Who Is Acme?
Acme is a representative sample company created by PreVeil to demonstrate how a typical Defense Industrial Base (DIB) contractor — 20 employees, several working remotely or on-site at government facilities, with one internal resource focused on CMMC — can achieve CMMC Level 2 compliance efficiently and affordably.
Acme’s security procedures and documentation were developed using PreVeil’s Compliance Accelerator, a package designed to help real organizations follow the same proven model that has helped 50+ contractors achieve perfect 110/110 CMMC scores. Every piece of Acme’s documentation — from procedures to the System Security Plan (SSP) — has been reviewed by a C3PAO, making it both assessment-ready and assessor-validated. By understanding Acme’s story, defense contractors will be better equipped to handle CMMC readiness and compliance.
Acme’s Tech Stack
At the heart of Acme’s compliance architecture is PreVeil, which serves as the company’s secure enclave for all CUI files and secure emails. PreVeil is used exclusively for processing, storing, and transmitting CUI, satisfying key NIST 800-171 controls related to encryption, access control, and data transmission. PreVeil is deployed alongside a standard commercial Microsoft M365 tenant that handles non-CUI data.
PreVeil’s end-to-end encryption is validated to FIPS 140-2 standards, and its compliant cloud backend — which is FedRAMP Moderate equivalent — ensures that even PreVeil cannot access customer data. By isolating all CUI activity within PreVeil, Acme dramatically reduced its compliance scope: only five users and their five company-managed devices fall within the CUI boundary.
Supporting that enclave are common Microsoft tools that address the remaining CMMC control areas:
- Microsoft Intune manages the endpoints within scope, enforcing OS-level encryption, configuration baselines, MFA, and device compliance
- Microsoft Entra ID provides identity and access management — enabling least-privilege access and conditional policies for CUI users.
- Additional Microsoft security layers — including Defender for Endpoint, BitLocker, and Authenticator — round out CMMC control coverage for endpoint protection, encryption at rest, and multifactor authentication.
- A locked CUI filing cabinet stores printed CUI—the CUI printer and filing cabinet never leave the locked office.
The result is a clean, CMMC-aligned architecture that’s easy to manage and cost-effective.
Acme’s CUI flow diagram
Acme’s All-In Pricing
Acme’s goal was to achieve CMMC compliance without excessive cost or complexity. Crucial for their efforts was limiting their CUI scope through PreVeil. Their investment broke down as follows:
- Microsoft 365 Business Premium (20 users): $5,300/year
- PreVeil (5 users): $6,400/year, including admin licenses, Accelerator and Documentation
- CMMC Third-Party Assessment (C3PAO): $30,000 every three years
In total, Acme spent about $11,700 in annual recurring software costs and $30,000 for its C3PAO assessment. Because they leveraged a PreVeil preferred C3PAO, their triennial assessments go smoothly and cost them less than the industry average.
For about $42,000 in the first year, Acme built a compliant CUI enclave capable of supporting DoD contracts.
Acme’s Timeline to Certification
Because Acme used PreVeil’s Compliance Accelerator and maintained a small, well-defined CUI scope, the company was able to set up a compliant environment quickly. One Acme employee worked part time on CMMC. The entire process — from initial scoping to successful assessment — took roughly six months.
- Month 1: Installed PreVeil, defined CUI boundary, reviewed DFARS clauses, and familiarized the team with NIST 800-171 and CMMC Level 2 controls with the help of PreVeil’s Compliance Accelerator.
- Month 2: Conducted a self-assessment, identified gaps, and created a Plan of Actions and Milestones (POA&M).
- Months 3–4: Implemented missing controls, documented the System Security Plan (SSP), and gathered supporting artifacts.
- Month 5: Completed an internal readiness review and finalized documentation.
- Month 6: Engaged a C3PAO to schedule formal assessment.
This structured, focused approach allowed Acme to move efficiently through the CMMC process with just one internal resource working part time on compliance.
Conclusion
Acme’s story demonstrates that CMMC compliance doesn’t have to be overwhelming. By using PreVeil’s secure enclave to handle all CUI and leveraging familiar Microsoft tools — which many defense contractors have included with their Microsoft licenses — Acme achieved certification in six months at a fraction of the cost many contractors expect.
The Acme documentation, included with PreVeil’s Compliance Accelerator, gives real companies a head start on their own journey. It’s assessment-ready, assessor-validated, and has been successfully used in CMMC assessments.
CMMC is no longer a distant goal on the horizon. It is here. Requirements started entering government contracts on November 10th. Because Acme achieved CMMC certification with a perfect 110/110 score, they are eligible to bid on those contracts.
Behind on CMMC? Don’t know how to get started? Check the links below.
