMMC landscape and can help their business work through their compliance questions. With PreVeil, customers have a partner, not just a solution.

If you’re a defense contractor, you must create an SSP in order to continue working with the Department of Defense (DoD). If you don’t already have a robust SSP that can stand up to an audit, then you’re already in breach of compliance.

Reach out to one of our compliance experts for a free 15-minute compliance consult or learn more about how to get a copy of PreVeil’s SSP.

ITAR Compliance: The Requirements You Need to Know https://www.preveil.com/blog/itar-compliance/ Tue, 03 Jun 2025 13:47:00 +0000

The International Traffic in Arms Regulations (ITAR), overseen by the Department of State, regulates the import and export of defense-related products listed on the United States Munitions List (USML). Compliance with ITAR is crucial for defense contractors and organizations managing these sensitive items, as they play a key role in protecting U.S. national security. Violating these regulations can lead to harsh penalties, including fines of up to $1 million per violation and imprisonment for up to 20 years.

In this blog, we’ll explore the key requirements for ITAR compliance, how to meet those requirements, the serious penalties of non-compliance, and strategies for protecting ITAR-controlled data.

For organizations and their subcontractors aiming for compliance with the International Traffic in Arms Regulations (ITAR), understanding the key compliance requirements is the first step. Here is the list of requirements your operations need to meet to ensure ITAR compliance:

All entities covered by ITAR must file a Statement of Registration with the State Department’s Directorate of Defense Trade Controls (DDTC). This requirement holds whether you plan to export products, services, or data. Registrations must be renewed annually and may be denied due to legal issues or bans related to ITAR activities.

The goal of ITAR compliance is to control the import and export of technical data, including software, part-drawings, and photos, related to USML items. Organizations are only allowed to share ITAR data with US persons. U.S.-based companies operating overseas must not share ITAR-protected technical data with local employees unless specifically authorized by the State Department. Limited exemptions exist for certain allies like Canada, the UK, and Australia.

Comply with reporting and recordkeeping requirements. Organizations must report any ITAR violations to DDTC. Organizations must also retain records for five years after the completion of the transaction and make these records available to DDTC upon request.

Before exporting or importing defense-related articles or data, secure the appropriate licenses from the DDTC. These licenses, which can last up to four years, should detail the recipient, final use, end-user, and destination country of the items.

Maintain awareness of the location of ITAR-controlled items and who accesses them. Record all transfers, noting the specifics of each new custodian and any subsequent movements.

ITAR compliance imposes stringent controls on storing and handling defense-related data. Cloud providers must enforce robust security measures such as encryption, stringent access controls, and continuous monitoring to safeguard data. They must also comply with strict data residency regulations to ensure all ITAR-sensitive data remains within the U.S.

The United States Munitions List

  1. Firearms and Related Articles
  2. Guns and Armament
  3. Ammunition and Ordnance
  4. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines
  5. Explosives and Energetic Materials, Propellants, Incendiary Agents, and Their Constituents
  6. Surface Vessels of War and Special Naval Equipment
  7. Ground Vehicles such as tanks or infantry fighting vehicles
  8. Aircraft and Related Articles
  9. Military Training Equipment and Training
  10. Personal Protective Equipment
  11. Military Electronics
  12. Fire Control, Laser, Imaging, and Guidance Equipment
  13. Materials and Miscellaneous Articles
  14. Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment
  15. Spacecraft and Related Articles
  16. Nuclear Weapons Related Articles
  17. Classified Articles, Technical Data, and Defense Services Not Otherwise Enumerated
  18. Directed Energy Weapons
  19. Gas Turbine Engines and Associated Equipment
  20. Submersible Vessels and Related Articles
  21. Articles, Technical Data, and Defense Services Not Otherwise Enumerated

Source: Code of Federal Regulations

The U.S. Department of State leaves it up to manufacturers to develop, implement and maintain their own compliance programs. There is no specific ITAR certification to obtain, only your responsibility of registering with DDTC and being compliant.

Use this compliance checklist to guide your program.

  1. Start with ITAR Compliance Training. Understand how ITAR applies to your USML goods, services, or data, and make sure you are meeting ITAR compliance requirements. First, review the USML list. All products and services related to items on the USML list are subject to ITAR compliance. Next, familiarize yourself with all the articles of ITAR, which consist of 11 parts. The regulations are deliberately designed for flexibility, so that you can adjust your security practices to your specific risk profile, as well as evolving technologies and national security threats.
  2. Ensure all organizations in your supply chain are ITAR compliant. It is your duty to ensure that all parties you share ITAR data with, including subcontractors, comply with ITAR. As part of this, you must ensure that you do not share data with any foreign persons without appropriate licensure, and never with anyone on the prohibited countries list.
  3. There is no formal certification process to become ITAR compliant. Unlike CMMC and other regulations, ITAR does not have a formal certification; instead, there are certain standards that companies are expected to comply with. It is your responsibility to ensure that your data handling processes are secure and protect national security interests. The hefty penalties levied against companies in breach of ITAR in recent years prove companies must take ITAR compliance seriously.
  4. Understand if exemptions apply to your organization. ITAR exemptions are very specific. Types of exemptions include public domain exemptions, technical data exemptions, and temporary importation of defense articles exemptions. Understand if any exemptions apply to your organization to avoid running afoul of ITAR.
  5. Report any ITAR violations that occur. Should an ITAR violation occur, accidentally or intentionally, it is your responsibility to report it immediately to DDTC.

