PreVeil Achieves DoD FedRAMP Moderate Equivalency

May 1, 2025

The PreVeil platform — trusted by thousands of organizations to protect Controlled Unclassified Information (CUI) — just helped its 25th customer achieve a perfect 110 score on their CMMC assessment. This milestone further solidifies PreVeil as the leading solution for defense contractors seeking a proven, affordable path to CMMC compliance.

Underlying this success is the trust customers place in our FedRAMP Moderate Equivalent status. PreVeil is the first Cloud Service Provider (CSP) to meet the Department of Defense’s (DoD) stringent FedRAMP Moderate Equivalency requirement for CMMC and DFARS 7012 compliance. This significant accomplishment further reinforces PreVeil’s position as the leading solution for defense contractors seeking a proven path to CMMC and DFARS compliance.

FedRAMP Equivalent Requirement Background

The requirement for defense contractors to use FedRAMP equivalent cloud services to store and process Controlled Unclassified Information (CUI) stems from the DFARS 252.204-7012(b)(2(ii)(D) clause which states:

“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.”

DoD Definition of FedRAMP “Equivalent”

On December 21, 2023, the office of the CIO, US DoD, issued a memo defining the criteria for cloud service providers to be FedRAMP Moderate baseline equivalent (summarized below):

CSP must demonstrate 100% Compliance with the FedRAMP Moderate baseline controls with no outstanding Plan of Action and Milestones (POAM) through an assessment conducted by an independent, authorized FedRAMP third party assessment organization 3PAO. No self-attestation is permitted.
The CSP must submit a complete Body of Evidence (BOE) for review to the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the DoD’s highest assessment organization. The BOE consists of:

System Security Plan
Security Assessment Plan
Security Assessment Report performed by the FedRAMP assessor (3PAO)
Evidence of Continuous Monitoring of the program, monthly and annually, validated by the 3PAO.

The DoD’s FedRAMP moderate equivalency requirement is more rigorous than for a FedRAMP ATO (Authorization to Operate) which typically does not require 100% compliance and allows POAM’s. It is important to underscore that an ATO is not required for DFARS and CMMC, rather it’s a compliance criterion for cloud services deployed by government agencies.

PreVeil achieves FedRAMP Equivalency upon successful DIBCAC, CMMC PMO Review

For over three years, PreVeil has maintained a robust compliance program for all 325 FedRAMP Moderate controls for its end-to-end encrypted email and filesharing service. Compliance was validated by annual assessments conducted by independent, accredited 3PAOs. Consequently, upon the release of DoD’s updated Equivalency criteria, PreVeil presented its latest 3PAO assessment report and BOE to DIBCAC. A team of DIBCAC assessors conducted a thorough, multi week review of the BOE and notified the company that the DoD CIO, CMMC Program Management Office and DIBCAC concur PreVeil meets the requirements for FedRAMP equivalency.

Enables Multiple PreVeil Customers to achieve 110/110 CMMC, NIST 800-171 Scores in DoD Assessments

PreVeil’s internal compliance credentials and encrypted email, file sharing products have enabled a rapidly growing number of customers to achieve 110/110 Scores in NIST 800-171 and CMMC Joint Surveillance Assessments conducted by DIBCAC and CMMC 3PAOs. PreVeil utilizes its compliance expertise to provide detailed CMMC and NIST 800-171 documentation to our customers. Our documentation streamlines the process and reduces the cost and time required by our customers to achieve compliance. These successful assessments are the ultimate validation the PreVeil solution’s benefits of compliance assurance, best in class security and low cost for defense contractors.

For further information on our product and compliance solution schedule a 15-minute compliance consult with our certified compliance experts.

15 Min. with Compliance

Author

Orlee Berlove, reviewed by Noël Vestal, PMP, CMMC RP

Noël Vestal is PreVeil's Compliance Officer and Certified CMMC Assessor (CCA) with over 15 years in DoD IT program management. She implemented the NIST 800-171/CMMC Level 2 compliance program for an OSC member of the DIB. She has her M.S. in Information Technology and holds certifications from the CMMC Accreditation Body (CyberAB), Project Management Professional (PMP), and CompTIA’s Security + certification.

Orlee Berlove has been a marketing leader for over 25 years, and is currently the Senior Director of Marketing at PreVeil. She has her Masters of Engineering, Operations Research and her Bachelor of Arts from Cornell University.

Related Blog

See All Blog

May 12, 2025

What’s New in PreVeil: Product Updates

PreVeil News

April 25, 2025

Understanding CMMC Level 2 (Advanced)

CMMC

April 23, 2025

CMMC Assessment Guide: Navigating Your Compliance Journey

CMMC