Organization Stats
- Organization Size: 40+
- Scope: Enclave (3 assets, 3 users)
- Assessment Level: CMMC Level 2
- Boundary Type: Enclave
- Architecture: Full Cloud (Using PreVeil with Cloud Locking)
- Cloud Services:
  - M365 Commercial (Azure, Entra ID, Purview, + Intune) for Endpoint Protection
  - PreVeil (AWS GovCloud) for CUI storage, processing, and transfer.
- C3PAO: StrategicIT Solutions
- Cert Status: 110/110
The Assessment Experience
“Initially, we reached out to several C3PAOs to assess the status of our preparation for the final assessment. After conference calls with different C3PAOs, we decided to proceed with the final assessment. Since we were using PreVeil, it was essential to find a C3PAO that understood the PreVeil system, which we located through PreVeil’s partner portal.
We did not utilize RPOs and opted to skip the mock assessment, going directly to the final assessment. The only ESP/CSPs we used were M365 and PreVeil. We manage our own system, so we didn’t need an MSP.
It is crucial for OSCs to clearly identify the flow of Controlled Unclassified Information (CUI), CUI assets, CUI users, and both external and internal boundaries. This clarity makes it easier for auditors to understand your CUI protection system. When these aspects are well-defined, it simplifies controlling who can access specific systems through conditional access policies.
Our C3PAO was quite flexible regarding the artifacts we provided for the non-technical domains, but they were very strict about the technical domains. In the technical domains, there is no ambiguity; you either have the necessary controls in place or you don’t. The proof is in the pudding.
Additionally, present the controlling, protecting, and monitoring of your external and internal boundaries in a straightforward manner. Auditors prefer not to see unnecessary or non-CUI-related information in the procedures or System Security Plan (SSP), so avoid including that information.
We spent the majority of our time implementing controls for endpoint protection on CUI assets. Thanks to the built-in protection features offered by PreVeil, such as Cloud Lock, we didn’t have to worry about the storage, processing, and transmitting of CUI on CUI assets. Protection of data at rest and in transit was effectively handled by PreVeil’s proprietary communication channels. We didn’t need to explain how PreVeil was interfacing with the AWS GovCloud; they already knew how it operated.
For us, using PreVeil and selecting a PreVeil-experienced C3PAO worked out.”
The Result: Clean Assessment + Perfect Score
Final Score: 110/110 (CMMC Level 2 Certification Score)
Self-managing a CMMC implementation is achievable, but it requires discipline. This contractor’s success came down to a few decisions that compounded: scoping the enclave tightly, mapping CUI flow clearly before the assessment, and choosing a C3PAO already familiar with PreVeil’s architecture. Assessors needed no explanation of how the platform worked, which kept the technical domains moving cleanly.
PreVeil’s Cloud Locking handled data protection at rest and in transit out of the box, which meant implementation effort could stay focused on endpoint hardening rather than engineering CUI controls from scratch. No RPO, no MSP, no mock assessment — just the right architecture and a clear scope.
“We did not utilize RPOs and opted to skip the mock assessment, going directly to the final assessment. The only ESP/CSPs we used were M365 and PreVeil. We manage our own system, so we didn’t need an MSP.”

u/Good4Next3years
Reddit User