Any U.S. company, research lab or university that engages in either manufacturing or exporting defense articles or furnishing defense services on the USML is required to register with the DDTC and comply with ITAR regulations. These requirements also extend to the company’s subcontractors and supply chain.

There are serious penalties for failing to obtain the specific licenses and documentation required for ITAR compliance. These can include civil fines of up to $500,000, criminal fines of up to $1,000,000, and up to 10 years’ imprisonment per violation.

Failure to Register: Manufacturing items listed on the U.S. Munitions List (USML) without proper registration is illegal.

Lack of Technical Data Licenses: Organizations must obtain appropriate approvals and licenses to export technical data or defense services related to firearms and ammunition.

Incorrect Documentation: Errors in documents, such as DDTC license applications or registration forms, can result in ITAR or customs violations.

Failure to Vet Other Parties: ITAR data must not be sent to parties that are barred from handling it.

Uncontrolled Technical Data: It is prohibited to transfer or disclose technical data to foreign persons within the United States without the required licenses.

Willful Non-compliance: Deliberate failure to adhere to ITAR regulations is taken especially seriously and may result in harsher penalties or additional charges.

ITAR Violation Example

Boeing Fined $51 Million for Multiple Violations of ITAR and AECA Regulations

The Boeing Company recently agreed to pay a $51 million civil penalty for violating U.S. export regulations, specifically the International Traffic in Arms Regulations (ITAR) and Arms Export Control Act (AECA). According to the DDTC, Boeing is guilty of:

  • Unauthorized exports and transfers of controlled technical data to foreign-person employees and contractors
  • Unauthorized exports to the People’s Republic of China
  • Violation of export license terms, conditions and provisos present on DDTC export authorizations
  • Failure to implement promised corrective actions

Before March 2020, organizations were required to store all ITAR technical data on U.S.-based servers managed by U.S. persons, primarily using on-premises storage solutions. In March 2020, however, the State Department acknowledged advances in cybersecurity that could enhance operations without jeopardizing national security. Consequently, it issued 22 CFR 120.54, also known as the ITAR Carveout for Encrypted Technical Data. This regulation allows defense companies to use end-to-end encryption to transmit, store, and share unclassified ITAR technical data without needing an export license, provided they adhere to the following criteria:

  1. Data Classification: The data must remain unclassified.
  2. Encryption Standards: Data must be secured using end-to-end encryption compliant with FIPS 140-2 or its successors.
  3. Security Measures: The data must not be decrypted at any point from origin to recipient, nor can decryption means be provided to any third parties, including cloud service providers. This ensures that only the intended recipient, who must be a U.S. person or someone authorized under ITAR, has access to the decryption keys, network access codes, or passwords.
  4. Geographic Restrictions: The data must not be intentionally sent to or stored in countries restricted under ITAR regulations, nor sent from these countries.

The introduction of 22 CFR 120.54 allows organizations to shift from expensive on-premises data storage to more cost-effective, end-to-end encrypted cloud services. This update not only simplifies the management of ITAR data but also reduces the need for frequent import/export licensing for data sharing.

PreVeil’s Email and Drive platforms meet the rigorous requirements set by the State Department under the ITAR Carveout for Encrypted Technical Data. By leveraging state-of-the-art end-to-end encryption, PreVeil ensures that all user data remains protected throughout its lifecycle.

Robust Encryption Standards: At the core of PreVeil’s security architecture are FIPS 140-2 validated encryption algorithms. By relying on these algorithms, PreVeil is able to ensure that data is encrypted before leaving the user’s device and remains encrypted until it reaches the intended recipient; it is never decrypted on the server. This method effectively shields the data from unauthorized access, including from server attacks or insider threats.

Exclusive Access to Encryption Keys: Unique to PreVeil’s platform is the absolute control over encryption keys. No third party, nor any other organization, has access to the keys, network access codes, or passwords necessary for decryption. Only the recipient can decrypt the data, ensuring unparalleled security of sensitive information.

PreVeil Drive for Secure File Management: Users can encrypt, store, and share files containing ITAR-regulated data using PreVeil Drive. This platform integrates seamlessly with everyday tools such as Windows Explorer, Mac Finder, and web browsers, making it incredibly user-friendly while maintaining robust security.

