According to Stacy Bostjanick, DoD Cybersecurity Maturity Model Certification (CMMC) program director, the DoD is aiming to release an Interim Rule on the CMMC framework in 2023. That means that now is the time for your organization to take action to enhance its cybersecurity levels and preserve its ability to do work for the DoD. You don’t have to achieve 100% compliance with DoD cybersecurity standards by 2023, but you should far along the path to doing so by then.

CMMC will require any defense contractor that handles CUI (Controlled Unclassified Information) to achieve at least CMMC Level 2, certifying its ability to securely store and share CUI. If your business protects CUI with M365 Commercial—which is not Level 2 compliant—you will need to seek an alternate solution. This blog outlines three straightforward steps you can take to minimize your costs and time to achieve Level 2 certification.

What are CMMC Level 2’s cybersecurity requirements for protecting CUI?

CMMC Level 2 security control requirements will mirror the 110 controls specified in NIST SP 800-171. The National Institute of Technology and Standards (NIST) developed those controls specifically to protect CUI. Any organization that handles CUI also is subject to DFARS 252.204-7012. That clause invokes not just its own (c)-(g) requirements for cyber incident reporting and the NIST SP 800-171 security controls, but also the FedRAMP Baseline Moderate or Equivalent standard for organizations that use cloud services. Additionally, NIST SP 800-171 invokes FIPS 140-2, which specifies cryptographic modules to be used for end-to-end encryption.

Defense contractors cannot use just M365 Commercial to secure CUI and achieve CMMC Level 2 because it does not meet key DoD cybersecurity requirements. Microsoft readily acknowledges this, as shown in its own product comparison chart below:

Source: Microsoft


Achieving CMMC Level 2 compliance with M365 Commercial and PreVeil overlay

It’s clear that M365 Commercial by itself will not help your organization achieve CMMC Level 2: it doesn’t meet compliance requirements for every type of CUI, including for example CDI (Controlled Defense Information) and ITAR data, nor does it meet DFARS 252.205-7012 (c)-(g), which require forensic incident reporting and media preservation. Microsoft may offer its GCC platform to defense contractors instead. However, GCC still doesn’t meet the compliance requirements for CMMC Level 2 by itself. To ensure both protection of all CUI and compliance with NIST SP 800-171 and DFARS 252.204-7012 (including flow down) requirements, Microsoft offers its expensive and difficult-to-implement GCC High platform to the DIB instead.

Fortunately there’s a more secure and less expensive alternative to GCC or GCC High for CMMC compliance: PreVeil Email and Drive, which can simply be layered over M365.

PreVeil is an end-to-end encrypted file sharing and email system. Its security architecture was built on Zero Trust principles, and is grounded in world-class end-to-end encryption. With PreVeil, files, data and emails are never decrypted on any server anywhere. If attackers breach a server, all they will get is useless gibberish. PreVeil’s servers can never see your data. Microsoft’s can. And that means that an attacker breaking into the server (for example, by compromising an administrator) can also access all your organization’s data.

Moreover, PreVeil’s file sharing and email service is a fraction of the cost of GCC High. PreVeil needs to be deployed only to your employees who handle CUI, whereas GCC High typically requires deployment across your entire organization. And PreVeil makes configuration and deployment simple and inexpensive, with no need to rip and replace your existing infrastructure. Your employees don’t even need to change their Outlook email address.

PreVeil’s straightforward solutions also help you avoid expensive CMMC consultant engagements, which are par for the course for GCC High installation.

The table below contrasts PreVeil and GCC High for securing CUI.

Clearly, your company doesn’t have to go through a time consuming and costly disruption to upgrade to Microsoft’s GCC High to protect CUI and achieve CMMC Level 2. Instead, you can be an M365 company and comply with CMMC Level 2 requirements by using PreVeil’s compliant cloud environment for handling CUI, and at the same time continue to use M365’s Commercial cloud environment for your other needs.

Case Study: PreVeil overlay helps SMB defense contractor using M365 Commercial achieve highest possible NIST SP 800-171 score in DIBCAC audit

In a recent case study, a small defense contractor using PreVeil to store and share CUI achieved a 110/110 on a NIST SP 800-171 audit. To prepare for the rigorous (and unexpected) audit, the contractor deployed PreVeil as an overlay to its existing M365 Commercial environment for all its users handling CUI. Deployment was an easy process that laid the foundation for compliance with NIST SP 800-171’s most important controls, that is, the ones that protect CUI. The defense contractor’s top score placed it alongside the nation’s top prime contractors for cybersecurity.

Without PreVeil’s advanced security and compliance features to protect CUI, the contractor’s NIST SP 800-171 score would have been significantly lower. With PreVeil, because CMMC Level 2’s 110 security controls mirror those of NIST SP 800-171, the contractor likely would have been deemed to have met the new CMMC Level 2 requirements if they had been in effect at the time.

PreVeil’s Three-Step Roadmap to CMMC Level 2 Certification

PreVeil offers a unique three-step solution to smooth your company’s path to CMMC Level 2 certification and make it more affordable. PreVeil does far more for your organization than just offering a secure platform for CUI. Rather, PreVeil serves as a partner throughout your journey to CMMC Level 2 certification, as described below:

Step One: Adopt a cloud platform to secure, store and share CUI

SMBs can easily deploy PreVeil as an overlay to their existing M365 Commercial environment, dramatically improving their cybersecurity and raising their NIST SP 800-171 scores. That means you’ll also make significant progress on your journey to achieving CMMC Level 2 certification as well, given the alignment of NIST SP 800-171 and CMMC Level 2 security control requirements.

Step Two: Take advantage of PreVeil’s compliance documentation package

PreVeil understands how overwhelming documentation of compliance can be for SMBs and so created its comprehensive compliance documentation package as another means to help its customers on their compliance journey. The package includes a System Security Plan (SSP) template that’s based on NIST SP 800-171’s 110 security controls and is prefilled to reflect PreVeil’s capabilities and the 102 security controls it supports, along with procedures relevant to those controls. To help you complete the SSP, PreVeil’s documentation package also includes policy templates for the CMMC 2.0 Level 2/NIST SP 800-171 control families, as well as templates for an internal responsibility matrix, a Customer Responsibility Matrix (CRM) specifying which controls PreVeil supports, and a POA&M for showing how the controls that PreVeil doesn’t support can be met.

This comprehensive compliance documentation package gives your organization a considerable head start on its SSP and essential supporting documents—otherwise a daunting, time-consuming, and costly task. The package will dramatically accelerate preparation for your required C3PAO (CMMC Third-Party Assessment Organization) audit and your path to CMMC Level 2 compliance.

Step Three: Leverage PreVeil’s partner community

While PreVeil Drive and Email support compliance with virtually all of NIST and CMMC 2.0 mandates related to the storage and communication of CUI, other mandates will need to be addressed too. To facilitate that, PreVeil has partnered with hundreds of organizations and individuals certified by the CMMC-AB, including C3PAOs, with expert knowledge of DFARS, NIST, CMMC and PreVeil. PreVeil staff will help your organization cross the finish line to CMMC Level 2 by coordinating your access to its specialized partner community—all while saving time, reducing costs, and minimizing your risks.


You can meet CMMC Level 2 requirements by deploying PreVeil as an overlay to your existing M365 Commercial environment. Our aim is to make that process as seamless and affordable as possible while providing unparalleled security for the protection of CUI.

To learn more about PreVeil and how your company can get started with CMMC compliance: