About the Organization
Contractor: Aretum is a 700-person government technology contractor serving federal and defense customers across IT, cybersecurity, cloud infrastructure, and compliance, with a growing portfolio of CMMC-relevant defense contracts.
Technology: PreVeil provides end-to-end encrypted email and file sharing purpose-built for CMMC compliance, with native Microsoft integration and a shared responsibility matrix mapping directly to all 110 CMMC controls.
Partner: MCGlobalTech is a security program development firm with ten years in the defense industrial base. Lead CCA and CISO William McBorrough has sat on both sides of the assessment table and builds every program around long-term sustainability, not just audit readiness.
The Challenge: Reshaping What Exists Without Breaking It
A mature IT environment is an advantage going into CMMC. It is also a complication. The challenge at Aretum was not building from scratch. It was figuring out what needed to change, and what did not.
Only a subset of Aretum’s employees touch CUI. Bringing 700 people into compliance scope was never the right answer. The goal was a tight boundary around the users who actually handle controlled information, which required mapping the full CUI data flow before any technology decision was made.
Marian’s first instinct was GCC High. The operational reality stopped that quickly. A company-wide migration would mean two tenants with no interoperability, two accounts per user, and licensing costs three to four times higher than current spend.
“When I went deeper into GCC High, I found many roadblocks. Not everybody in my company is touching CUI… you end up with two tenants. It could be like three or four times the spending on licenses, which is already high.”
Marian Dawoud
IT Director, Aretum
An enclave was the only path that made sense. The question was which technology, and which partner, would make it work.
The Solution: PreVeil, the Right Partner, and a Program Built to Last
The Solution: PreVeil, the Right Partner, and a Program Built to Last
MCGlobalTech started with a CUI management strategy, not a gap assessment. Mapping the data flow first defined the scope, and scope determined everything else, including a point too many organizations miss: the compliance program has to be something the team can actually sustain long after the audit.
PreVeil handled encrypted email and file sharing under one platform, integrated natively with Outlook, and licensed per CUI user. No large onboarding fees, no company-wide disruption. Aretum’s existing Microsoft stack covered the endpoint side. PreVeil’s shared responsibility matrix mapped directly to CMMC controls, making documentation concrete from day one.
“Being able to demonstrate how PreVeil met the CMMC requirements was one of the easier parts of the process.”
Marian Dawoud
IT Director, Aretum
MCGlobalTech then guided the nine-month program build, meeting with Aretum as often as twice a week. SOPs were run for one to two months before the assessment so evidence was real, not staged. Every artifact was shared with the C3PAO in advance. A mock assessment was completed before the official audit.
“I can confidently say that if Marian would have audited today she would pass. And the reason was that it took us nine months ensuring that all of the requirements we documented can be operated in a way that is sustainable.”
William McBorrough
Lead CMMC Assessor and CISO, MCGlobalTech
Results: CMMC Level 2 Certified, Perfect Score
Aretum achieved CMMC Level 2 certification well ahead of the November 2026 phase-in deadline, with results that reflected the depth of preparation behind them.
- 110 out of 110: A perfect score across all CMMC Level 2 controls and 320 assessment objectives. No findings. No remediation.
- One day: The interview and test phase completed in a single day. Most organizations spend a full week, often with follow-up homework extending beyond it.
- Ahead of schedule: Certification achieved well before the November 2026 deadline, giving Aretum a competitive edge on government contracts.
For Marian, the certification has already changed how Aretum responds to contract requirements. When proposals arrive with security questionnaires or documentation requests, she pulls directly from the artifacts built during the CMMC process. The compliance work did not just produce a certificate. It produced an organized, accessible security program that serves the business every day.
Why This Matters for Defense Contractors
Most enterprise contractors assume CMMC will be manageable because they already have infrastructure and policies in place. What they find is that existing controls and a sustainable, auditable compliance program are two different things. That gap is where assessments fail.
Aretum closed it by getting three things right: the right technology in PreVeil, the right partner in MCGlobalTech, and an internal commitment to building something that would hold up long after the auditor left. That is not a complicated formula. But it requires intention, and most organizations skip at least one piece.
For contractors evaluating their own path to CMMC Level 2, Aretum’s engagement is the model. Scope it right, pick technology built for auditability, work with a partner who thinks like an assessor, and operate the program before you audit it. The results are replicable.
About PreVeil
PreVeil provides end-to-end encrypted email and file sharing designed to help defense contractors achieve CMMC compliance. PreVeil’s CUI enclave integrates seamlessly with Microsoft environments, reducing compliance scope and cost while enabling a faster, cleaner path to certification. Over 85 PreVeil customers have achieved perfect 110 scores on their CMMC assessments.
Ready to start your CMMC journey?