PreVeil Email for Secure Communications: With PreVeil Email, users can continue to send and receive emails using their existing email addresses from services like Office 365, Gmail, or Apple Mail. The transition to using PreVeil’s encrypted email system is smooth and familiar, minimizing disruption and training requirements while enhancing the security of email communications.

Want to learn more about how to manage your ITAR data and meet compliance? Talk to our compliance experts.

PreVeil Achieves DoD FedRAMP Moderate Equivalency https://www.preveil.com/blog/preveils-fedramp-story/ Thu, 01 May 2025 12:39:00 +0000

The PreVeil platform — trusted by thousands of organizations to protect Controlled Unclassified Information (CUI) — just helped its 25th customer achieve a perfect 110 score on their CMMC assessment. This milestone further solidifies PreVeil as the leading solution for defense contractors seeking a proven, affordable path to CMMC compliance.

Underlying this success is the trust customers place in our FedRAMP Moderate Equivalent status. PreVeil is the first Cloud Service Provider (CSP) to meet the Department of Defense’s (DoD) stringent FedRAMP Moderate Equivalency requirement for CMMC and DFARS 7012 compliance. This significant accomplishment further reinforces PreVeil’s position as the leading solution for defense contractors seeking a proven path to CMMC and DFARS compliance.

FedRAMP Equivalent Requirement Background

The requirement for defense contractors to use FedRAMP equivalent cloud services to store and process Controlled Unclassified Information (CUI) stems from the DFARS 252.204-7012(b)(2)(ii)(D) clause, which states:

“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.”

DoD Definition of FedRAMP “Equivalent”

On December 21, 2023, the office of the CIO, US DoD, issued a memo defining the criteria for cloud service providers to be FedRAMP Moderate baseline equivalent (summarized below):

  • The CSP must demonstrate 100% compliance with the FedRAMP Moderate baseline controls, with no outstanding Plan of Action and Milestones (POAM), through an assessment conducted by an independent, authorized FedRAMP third party assessment organization (3PAO). No self-attestation is permitted.
  • The CSP must submit a complete Body of Evidence (BOE) for review to the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the DoD’s highest assessment organization. The BOE consists of:
    1. System Security Plan
    2. Security Assessment Plan
    3. Security Assessment Report performed by the FedRAMP assessor (3PAO)
    4. Evidence of Continuous Monitoring of the program, monthly and annually, validated by the 3PAO.

The DoD’s FedRAMP Moderate equivalency requirement is more rigorous than that for a FedRAMP ATO (Authorization to Operate), which typically does not require 100% compliance and allows POAMs. It is important to underscore that an ATO is not required for DFARS and CMMC; rather, it is a compliance criterion for cloud services deployed by government agencies.

PreVeil achieves FedRAMP Equivalency upon successful DIBCAC, CMMC PMO Review

For over three years, PreVeil has maintained a robust compliance program for all 325 FedRAMP Moderate controls for its end-to-end encrypted email and file-sharing service. Compliance was validated by annual assessments conducted by independent, accredited 3PAOs. Consequently, upon the release of DoD’s updated Equivalency criteria, PreVeil presented its latest 3PAO assessment report and BOE to DIBCAC. A team of DIBCAC assessors conducted a thorough, multi-week review of the BOE and notified the company that the DoD CIO, CMMC Program Management Office and DIBCAC concur that PreVeil meets the requirements for FedRAMP equivalency.

Enables Multiple PreVeil Customers to achieve 110/110 CMMC, NIST 800-171 Scores in DoD Assessments

PreVeil’s internal compliance credentials and encrypted email and file sharing products have enabled a rapidly growing number of customers to achieve 110/110 scores in NIST 800-171 and CMMC Joint Surveillance Assessments conducted by DIBCAC and CMMC 3PAOs. PreVeil utilizes its compliance expertise to provide detailed CMMC and NIST 800-171 documentation to our customers. Our documentation streamlines the process and reduces the cost and time required by our customers to achieve compliance. These successful assessments are the ultimate validation of the PreVeil solution’s benefits: compliance assurance, best-in-class security and low cost for defense contractors.

The post PreVeil Achieves DoD FedRAMP Moderate Equivalency appeared first on PreVeil.

]]>
Understanding CMMC Level 2 (Advanced) https://www.preveil.com/blog/cmmc-level-2-advanced-explained/ Fri, 25 Apr 2025 14:38:20 +0000

The Cybersecurity Maturity Model Certification (CMMC) is a crucial program for defense contractors. CMMC Level 2, referred to as Advanced, applies to the 80,000 organizations that handle Controlled Unclassified Information (CUI). It aligns with the existing Defense Federal Acquisition Regulation Supplement (DFARS) 7012 requirement by mandating that CUI be protected using the 110 controls defined in NIST SP 800-171.

