The CMMC Proposed Rule was published in the Federal Register in December 2023, and CMMC will begin appearing in contracts in late 2024 or early 2025. That means now is the time to enhance your cybersecurity, meet the 110 NIST 800-171 controls, and preserve your ability to do work for the DoD.

CMMC will require any defense contractor that handles CUI (Controlled Unclassified Information) to achieve at least CMMC Level 2, certifying its ability to securely store and share CUI. If your business protects CUI with M365 Commercial—which is not Level 2 compliant—you will need to seek an alternate solution.  

This blog outlines three straightforward steps you can take to save time, minimize costs, and achieve Level 2 certification.

What are CMMC Level 2’s cybersecurity requirements?

Any organization that handles CUI is subject to DFARS 252.204-7012, which invokes three requirements:

  • Protect unclassified Covered Defense Information (CDI) in accordance with NIST 800-171. To provide adequate security, contractors must implement the 110 security controls stipulated in NIST SP 800-171.
  • Report any cyber incidents to the DoD and provide access to servers and logs. Contractors need to report all cyber incidents (even commercial attacks) to the DoD, share all cyber incident data, retain that data for 90 days, and assist DC3 with any follow up investigations as needed. See PreVeil’s blog on DFARS 7012 (c)-(g), which specify these requirements.
  • Ensure Cloud Service Providers (CSPs) Meet FedRAMP Moderate or Equivalent standards. PreVeil is the first Cloud Service Provider (CSP) to meet this stringent FedRAMP Moderate Equivalency requirement.
  • Note that the DFARS 7012 clause also requires defense contractors to flow down all the 7012 requirements to their subcontractors.

Microsoft 365 Commercial Doesn’t meet CMMC Requirements 

Defense contractors cannot use just M365 Commercial to secure CUI and achieve CMMC Level 2 because it does not meet key DoD cybersecurity requirements. Microsoft readily acknowledges this, as shown in its own product comparison chart below:

Source: Microsoft

Achieving CMMC Level 2 compliance with M365 Commercial and PreVeil

It’s clear that M365 Commercial by itself will not help your organization achieve CMMC Level 2: it doesn’t meet compliance requirements for CUI and ITAR data, nor does it meet DFARS 252.205-7012 (c)-(g), which require forensic incident reporting and media preservation. Microsoft may offer its GCC platform to defense contractors instead. However, GCC still doesn’t meet the compliance requirements for CMMC Level 2 by itself. To ensure both protection of all CUI and compliance with NIST SP 800-171 and DFARS 252.204-7012 (including flow down) requirements, Microsoft offers its expensive and difficult-to-implement GCC High platform to the DIB instead (read here about how PreVeil compares to GCC High).

PreVeil is an end-to-end encrypted file sharing and email system. Its security architecture was built on Zero Trust principles, and is grounded in world-class end-to-end encryption. With PreVeil, files, data and emails are never decrypted on any server anywhere. If attackers breach a server, all they will get is useless gibberish. PreVeil’s servers can never see your data. Microsoft’s can. And that means that an attacker breaking into the server (for example, by compromising an administrator) can also access all your organization’s data.

Moreover, PreVeil’s file sharing and email service is a fraction of the cost of GCC High. PreVeil needs to be deployed only to your employees who handle CUI, whereas GCC High typically requires deployment across your entire organization. And PreVeil makes configuration and deployment simple and inexpensive, with no need to rip and replace your existing infrastructure. Your employees don’t even need to change their Outlook email address.

PreVeil’s straightforward solutions also help you avoid expensive CMMC consultant engagements, which are par for the course for GCC High installation.

The table below contrasts PreVeil and GCC High for securing CUI.

Clearly, your company doesn’t have to go through a time consuming and costly disruption to upgrade to Microsoft’s GCC High to protect CUI and achieve CMMC Level 2. Instead, you can be an M365 company and comply with CMMC Level 2 requirements by using PreVeil’s compliant cloud environment for handling CUI, and at the same time continue to use M365’s Commercial cloud environment for your other needs.

A Proven Solution: PreVeil helps SMB defense contractor using M365 Commercial achieve perfect 110 NIST SP 800-171 score in DoD audit

A small defense contractor using PreVeil to store and share CUI achieved a perfect 110/110 score on a NIST SP 800-171 DIBCAC audit. To prepare for the rigorous (and unexpected) audit, the contractor deployed PreVeil as an overlay to its existing M365 Commercial environment for all its users handling CUI.

Deployment was an easy process that laid the foundation for compliance with NIST SP 800-171’s most important controls, that is, the ones that protect CUI. The defense contractor’s top score placed it alongside the nation’s top prime contractors for cybersecurity.

In fact, more than a half-dozen PreVeil customers have received perfect 110 NIST 800-171 scores on their CMMC Joint Surveillance Assessments (JSVAs), which will directly translate to a CMMC Level 2 certification once rulemaking is finalized.

PreVeil’s Three-Step Roadmap to CMMC Level 2 Certification

PreVeil offers a unique three-step solution to smooth your company’s path to CMMC Level 2 certification and make it more affordable. PreVeil does far more for your organization than just offering a secure platform for CUI. Rather, PreVeil serves as a partner throughout your journey to CMMC Level 2 certification, as described below:

SMBs can easily deploy PreVeil as an overlay to their existing M365 Commercial environment, dramatically improving their cybersecurity and raising their NIST SP 800-171 scores.

PreVeil understands how overwhelming documentation of compliance can be for SMBs and so created its comprehensive compliance documentation package as another means to help its customers on their compliance journey. The package includes a System Security Plan (SSP) template that’s based on NIST SP 800-171’s 110 security controls and is prefilled to reflect PreVeil’s capabilities and the 102 security controls it supports, along with procedures relevant to those controls. To help you complete the SSP, PreVeil’s documentation package also includes policy templates for the CMMC 2.0 Level 2/NIST SP 800-171 control families, as well as templates for an internal responsibility matrix, a Customer Responsibility Matrix (CRM) specifying which controls PreVeil supports, and a POA&M for showing how the controls that PreVeil doesn’t support can be met.

This comprehensive compliance documentation package gives your organization a considerable head start on its SSP and essential supporting documents—otherwise a daunting, time-consuming, and costly task. The package will dramatically accelerate preparation for your required C3PAO (CMMC Third-Party Assessment Organization) audit and your path to CMMC Level 2 compliance.

While PreVeil Drive and Email support compliance with virtually all of NIST and CMMC 2.0 mandates related to the storage and communication of CUI, other mandates will need to be addressed too. To facilitate that, PreVeil has partnered with hundreds of organizations and individuals certified by the CMMC-AB, including C3PAOs, with expert knowledge of DFARS, NIST, CMMC and PreVeil. PreVeil staff will help your organization cross the finish line to CMMC Level 2 by coordinating your access to its specialized partner community—all while saving time, reducing costs, and minimizing your risks.


You can meet CMMC Level 2 requirements by deploying PreVeil as an overlay to your existing M365 Commercial environment. Our aim is to make that process as seamless and affordable as possible while providing unparalleled security for the protection of CUI.

Schedule 15 Minutes for free with our Compliance team

Learn how you can maintain your existing O365 and Exchange set up, with the benefit of PreVeil’s security + CMMC compliance.

Book a Session