The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) framework begins rolling out this year, with CMMC requirements expected to be built into as many as 15 “pathfinder” contracts for primes. It’s estimated that each prime contract will have roughly 100 subcontractors, meaning that up to 1,500 primes and subcontractors will need to comply with CMMC in order to do work for the DoD on those first contracts.

From there, CMMC implementation will pick up speed. DoD intends to increase the number of prime contracts that include a CMMC requirement based on the following targets:

By the beginning of FY2026, DoD plans to have incorporated required CMMC levels into all its contracts. For the time being, all defense contractors will need to achieve the specified CMMC level by the time of contract award. As the program is more fully implemented, though, CMMC certification is likely to be required in order to bid. In any case, CMMC certification will serve as the basis of “go/no go” decisions for awarding defense contracts.

CMMC Level 3

The DoD has said that the FY2021 pathfinder contracts will focus on mid-sized projects that require the contractor to achieve CMMC Level 3. Primes will be required to flow down the appropriate CMMC requirement to their subcontractors.

CMMC Level 3 applies to contractors that process or store CUI (Controlled Unclassified Information) and requires that organizations demonstrate “…a basic ability to protect and sustain an organization’s assets and CUI.”

The figure below summarizes the basic characteristics of the five CMMC levels:

Achieving CMMC Level 3 compliance with Google Workspace

Given its lack of cybersecurity controls, it is clear that Google Workspace is not CMMC compliant. But that doesn’t mean your company has to go through a time consuming or costly disruption to switch to another communication and collaboration service. Instead, there’s a more secure, easier, and less expensive path to CMMC compliance: PreVeil Email and Drive, which can be layered over Google Workspace.

PreVeil’s security architecture was built on Zero Trust principles, grounded in world-class end-to-end encryption. With PreVeil, email, files and data are never decrypted on any server anywhere. Even PreVeil’s servers can’t see your data. If attackers breach a server, all they will get is useless gibberish.

PreVeil provides end-to-end encryption for email and file sharing at a fraction of the cost of alternatives. PreVeil needs to be deployed only to your employees who handle CUI, whereas alternatives require deployment across an entire organization. And as explained below, PreVeil makes configuration and deployment simple and inexpensive, with no need to rip and replace your existing infrastructure. Your employees don’t even need to change their Gmail address.

PreVeil’s straightforward solutions also help you avoid expensive CMMC consultant engagements, which are par for the course for alternatives to CMMC compliance.

In short, you can continue to use Google Workspace and comply with CMMC requirements by leveraging technological advances that enable end-to-end encryption and other CMMC-mandated security controls.

PreVeil Email, as demonstrated in the video below, lets your employees send and receive encrypted emails containing CUI using their existing Gmail address, all while maintaining CMMC Level 3 compliance. It integrates seamlessly with Gmail, and works on browsers and mobile devices. The installation process automatically creates a new set of mailboxes for your encrypted messages. Messages in these new mailboxes are encrypted and stored on PreVeil’s servers. There are no changes to the mailboxes already in your mail program and no impact on the servers that store your regular, unsecured messages.

PreVeil Email: Video demonstration

PreVeil Drive, as demonstrated in the video below, enables end-to-end encrypted file sharing and storage of CUI that is CMMC Level 3 compliant. Users can access files stored on PreVeil Drive from any of their devices, or share files with other users who have the appropriate access permissions through PreVeil’s Trusted Communities. Unlike Google Drive which always has access to your data, only you and the people with whom you’ve explicitly shared files can decrypt them. PreVeil Drive is easy to use and automatically integrates with Windows File Explorer and Mac Finder and has no impact on your existing file servers. It’s available for Windows, Mac and, with PreVeil’s mobile app, for iPads and smartphones as well.

PreVeil Drive: Video demonstration

All DoD contractors, regardless of size, will soon need to comply with CMMC requirements. To help you do so, PreVeil leverages a fundamentally better security paradigm. But better security isn’t enough. If security is difficult to use, it won’t be used. To be effective, security must be as frictionless as possible. PreVeil was created with this principle in mind so that all your security objectives, including CMMC compliance, will be met.

PreVeil’s CMMC white paper -downloaded more than 1500 times by defense contractors- presents detailed information on what your company needs to do to comply with CMMC and, likewise, work with the DoD. Our aim is to make that process as seamless and affordable as possible while providing unparalleled security.

To learn more about PreVeil and how your company can get started with CMMC compliance, contact us.