This comprehensive guide provides insights into CMMC Level 2, its key requirements, and how to achieve compliance.

CMMC 2.0: Level 2 (Advanced) Requirements

Under CMMC 2.0, the ‘Advanced’ level (Level 2) has five key requirements.

1) Protect CUI Using NIST SP 800-171 Controls

Contractors must protect CUI using the 110 controls specified in NIST SP 800-171. These controls are grouped into 14 families of security requirements, which are further broken into 320 specific security objectives. For a deeper understanding of NIST SP 800-171, read our blog.

2) Compliance Will Be Determined via Third-Party Assessments

CMMC Level 2 requires a CMMC Third Party Assessment Organization (C3PAO) to validate compliance with NIST SP 800-171 controls. The fundamental purpose of the CMMC program is to avoid reliance on self-assessments.

3) FedRAMP Baseline Moderate

The cloud service must be FedRAMP Baseline Moderate Equivalent or have an Authorization to Operate (ATO). Contractors must determine whether their cloud service meets the FedRAMP requirement, either by checking the FedRAMP marketplace for an ATO or by seeking a letter of attestation for FedRAMP Equivalence from a certified FedRAMP 3PAO. The US Department of Defense established the requirements for FedRAMP equivalence in its December 2023 memo.

4) FIPS 140-2 Encryption

CUI must be encrypted using cryptographic modules validated to meet Federal Information Processing Standards (FIPS) 140-2. Organizations should seek a validation certificate from the cloud service and verify it on the NIST website.

5) Incident Reporting

Contractors must ensure that the cloud service complies with DFARS 7012 (c-g) requirements, including cyber incident reporting, malicious software handling, and media preservation and protection.

CMMC Relationship to DFARS 7012

CMMC and DFARS 7012 both establish the same compliance requirements for CUI. However, DFARS, which contractors must already comply with to fulfill their existing contracts, allows for self-assessments. In contrast, CMMC mandates evaluations by third-party assessors. This change addresses the deficiencies observed under DFARS, where self-assessments often led to inadequate protection of CUI.

CMMC Timeline

The CMMC Final Rule has been published and became effective on December 16, 2024. C3PAO-led CMMC assessments began in January 2025. Next on the CMMC timeline, the DoD will gradually increase the number of programs with CMMC requirements over 4 years, culminating in all applicable contracts requiring CMMC compliance.

Consequences of Non-Compliance

Contractors without a CMMC certification from a C3PAO will be ineligible for contract awards, ensuring that contractors take their responsibility to protect CUI seriously.

It is important to understand that even though CMMC will be phased in over time, it does not necessarily follow that you have more time to achieve CMMC certification. Your organization, for example, could be far down the supply chain from a contractor subject to CMMC in Phase 1, in which case that contractor must flow down CMMC requirements to your organization at that time.

CMMC Certification Duration and Reaffirmation Requirements

A CMMC Level 2 certification will last for three years. However, organizations must reaffirm their ongoing compliance annually. This reaffirmation must be formally signed off by a senior executive of the organization.

Level 2 compliance is not a one-time event; instead, CMMC requires ongoing revalidation. This requires updating compliance documentation and IT systems post-assessment. The executive reaffirmation will serve as a serious validation of ongoing compliance, with non-compliance or false declarations carrying legal consequences.

CMMC Assessment Guide

CMMC has a scoring system for each control based on the NIST SP 800-171A Assessment Methodology. Each of the 110 controls in NIST SP 800-171 is assigned a point value, leading to a total possible score of 110 points. However, due to the weighting of different controls, the actual point value for each control can vary significantly.

To be certified, an organization must achieve a minimum score of 88, which represents 80% compliance. However, it is crucial to understand that certain critical controls must be fully implemented. Here’s a breakdown:

1. Critical Controls:

These controls have higher point values and are considered foundational. Missing even one critical control can result in a significant reduction in the overall score and can disqualify an organization from certification. All critical controls must be met to achieve the minimum score.

2. Non-Critical Controls:

These controls generally have fewer points assigned to them but are still essential for a comprehensive security posture. Some of these controls can be part of the unmet controls, provided they do not cause the score to drop below 88 points.

Points are deducted for each unmet control, and the deductions can range from 1 to 5 points per control. Critical controls might result in larger deductions if not implemented.

Limited Duration Plan of Action and Milestones (POA&M) Allowed

CMMC 2.0 allows an organization to be compliant without a perfect 110 score. Unmet controls must be documented with a timeline for implementation in a Plan of Action and Milestones (POA&M). These POA&Ms must be addressed within 180 days of certification. This approach makes compliance more achievable without requiring perfection, especially for small and medium-sized businesses (SMBs).

In summary, achieving a minimum score of 88 is mandatory for CMMC Level 2 certification, but organizations must ensure all critical controls are implemented and have a clear plan for addressing any remaining gaps within the allowed timeframe.

