Demonstrates CMMC Level 2 Compliance

In a recent case study, an SMB defense contractor using PreVeil to store and share Controlled Unclassified Information (CUI) achieved a 110/110 on a NIST SP 800-171 audit. The SMB deployed PreVeil, a cloud-based, end-to-end encrypted file sharing and email system, as an overlay of its Microsoft 365 Commercial environment. The audit was conducted by the US Department of Defense’s (DoD) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

The SMB is a typical defense contractor. They’ve been in business for 15 years and have fewer than 100 employees. The contractor was very concerned about the time, expense, and complexity of the audit.

Case Study: Defense contractor achieves 110/110 score in NIST SP 800-171 DoD audit

Download your copy of our case study to also learn how compliance with NIST SP 800-171 makes compliance under CMMC 2.0 much simpler. That’s because the new CMMC Level 2 will require demonstration of compliance with the very same 110 NIST SP 800-171 security controls.

Download the Case Study

Microsoft 365 and Google Workspace don’t meet all DoD requirements for handling CUI. PreVeil is designed to comply with those requirements. Here’s how.

Defense contractors that handle CUI need to demonstrate that they meet four fundamental DoD requirements:

  1. Comply with NIST SP 800-171’s 110 security controls.
  2. Meet applicable FedRAMP standards. Cloud systems used for transmitting and storing CUI must be certified at FedRAMP Baseline Moderate or Equivalent.
  3. Meet FIPS 140-2 Validated Encryption standards when handling CUI.
  4. Comply with Defense Federal Acquisition Regulation (DFARS) 252.204-7012, including 7012 (c-g), which stipulate requirements for cyber incident reporting.

Evidence that the SMB defense contractor in this case study met the four fundamental DoD requirements using PreVeil:

  1. The SMB defense contractor demonstrated compliance with all 110 NIST SP 800-171 security controls upon completion of the DIBCAC audit and fulfillment of the just three findings in its Plan of Actions & Milestones (POA&M) soon thereafter.
  2. PreVeil meets FedRAMP Baseline Moderate Equivalent with attestation from an Accredited FedRAMP 3PAO (3rd Party Audit Organization). From a security and compliance viewpoint, FedRAMP Baseline Moderate Equivalent and FedRAMP Baseline Moderate are the same.
  3. PreVeil has achieved FIPS 140-2 validation from the Cryptographic Module Validation Program (CMVP), ensuring that the PreVeil system is FIPS compliant. See PreVeil’s FIPS 140-2 certificate on NIST’s Computer Security Resource website here.
  4. PreVeil meets DFARS 252.204-7012 requirements by storing all encrypted CUI data on the Amazon Web Services (AWS) Gov Cloud, which is assessed at FedRAMP High. PreVeil meets 7012 (c)-(g) by managing all logs and forensic information for reporting, and making them available to the DoD upon request for cyber-incident response.

PreVeil’s documentation package streamlines compliance

Defense contractors must document compliance in a System Security Plan (SSP). Putting one together can be very time-consuming and costly. PreVeil saves customers hundreds of hours (and thousands of dollars) by providing a comprehensive compliance documentation package, including an SSP template.

PreVeil’s SSP template is pre-filled to reflect the NIST SP 800-171 security controls PreVeil supports. The package also includes policy templates for the NIST SP 800-171 control families and additional required documentation.

The SMB in this case study began with a rudimentary SSP about 25 pages long. By the time of its successful audit, the SSP was approximately 225 pages long.

The 110 NIST SP 800-171 controls align completely with those of CMMC 2.0 Level 2. This case study consequently demonstrates that PreVeil also supports CMMC 2.0 Level 2 compliance.

Case study demonstrates PreVeil’s benefits of high security, simplicity, and low cost

Typical SMBs have limited resources and cybersecurity expertise. PreVeil’s secure platform provides world class security at a low cost in a simple to use platform.

  • PreVeil is built on a modern Zero Trust security model, recommended by the National Security Administration (NSA). PreVeil achieves compliance through a security-first approach.
  • PreVeil reduces complexity. There’s no need to rip and replace. PreVeil deploys as an overlay to existing Microsoft 365, Exchange, and Google Workspace accounts. PreVeil can be deployed in mere hours for most organizations, saving defense contractors tens of thousands in costs and lost time.
  • PreVeil needs to be deployed only to users handling CUI. This significantly lowers licensing costs.
  • PreVeil is easy to use. There’s no need for user training, which means no costly disruptions of productivity.
  • PreVeil provides its customers with a comprehensive documentation package including SSP and policy templates. This saves tens of thousands of dollars and months of preparation and consulting time.

All of this adds up to world-class security that’s far less expensive than alternatives. Achieving compliance with PreVeil costs 50% to 75% less than with GCC High.

PreVeil’s three-step program to achieve NIST SP 800-171 compliance and CMMC Level 2 certification

Our three-step program makes achieving compliance straightforward.

Step One: Deploy PreVeil.
SMBs can easily deploy PreVeil as an overlay to their existing IT environments, dramatically improving their cybersecurity and raising their NIST SP 800-171 scores.

Step Two: Use PreVeil’s compliance documentation package.
PreVeil provides a comprehensive documentation package to its customers. The package includes an SSP template that’s based on NIST SP 800-171’s 110 security controls, which CMMC 2.0 Level 2 mirrors. The template is prefilled to reflect PreVeil’s capabilities, along with procedures relevant to those controls.

PreVeil’s package also includes templates for required NIST SP 800-171 policies, a Customer Responsibility Matrix (CRM), and a POA&M showing how the remaining controls can be met.

Step Three: Finish with a PreVeil partner.
PreVeil supports compliance with the majority of NIST and CMMC 2.0 mandates. The remaining controls can be addressed with time-limited POA&Ms. PreVeil staff can provide ready access to more than a hundred partner organizations and compliance experts certified by the CMMC-AB, with deep knowledge of DFARS, NIST, CMMC, and PreVeil. Any one of these can take you over the finish line.


PreVeil makes compliance accessible to SMB defense contractors. Learn how PreVeil can save your organization time, money, and headache.

Learn more: