PreVeil Email and Drive is trusted by thousands of organizations to protect their CUI and has helped over 100+ organizations achieve CMMC Level 2 certification.
Today, we’re proud to announce that PreVeil’s Managed Service offering, which includes our VDI environment and Email Relay, has passed its CMMC Level 2 assessment with a perfect 110 score. This certification demonstrates that our offering meets the rigorous standards of a C3PAO assessment and allows our customers to approach their own assessments with full confidence in the architecture.
PreVeil VDI: The Fastest Path to CMMC
With the Phase 2 of the CMMC rollout starting in November, PreVeil designed a new offering for organizations that needed to get compliant quickly: a VDI purpose-built for CMMC that inherits 79/110 controls and enables customers to achieve CMMC in 110 hours.

When PreVeil deploys a VDI environment, it acts as a “Managed Service Provider” or MSP. We designed the compliant environment and provision replicas of it for each VDI customer, then hand over the keys, so the customer owns and runs the tenant. It was precisely this PreVeil-managed environment that passed assessment.
We built this environment as if we were handling CUI ourselves, then became its first customer by putting it through a full assessment,
said Gregg Laroche, VP of Product at PreVeil. “It’s just like we built a restaurant, had the health department come in and check everything out. Now, when we ‘franchise’ our setup by standing up the same environment for our customers, assessors already know that it has passed muster. They’re starting from an environment that’s already been assessed and approved for CUI.”
Certifying the VDI architecture validates the shared responsibility model that is the core of the offering. Because the assessed environment and the environment we provision for VDI customers are the same, the 79 controls the customer inherits from PreVeil are already assessed and certified. A customer’s own assessor can rely on PreVeil’s certification — meaning they need not re-examine the already certified controls. What’s left for the customer is the smaller set of controls they own or share, all documented up front in the SRM.
Because PreVeil’s C3PAO partners are familiar with the environment, they can offer assessments at a reduced rate. As Dan Ciarlette, CTO and a Lead CMMC Assessor at DeMase-Tech, puts it:
PreVeil’s VDI is a game-changer. It keeps endpoints out of scope, so there’s far less for me to assess and clients get certified faster and more cost-effectively.”
Two roles, Two Certifications: CMMC Level 2 and FedRAMP Moderate Equivalency
This CMMC L2 certification is distinct from the FedRAMP Moderate Equivalency PreVeil maintains as a cloud service provider, which is unchanged and continues to cover PreVeil Email and Drive.
In addition to covering the PreVeil VDI, the CMMC L2 certification also covers PreVeil Email Relay, a managed service that streamlines the transmission of CUI over email. The Relay bridges a PreVeil environment to an external party’s existing compliant email system — such as a government agency or a prime running GCC High — so both sides can collaborate seamlessly and CUI never leaves the complaint boundary.
The two certifications reflect the two roles PreVeil plays: the cloud service behind our encrypted email and file collaboration software, and the managed environment behind PreVeil VDI and Email Relay.
Why this matters now
CMMC Phase 2 begins in November, and over 100 contracts representing tens of millions in solicitations now require certification as a condition of contract award. Contractors needing a faster path to compliance can now choose PreVeil VDI with confidence.
More than 100+ defense contractors have achieved CMMC compliance with PreVeil. These successful assessments are the ultimate validation of the PreVeil solution’s benefits: compliance assurance, best-in-class security, and low cost for defense contractors.