CMMC Compliance Documentation Requirements

To demonstrate compliance, an organization must prepare detailed documents on how it protects CUI and ensure that personnel are trained to follow the appropriate policies and procedures necessary to secure CUI. The primary documents include:

1. System Security Plan (SSP):

The SSP document outlines the organization’s security posture, detailing the implementation of the 110 controls from NIST SP 800-171. The SSP should cover all aspects of the IT environment, including hardware, software, policies, and procedures.

2. Standard Operating Procedures (SOPs):

These documents provide step-by-step instructions on how specific security tasks are to be performed. SOPs ensure consistency in security practices and help personnel understand their roles and responsibilities in maintaining cybersecurity.

3. Plan of Action and Milestones (POA&M):

The POA&M document outlines the organization’s plan for addressing any unmet controls, including timelines and milestones for achieving full compliance. It is a critical component for organizations that do not achieve a perfect score initially.

4. Customer Responsibility Matrix:

This matrix delineates the responsibilities between the organization and its cloud service providers, ensuring clarity on who is accountable for various security measures.

5. Artifacts:

These are evidentiary documents that demonstrate the implementation of security controls. Artifacts can include logs, configuration files, audit reports, training records, and other evidence that supports compliance claims.

On-Premises C3PAO Assessments

Once the documentation is prepared, it is submitted to a C3PAO for review. The C3PAO will conduct a thorough on-premises assessment, which includes:

  • Document Review: Evaluating the submitted documentation to verify compliance with CMMC requirements.
  • Interviews: Conducting in-person interviews with key personnel responsible for IT and compliance functions. These interviews help assess the organization’s understanding and implementation of the documented controls.
  • Site Visits: Performing site visits to observe and verify the implementation of security measures in the organization’s physical and IT environment.

The DoD estimates that such assessments will take approximately 120 hours with three assessors. This intensive review process ensures that the organization’s cybersecurity practices are robust and compliant with CMMC Level 2 requirements.

How PreVeil Helps with CMMC Level 2 Compliance

Achieving CMMC Level 2 compliance can be costly, complex, and time-intensive. PreVeil offers a proven, three-step solution tailored for SMBs and utilized by over a thousand defense contractors. The solution not only simplifies the compliance process but also results in substantial cost savings, with organizations saving tens to hundreds of thousands of dollars. Numerous clients have successfully attained perfect 110/110 scores in their CMMC JSV assessments using this approach.

Key Benefits:

  • Significant Cost Reduction: PreVeil customers save 75% compared with GCC High.
  • Ease of Deployment and Use: Deploys in hours alongside existing IT systems such as O365 and GSuite. Support for existing workflows, both within the organization and with suppliers and partners, enables compliant collaboration without added complexity.
  • Unrivaled Security: Ensures top-tier protection for CUI communications.

Step 1: Secure Platform for Storing and Sharing CUI

PreVeil’s low-cost, end-to-end encrypted email and file sharing solution meets CMMC Level 2 requirements, including support for NIST 800-171, FedRAMP, FIPS 140-2 encryption, and DFARS 7012 (c-g) incident reporting. It deploys in hours and integrates seamlessly with existing O365 or GSuite systems, avoiding costly replacements and minimizing deployment expenses.

Step 2: Comprehensive Documentation

PreVeil reduces the effort and cost associated with preparing for assessments by providing detailed CMMC documentation. The C3PAO-validated documentation includes video tutorials that cover all 110 controls, streamlining the preparation process and significantly reducing documentation costs. Plus, get 1-on-1 support from our compliance experts if you get stuck.

Step 3: Partner Network and Expert Support

PreVeil has developed a strong network of certified CMMC consultants and MSPs to offer comprehensive compliance support, ensuring customers are fully prepared for assessments.

  • Consulting Services: Expert CMMC guidance throughout the compliance journey, from assessment to certification.
  • Managed Service Providers: Any external IT support required to maintain compliance.
  • C3PAO Pre-Validation: PreVeil’s consistent collaboration with C3PAOs enhances their familiarity with PreVeil systems and streamlines the assessment process, further reducing costs and minimizing assessment risks.

CMMC Assessment Guide: Navigating Your Compliance Journey https://www.preveil.com/blog/cmmc-assessment-guide/ Wed, 23 Apr 2025 18:52:00 +0000

CMMC assessments are no longer a distant requirement — they’re happening now. If you’re a defense contractor handling Controlled Unclassified Information (CUI), you’ll likely need to pass a CMMC assessment to win or keep government contracts. 

This blog is designed to help you navigate the CMMC assessment process. Whether you’re just starting out or preparing for an upcoming assessment, you’ll learn what assessors are looking for, how to prepare your documentation and systems, and how to avoid the most common mistakes that can delay certification.

