The Challenge: GCC High Wasn’t Working
“We had a GCC High VDI environment. Users had to log into a separate virtual desktop, separate app, separate SharePoint, separate everything. And we were seeing a lot of signs of spillage and low utilization — we knew there was stuff going on and we weren’t seeing it.”
Director of IT & Information Security
This contractor was serious about compliance — ISO 27001 certified, mature SSP, dedicated IT and information security team. They started where many legacy defense contractors do: GCC High.
It didn’t work.
Users Hated It: Employees had to log into a separate virtual desktop to access CUI & the IT team could see the results in the logs: Only 1 login per day & signs of spillage into the commercial environment. People weren’t using it.
Twice the Cost: Running two parallel Microsoft tenants meant paying for two sets of licenses for a significant portion of the workforce- plus the operational burden of administering a second tenant.
Assessment Risk: When the contractor ran their mock assessment on the GCC High environment, the audit logs told the story: Sparse activity & low engagement — it was a utilization problem, and no amount of policy can fix that.
They needed a different approach.
The Solution: PreVeil + Commercial Microsoft 365
In May 2025, the contractor switched to PreVeil + commercial M365. Users kept their existing devices, email clients, and workflows. CUI moved through PreVeil’s end-to-end encrypted environment for the 50 users in the CUI enclave. Everything else stayed commercial. The results in the activity logs were immediate. Where the GCC High logs showed one login per day, PreVeil showed dozens of entries per hour — exactly what assessors expect from a system employees actually use.
How They Got Compliant — Without Outside Help
No MSP. No compliance consultant. Five internal people.
The team folded PreVeil’s SSP language directly into their existing documentation rather than starting from scratch. PreVeil’s technical white paper was particularly useful in building the evidence package. For scoping, they adapted PreVeil’s publicly available scoping diagram — submitted to the C3PAO and approved without pushback.
CUI spillage prevention was built in layers: Microsoft Purview DLP policies flagged or quarantined emails and files containing CUI markings (drawn from DoD CIO guidance), acceptable use policies covered the user side, a spill response procedure went into the incident response plan, and Teams recording and transcription were disabled to address verbal CUI handling.
The Assessment
The CMMC assessment took 3 days on Zoom calls, working through all 320 objectives. With help from the PreVeil documentation, every artifact had a clear, documented answer. At the end of day three, they had some unmet objectives — but every one of them was closed within the 10-day remediation period.
Final score: 110/110.
The Numbers
| Microsoft GCC High | PreVeil | |
|---|---|---|
| User Experience | Separate VDI, separate apps | Works inside existing tools & workflows |
| Utilization | Low (1 login/day in audit logs) | High (dozens of entries/hour) |
| Total Solution Cost | Baseline | ~50% less |
| Used in CMMC Certification? | No | Yes |
What They’d Tell the Next Organization
Get organizational buy-in before you start. The biggest delays weren’t technical — they were human. Management underestimating the level of effort, users pushing back on workflow changes. CMMC changes how people work with CUI. That has to be a company-level commitment, not just an IT project.
Lock down scope before you build. Every scope change meant reworking documentation and starting sections over.
The certification opened pipeline opportunities that had been stalled pending the credential. The investment paid off faster than expected.
About PreVeil
PreVeil provides end-to-end encrypted email and file sharing designed to help defense contractors achieve CMMC compliance. PreVeil’s CUI enclave integrates seamlessly with Microsoft environments, reducing compliance scope and cost while enabling a faster, cleaner path to certification. Over 85 PreVeil customers have achieved perfect 110 scores on their CMMC assessments.
Ready to start your CMMC journey?
