CMMC & DFARS Compliance Mandates & Timeline

CMMC will require organizations handling CUI to demonstrate they meet the 110 NIST 800-171 controls and to get independently certified at Level 2. CMMC is under rule making in 2023. It is important to understand that contractors with a DFARS 7012 clause are already required to implement the same 110 NIST 800-171 controls as CMMC and report their score to the SPRS database or risk fines and penalties for non-compliance.

Read our CMMC Whitepaper

A Simple Platform for CUI Security

PreVeil Email and Drive are an encrypted cloud service to store and share CUI for NIST 800-171 and CMMC compliance. PreVeil significantly increases SPRS scores and is seamlessly integrated with an organization’s O365, Exchange or Google Workspace. From deployment to documentation to assessment, we support you every step of the way.

How PreVeil Helps you Meet CMMC & DFARS

Support for 102/110 NIST 800-171 Controls for CMMC & DFARS

PreVeil’s end-to-end encrypted File Sharing and Email platform helps contractors protect CUI and address 102/110 NIST 800-171 controls. Contractors can demonstrate substantial compliance with DFARS 7012 and CMMC.

System Security Plan Documentation

A detailed SSP is essential to demonstrate compliance. PreVeil provides compliance documentation for an SSP that specifies how we -in conjunction with customer policies and procedures – support 102 NIST 800-171 controls. We also provide guidance for the controls that PreVeil doesn’t meet with a Plan of Action and Milestones (POA&M) template.

Meet DFARS 7019 & Raise your SPRS score

DFARS 7019 requires organizations to compute their NIST 800-171 compliance score and report it to the SPRS database. A high score provides a significant competitive advantage. By adopting PreVeil, contractors can significantly raise their SPRS score by over 80 points. We also provide you with software to automatically compute your SPRS score.

Meet FedRAMP, FIPS & DFARS 7012(c-g)

In addition to NIST 800-171, PreVeil provides you evidence that you satisfy three important DFARS compliance requirements. We support DFARS 7012(c-g) Incident Reporting, meet FedRAMP Moderate Baseline Equivalent and use FIPS 140-2 validated encryption algorithms to protect CUI.

Support Throughout your Compliance Journey

PreVeil’s in-house compliance experts support you throughout your compliance journey – from preparation to assessment. We also connect you to our network of authorized CMMC consultants (RPs) and assessors (C3PAOs) familiar with the PreVeil solution, ensuring your preparation and assessment are streamlined and low-cost.

Why Leading Defense Contractors Choose PreVeil

Easy to Deploy

Deploys in hours alongside your existing IT systems, saving months of business disruption and expense.

Low Cost

Only users handling CUI require a low-cost, all-inclusive license. Furthermore, an organization’s suppliers and partners can join for free.

Complete Solution

Our comprehensive solution includes a platform to protect CUI, robust documentation, and consulting to simplify compliance and reduce cost.

Contractor Achieves DFARS Compliance & Maximum NIST 800-171 Score

A small defense contractor achieved a maximum NIST 800-171 score, meeting 110 out of 110 controls in a rigorous DoD audit. The contractor used PreVeil to protect, store and share CUI. Under CMMC 2.0, the contractor would meet Level 2 certification requirements.

Read the Case Study

Get to Know the PreVeil Platform


PreVeil Drive

PreVeil Drive lets users encrypt, store and share their files containing CUI. Users can easily access these files from their computers or mobile devices and share them with suppliers and partners. Works with Windows Explorer, Mac Finder and on browsers.


Learn More About PreVeil Drive

PreVeil Email

PreVeil Email is an encrypted email service that addresses CMMC 2.0 and ITAR requirements. It adds an encrypted mailbox to Outlook and Gmail, letting you continue to use these accounts. Users can send and receive emails just like they are used to while continuing to use their existing email address.


Learn More About PreVeil Email

PreVeil comes with encrypted storage for your email and files containing CUI. All data is automatically stored on Amazon’s FedRAMP High GovCloud.

Encrypted Storage on Amazon GovCloud

Zero Trust Security

PreVeil implements NSA-recommended Zero Trust security and assumes a breach is inevitable. All data is secured using end-to-end encryption. Information is only ever encrypted and decrypted on a user’s device -never on the server. It can also be recovered from a Ransomware attack. Organizations can restrict the flow of CUI to their trusted partners and suppliers.


Learn More About PreVeil Security

CMMC Compliance FAQs

How can I communicate securely with my upstream military agencies or Primes who do not have PreVeil?

PreVeil’s Email Gateway offers its customers a communication channel that enables them to seamlessly send and receive email with Primes or .mil personnel that are restricted from creating a free PreVeil account. Please reach out to PreVeil for more information.

Can I continue to use Commercial O365 or Gmail if I need to be CMMC compliant?

You can continue to use platforms like Commercial O365 and Gmail but they must be separated from your compliance boundary and not handle CUI.

How are CMMC Level 2 and NIST 800-171 related?

Under CMMC 2.0, requirements for the new Level 2 (Advanced)—the level comparable to the old CMMC Level 3—will be in complete alignment with NIST SP 800-171 security controls.

Can I use PreVeil to communicate with suppliers?

PreVeil is also an ideal tool for collaborating with suppliers. Contractors can set granular permissions such as read only or view only to maintain control and visibility over their data. They can revoke access anytime by unsharing. PreVeil can be downloaded for free by subcontractors. Primes can be assured their supply chain is compliant and secure.

Can I use PreVeil to manage ITAR data?

Yes, PreVeil can be used to manage ITAR data.

In PreVeil, data is secured using end-to-end encryption and FIPS 140-2 algorithms. Cloud service providers can never access the decryption keys since private keys are stored on the user device. We also store all ITAR data in AWS GovCloud datacenters, enabling easy compliance with data residency requirements.