Before diving into the assessment process, it’s important to understand what Cybersecurity Maturity Model Certification (CMMC) is and how it applies to your organization. CMMC is a cybersecurity framework developed by the U.S. Department of Defense (DoD) to ensure that contractors handling sensitive federal information — like Controlled Unclassified Information (CUI) — meet specific security requirements spelled out in NIST 800-171. NIST 800-171 has been a contractual obligation since 2017, and CMMC was designed to add an assessment component to the NIST standard to ensure compliance requirements are met.

CMMC consists of three compliance levels:

  • Level 1 (Foundational): Requires annual self-assessment against the 17 NIST 800-171 controls that apply to Level 1. Level 1 only applies to organizations handling Federal Contract Information (FCI), which is information not deemed critical to national security. For Level 1 self-assessments, a senior company official is required to affirm that the company is meeting all requirements for compliance. The company will also need to register these self-assessments and affirmations in the DoD’s SPRS.
  • Level 2 (Advanced): Level 2 is based on the 110 NIST 800-171 controls and applies to contractors handling CUI. A small fraction of Level 2 companies will be allowed to perform self-assessment, but over 95% will require third-party assessment by a CMMC Third Party Assessment Organization (C3PAO).
  • Level 3 (Expert): Companies handling the most sensitive information will need to meet Level 3 (Expert). Level 3 is based on the 110 controls of NIST SP 800-171 as well as a subset of requirements from NIST SP 800-172. To achieve Level 3, OSCs will first need to pass a Level 2 assessment by a C3PAO. The OSC will then be assessed for Level 3 readiness directly by the government.

Organizations handling CUI need to know that assessments have already begun. If you are a contractor or subcontractor that processes, stores, or transmits CUI as part of DoD contracts, CMMC compliance is not optional. You’ll either be required to submit a self-assessment score to SPRS or, more likely, undergo a formal third-party review by a C3PAO — depending on the nature of the contract.

The Importance of a CMMC Assessment

A CMMC assessment is not just a checkbox exercise — it’s a critical step toward securing your eligibility for DoD contracts and proving your organization can protect sensitive government data. The CMMC Final Rule was passed in December 2024 and assessments have been taking place since January of this year. As the CMMC program rolls out, more contractors and subcontractors will require proof of compliance, making assessments essential for staying competitive in the defense industrial base.

A CMMC assessment verifies that your organization has implemented the necessary cybersecurity practices and controls outlined in NIST SP 800-171 for Level 2. Assessors will review documentation, interview personnel, and evaluate your technical environment to confirm that your security posture aligns with the CMMC framework.

Achieving certification signals to Prime contractors and the DoD that your organization takes cybersecurity seriously. It can help:

  • Increase your eligibility for contract awards
  • Build trust with government and industry partners
  • Avoid the reputational and financial risks tied to security breaches or noncompliance

How to Prepare for a CMMC Assessment

Achieving CMMC compliance takes 9-12 months. It’s important to get started now on your compliance journey so you won’t become ineligible for government contracts.

Here are some of the important first steps you need to take to get ready for CMMC:

  1. Determine your CMMC level: Your defense contract will specify which CMMC level your organization will need to achieve. CMMC levels are based on the type of information your organization works with. Any organization that handles CUI will need to achieve at least Level 2.
  2. Familiarize yourself with CMMC: Begin by familiarizing yourself with the CMMC framework and the requirements of the level your organization needs to achieve.
  3. Scope your compliance boundary: The more you can limit your boundary, the easier it will be to maintain. In addition, scoping will allow you to achieve compliance more quickly and economically.
  4. Adopt a platform to protect CUI: Most organizations will need to employ new technology solutions to protect CUI. Remember that file sharing and email are how CUI is most often transmitted, both inside and outside of an organization. If you’re using Microsoft 365 Commercial, know that it does not support CMMC compliant communications. You’ll need to make a switch.
  5. Develop robust documentation: It’s not enough to simply protect CUI; you also must be able to prove that you’re compliant. That’s accomplished with detailed documentation such as your System Security Plan (SSP). An SSP is required by NIST 800-171 and is used to explain how your organization meets each of the 110 NIST 800-171 controls.

There are many further steps you’ll want to engage in to ensure you are ready for an assessment. These steps range from conducting a self-assessment to (potentially) working with an outside consultant. Get started with our step-by-step overview of how to prepare – see our CMMC Compliance Checklist.

The CMMC Assessment Process 

The CMMC Accreditation Board (CyberAB) has authored the CMMC Assessment Process (CAP) handbook to explain the assessment roles, responsibilities, requirements, and timeline. The CAP explains the four phases of the assessment.

Phase 1: Plan and prepare the assessment

In this step, the C3PAO will confirm that the Organization Seeking Compliance (OSC) has evidence to meet a substantial number of assessment objectives. The OSC will need to provide the results of a self-assessment along with a list of evidence, a robust SSP, a list of all the personnel involved in the procedures evaluated, and any other relevant documentation.

