PreVeil is the first Cloud Service Provider (CSP) to meet the Department of Defense’s (DoD) stringent FedRAMP Moderate Equivalency requirement for CMMC and DFARS 7012 compliance. This significant accomplishment further reinforces PreVeil’s position as the leading solution for defense contractors seeking a proven path to CMMC and DFARS compliance.


FedRAMP Equivalent Requirement Background

The requirement for defense contractors to use FedRAMP equivalent cloud services to store and process Controlled Unclassified Information (CUI) stems from the DFARS 252.204-7012(b)(2(ii)(D) clause which states:

“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.”

DoD Definition of FedRAMP “Equivalent”

On December 21, 2023, the office of the CIO, US DoD, issued a memo defining the criteria for cloud service providers to be FedRAMP Moderate baseline equivalent (summarized below):

  • CSP must demonstrate 100% Compliance with the FedRAMP Moderate baseline controls with no outstanding Plan of Action and Milestones (POAM) through an assessment conducted by an independent, authorized FedRAMP third party assessment organization 3PAO. No self-attestation is permitted.
  • The CSP must submit a complete Body of Evidence (BOE) for review to the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the DoD’s highest assessment organization. The BOE consists of:
  1. System Security Plan
  2. Security Assessment Plan
  3. Security Assessment Report performed by the FedRAMP assessor (3PAO)
  4. Evidence of Continuous Monitoring of the program, monthly and annually, validated by the 3PAO.

The DoD’s FedRAMP moderate equivalency requirement is more rigorous than for a FedRAMP ATO (Authorization to Operate) which typically does not require 100% compliance and allows POAM’s.  It is important to underscore that an ATO is not required for DFARS and CMMC, rather it’s a compliance criterion for cloud services deployed by government agencies.

PreVeil achieves FedRAMP Equivalency upon successful DIBCAC, CMMC PMO Review

For over three years, PreVeil has maintained a robust compliance program for all 325 FedRAMP Moderate controls for its end-to-end encrypted email and filesharing service. Compliance was validated by annual assessments conducted by independent, accredited 3PAOs.  Consequently, upon the release of DoD’s updated Equivalency criteria, PreVeil presented its latest 3PAO assessment report and BOE to DIBCAC. A team of DIBCAC assessors conducted a thorough, multi week review of the BOE and notified the company that the DoD CIO, CMMC Program Management Office and DIBCAC concur PreVeil meets the requirements for FedRAMP equivalency.

Enables Multiple PreVeil Customers to achieve 110/110 CMMC, NIST 800-171 Scores in DoD Assessments

PreVeil’s internal compliance credentials and encrypted email, file sharing products have enabled a rapidly growing number of customers to achieve 110/110 Scores in NIST 800-171 and CMMC Joint Surveillance Assessments conducted by DIBCAC and CMMC 3PAOs. PreVeil utilizes its compliance expertise to provide detailed CMMC and NIST 800-171 documentation to our customers. Our documentation streamlines the process and reduces the cost and time required by our customers to achieve compliance. These successful assessments are the ultimate validation the PreVeil solution’s benefits of compliance assurance, best in class security and low cost for defense contractors.

For further information on our product and compliance solution schedule a 15-minute compliance consult with our certified compliance experts.