NIST 800-171 & CMMC Compliance Mandates & Timeline

The US Department of Defense (DoD) already requires defense contractors handling CUI to implement the 110 NIST SP 800-171 controls under their current DFARS 7012 contract obligations. They must also report their NIST 800-171 compliance score to the SPRS database or risk fines and penalties for non-compliance. CMMC will require organizations handling CUI to meet the same 110 NIST 800-171 controls and get independently certified at Level 2. The CMMC Interim Rule is projected to be in place by March 2023.

A Simple Platform for CUI Security

PreVeil Email and Drive are encrypted cloud services for storing and sharing CUI for NIST 800-171 and CMMC compliance. PreVeil significantly increases SPRS scores and is seamlessly integrated with an organization’s O365, Exchange or Google Workspace. From deployment to documentation to assessment, we support you every step of the way.

Why Leading Defense Contractors Choose PreVeil

Easy to Deploy

Deploys in hours alongside your existing IT systems, saving months of business disruption and expense.


Only users handling CUI require a low-cost, all-inclusive license. An organization’s suppliers and partners can join for free.


PreVeil supports 84/110 CMMC controls. It is FedRAMP Moderate Baseline Equivalent, uses FIPS 140-2 validated encryption algorithms and supports DFARS 7012 c-g.

Support Throughout Your Compliance Journey


We provide robust compliance documentation, policy templates and a customer responsibility matrix. This simplifies creation of a System Security Plan (SSP), which is essential for demonstrating compliance, and saves significant time and money.


CMMC compliance is a complex undertaking. PreVeil connects customers to its network of certified CMMC assessors, auditors and IT experts to help organizations efficiently prepare for a successful audit or self-certification.


We connect you to authorized assessors (C3PAOs) that understand PreVeil. During an assessment, it is critical to rapidly respond to assessors’ questions. Our in-house experts support you by answering PreVeil-related questions, resulting in a streamlined, successful audit.

Proven Results: Contractor Achieves Maximum NIST 800-171 Score

A small defense contractor achieved a maximum NIST 800-171 score, meeting 110 out of 110 controls in a rigorous DoD audit. The contractor used PreVeil to protect, store and share CUI. Under CMMC 2.0, the contractor would meet Level 2 certification requirements.



Get to Know the PreVeil Platform

PreVeil Drive

PreVeil Drive lets users encrypt, store and share their files containing CUI. Users can easily access these files from their computers or mobile devices and share them with suppliers and partners. It works with Windows Explorer, Mac Finder and in browsers.



PreVeil Email

PreVeil Email is an encrypted email service that addresses CMMC 2.0 and ITAR requirements. It adds an encrypted mailbox to Outlook and Gmail, letting you continue to use these accounts. Users can send and receive emails just like they are used to while continuing to use their existing email address.



Unlimited Storage on Amazon GovCloud

PreVeil comes with unlimited storage for your email and files containing CUI. All data is automatically stored on Amazon’s FedRAMP High GovCloud.

Zero Trust Security

PreVeil implements NSA-recommended Zero Trust security and assumes a breach is inevitable. All data is secured using end-to-end encryption. Information is only ever encrypted and decrypted on a user’s device, never on the server. CUI cannot be accessed via stolen passwords or a compromised administrator’s credentials. It can also be recovered from a ransomware attack. Organizations can restrict the flow of CUI to their trusted partners and suppliers.



CMMC Compliance FAQs

How can I communicate securely with my upstream military agencies or Primes who do not have PreVeil?

PreVeil’s Email Gateway offers its customers a communication channel that enables them to seamlessly send and receive email with Primes or .mil personnel that are restricted from creating a free PreVeil account. Please reach out to PreVeil for more information.

Can I continue to use Commercial O365 or Gmail if I need to be CMMC 2.0 compliant?

You can continue to use platforms like Commercial O365 and Gmail, but they must be separated from your compliance boundary and not handle CUI.

How are CMMC Level 2 and NIST 800-171 related?

Under CMMC 2.0, requirements for the new Level 2 (Advanced)—the level comparable to the old CMMC Level 3—will be in complete alignment with NIST SP 800-171 security controls.

Can I use PreVeil to communicate with suppliers?

PreVeil is also an ideal tool for collaborating with suppliers. Contractors can set granular permissions such as read only or view only to maintain control and visibility over their data. They can revoke access at any time by unsharing. PreVeil can be downloaded for free by subcontractors. Primes can be assured their supply chain is compliant and secure.

Can I use PreVeil to manage ITAR data?

Yes, PreVeil can be used to manage ITAR data.

In PreVeil, data is secured using end-to-end encryption and FIPS 140-2 algorithms. Cloud service providers can never access the decryption keys since private keys are stored on the user's device. We also store all ITAR data in AWS GovCloud datacenters, enabling easy compliance with data residency requirements.