Phase 2: Conduct the assessment

In the assessment, the C3PAO will check the OSC’s fulfillment of every single compliance objective and control in NIST 800-171A. The C3PAO will then determine the final CMMC results on a binary scale of met/not met.

If the OSC assessment ends with at least 88/110 (80% of the CMMC Level 2 practices), the C3PAO has the discretion to allow the organization to use Plans of Action and Milestones (POA&Ms) as temporary stopgap measures for eligible controls that are not yet fully satisfied. Note that only a limited number of NIST controls are eligible for POA&M status. In addition, the organization must close out any POA&Ms within 180 days.

Phase 3: Report assessment results

The C3PAO shares the assessment results with the OSC and decides whether any unsatisfied controls can be addressed through a POA&M. If POA&Ms are allowed, the Lead Assessor identifies those controls, and the organization moves to Phase 4. If there are no POA&Ms, Phase 4 isn’t needed and the assessment wraps up.

Phase 4: Close out POA&Ms and assessment

If the OSC received a conditional CMMC Level 2 certification in Phase 3, the final step is to close every open POA&M within 180 days and have the C3PAO verify that they are closed out. Only then does the OSC receive its CMMC Level 2 certification.

3 CMMC Assessment Pitfalls and How to Avoid Them

The C3PAO assessments that have taken place since January 2025 have revealed several compliance shortfalls. Some of the most common ones include:

  1. System Security Plan (SSP) does not match what is done in practice: The first thing a C3PAO will review in your assessment is your SSP, which details how your organization is implementing every control and practice. Assessors want to make sure that what is written in your SSP is how the control is met in practice. Unfortunately, many organizations have one set of instructions in their SSP but meet the control in a different manner.
  2. Addressing 110 requirements versus 320 objectives: Assessors look at the 320 NIST 800-171 objectives to determine whether a requirement is being met. Unfortunately, OSCs have focused on meeting the top-level control rather than the underlying objectives.
  3. Organizations don’t realize that they need to maintain assessment readiness: Organizations have been focused on getting ready to pass their C3PAO-led assessment without making plans for how they will maintain their compliant status afterwards.

Check out our webinar, From the Frontlines: The First 60 Days of CMMC Compliance, to learn from leading C3PAOs about the challenges they see OSCs running into as they go through CMMC assessments.

How PreVeil Can Help Achieve CMMC Compliance

If your organization handles CUI and wishes to stay in the Defense Industrial Base, then you will need to become CMMC compliant. PreVeil can help.

PreVeil is the leading solution for CMMC compliance. Trusted by over 1,600 small and midsize defense contractors, PreVeil’s solution has proven successful in getting 15+ contractors and C3PAOs perfect 110 scores in tough DoD audits.

  1. Technology Platform: Our Email and Drive platform protects CUI with end-to-end encryption and meets FedRAMP Moderate Equivalent, FIPS 140-2 and DFARS 7012 c-g.
  2. Compliance Accelerator: We provide pre-filled CMMC documentation, assessor-validated videos and 1:1 support from our compliance experts.
  3. Partner Network: We support your organization through the entire compliance journey – from prep to assessment – with our network of CMMC consultants and auditors.

PreVeil’s proven solution has been used by over 25 defense contractors and C3PAOs to achieve perfect 110 scores in CMMC and DoD assessments.

The post CMMC Assessment Guide: Navigating Your Compliance Journey appeared first on PreVeil.

Understanding C3PAOs in the CMMC Ecosystem: What They Are and How to Choose One https://www.preveil.com/blog/top-c3paos/ Tue, 22 Apr 2025 20:39:57 +0000


The Department of Defense (DoD)'s Cybersecurity Maturity Model Certification (CMMC) became effective in December 2024. It is designed to ensure that government contractors maintain strong cybersecurity practices when handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

A key part of the CMMC ecosystem is the CMMC Third-Party Assessment Organization (C3PAO), which conducts independent assessments of companies to ensure compliance with CMMC requirements. Whether you are looking to become a C3PAO or need a C3PAO to perform your CMMC assessment, this guide will provide everything you need to know.


What is a C3PAO?

A C3PAO is an entity accredited by the Cyber AB to conduct official CMMC assessments. These organizations are responsible for evaluating Organizations Seeking Certification (OSCs) to determine whether they meet the cybersecurity standards mandated by CMMC.

C3PAOs employ trained Certified CMMC Assessors (CCAs) and Certified CMMC Professionals (CCPs) who conduct assessments based on the CMMC Assessment Process (CAP) guidelines. The role of a C3PAO is critical, as its assessments determine whether a company achieves CMMC certification and can therefore bid on and maintain government contracts that involve Controlled Unclassified Information (CUI).

Why Are C3PAOs Important?

  • Ensuring Compliance: C3PAOs verify that defense contractors follow CMMC-required cybersecurity practices, reducing the risk of cyber threats.
  • Standardized Assessments: As independent third parties, C3PAOs ensure assessments are consistent and objective.
  • Securing the Supply Chain: By enforcing strong cybersecurity measures, C3PAOs help strengthen the Defense Industrial Base's (DIB) resilience against cyberattacks.

Details of a C3PAO CMMC Assessment

A C3PAO-led CMMC assessment is a structured process that evaluates whether an organization meets the cybersecurity requirements of CMMC Level 2. The assessment process typically follows these stages:

1. Pre-Assessment Preparation

Before engaging a C3PAO, an organization should conduct an internal review to identify cybersecurity gaps. Many companies hire a Registered Practitioner (RP) or CMMC consultant to help prepare.

2. Readiness Review with C3PAO

Before investing in a CMMC assessment, you will want to know exactly how much time and money it will take to meet the compliance standards. Moving forward without knowing the costs that might arise can cause unwanted financial surprises, so a readiness review with a C3PAO is a smart idea.

3. CMMC Assessment 

Once an OSC is ready, the formal C3PAO assessment begins:

  • Initial Documentation Review: Assessors review policies, procedures, and system security plans (SSP).
  • Interviews with Key Personnel: The C3PAO interviews employees responsible for cybersecurity policies and implementation.
  • Testing Security Controls: The C3PAO validates cybersecurity measures by observing system operations.
  • Remediation Period (if needed): If the OSC falls short of the necessary 110 requirements, it has 10 days post-assessment to correct any deficiencies, regardless of its score. During this 10-day period, the OSC should strive to reach 110 if possible, to avoid paying for a follow-up close-out assessment. If the OSC can't reach 110, it should at least achieve 88 without missing any of the required controls. So long as it does this, the OSC is then afforded 180 days to close the remaining gaps and reach 110.
  • Final Assessment Report: The C3PAO provides a report to the Cyber AB, which then determines certification status.

4. Certification and Beyond

  • If an OSC passes, the certification remains valid for three years, with annual self-attestation.
  • If an OSC fails, it must remediate deficiencies and reapply for a new assessment.

How to Become a C3PAO

If your organization wants to become a C3PAO, you must meet the Cyber AB's eligibility requirements and follow these steps:

1. Meet Initial Requirements

  • Your company must be legally registered in the United States.
  • You must undergo a Foreign Ownership, Control, or Influence (FOCI) evaluation.

2. Apply for C3PAO Status

  • Submit an application to the Cyber AB.
  • Complete a background check.
  • Provide proof of liability insurance.

3. Hire Certified Assessors

To become a C3PAO, your organization must meet the minimum staffing requirements set by the Cyber AB.

4. Pass a DIBCAC Assessment

The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) must validate that your organization meets security standards in order to achieve CMMC Level 2 compliance.

5. Pay Fees and Maintain Compliance

C3PAOs must pay annual fees to the Cyber AB and renew their certifications regularly.


How to Choose a C3PAO for Your CMMC Assessment

Choosing the right C3PAO is crucial to a smooth CMMC assessment. Here’s what you should consider:

1. Verify Accreditation

Ensure the C3PAO is officially listed in the Cyber AB Marketplace to confirm its accreditation.

2. Consider Industry Experience

Look for C3PAOs with experience in your specific industry to ensure they understand the unique cybersecurity challenges in your sector.

3. Evaluate Their Assessment Approach

Some C3PAOs offer pre-assessment readiness services, while others focus only on final assessments. Clarify what is included before signing a contract.

4. Check for Conflicts of Interest

A C3PAO cannot assess your company if it has previously provided consulting services to you.

5. Compare Costs and Timelines

C3PAO assessments can be expensive. Get multiple quotes and consider assessment timelines before choosing.


Top C3PAOs

The best C3PAO for your company is probably one that is familiar with your tech stack, ensuring it has the expertise to assess compliance and move through the process smoothly.

If you're a PreVeil customer, check our Partner Marketplace for Preferred C3PAOs. Each is accredited by the Cyber AB and vetted by our compliance team, so they're familiar with our technology and documentation, which saves you time and money.


Learn More about CMMC 

A CMMC certification is essential for government contractors handling CUI and FCI, and C3PAOs play a crucial role in ensuring compliance. Whether you're seeking CMMC certification or considering becoming a C3PAO yourself, understanding the CMMC assessment process, its requirements, and the available C3PAOs will help you navigate the system successfully. If you're ready for a CMMC assessment, start researching accredited C3PAOs today to ensure you meet DoD compliance requirements.

The post Understanding C3PAOs in the CMMC Ecosystem: What They Are and How to Choose One appeared first on PreVeil.
