Find out what the DoD’s new CMMC requirements means for contractors. Check out our white paper.

What is CMMC?

Cyber threats are one of the most important strategic threats facing the United States. The Department of Defense (DoD) created CMMC to better defend the vast attack surface that the Defense Industrial Base (DIB) sector presents to adversaries.
CMMC measures a company’s ability to protect FCI (Federal Contract Information) and CUI (Controlled Unclassified Information).It outlines five levels of cybersecurity maturity, ranging from basic cyber hygiene practices at Level 1 to highly advanced practices and processes at Level 5.
All of the approximately 300,000 vendors that make up the DoD supply chain must achieve the maturity level appropriate to the sensitivity of the information they handle for DoD.
CMMC combines existing cybersecurity control standards such as NIST SP 800-171, DFARS Clause 252.204-7012, CFR 52.204-21, and others, into one unified standard for cybersecurity and maps them across the five CMMC maturity levels.

What does CMMC mean for my business?

The biggest change from previous practice is the shift from self-assessment of cybersecurity compliance to required external audits. All contractors will need to be certified by a CMMC Third Party Assessment Organization (C3PAO) at the CMMC maturity level appropriate to their DoD work . In the past noncompliance with DoD security regulations was acceptable as long as companies prepared POAMs (Plans of Action and Milestones) outlining how they would address deficiencies. That will no longer be the case under CMMC.
The timetable for implementation of CMMC is rapid. DoD is aiming to add CMMC requirements to RFPs by Fall 2020. It is expected that the requirements will be phased in, starting with companies that handle CUI associated with DoD critical programs and technologies. Once in effect, CMMC certification will be the basis of a “go/no go” decision for DoD contracts.
Companies that work with or generate CUI will need to achieve CMMC Level 3 at a minimum , which most likely will mean that they will need to strengthen the security of their email communications, file sharing, and storage. Note that if your business has migrated to the cloud, standard commercial cloud services such as Microsoft Office 365 and Gmail are not CMMC compliant.

How do I get started with CMMC?

First, determine the appropriate CMMC level for your company. At this point, it appears most likely that companies that handle just FCI will need to achieve Levels 1 or 2. Any company that handles CUI will need to achieve at least Level 3. Higher Levels 4 and 5 will focus on reducing the risk of advanced persistent threats (APTs) and are intended to protect CUI associated with DoD critical programs and technologies.
Next, examine the current state of your cybersecurity and identify gaps between your organization’s capabilities and the requirements for the maturity level you seek. Develop a plan to help guide you toward closing gaps and implementing needed IT systems and processes .
Finally, select a C3PAO to certify your organization. C3PAOs are expected to be trained, accredited and ready to certify businesses in mid-2020.

How PreVeil can help?

Current commercial email and file sharing solutions in the market are insufficient to comply with CMMC rules for organizations working with CUI. Companies must implement platforms that meet CMMC rules for communication and storage of CUI if they wish to bid on DoD contracts.

Email and Drive

PreVeil email is an encrypted email service that addresses CMMC requirements for communications and storage containing CUI. It adds an encrypted mailbox to Outlook and Gmail without changing your existing email address.
PreVeil Drive lets users encrypt, store and share their files containing CUI. Users can easily access these files from their computers or mobile devices and share them with others.
Learn more about Email and Drive


PreVeil’s encrypted Email and Drive, when combined with relevant policies and processes, support compliance with virtually all of the CMMC mandates related to the communication and storage of CUI.
For a detailed analysis, see Appendix A of our CMMC whitepaper.

Why companies choose PreVeil?

Aerospace & Defense companies choose PreVeil for communications and storage of CUI because its platform provides the gold standard of end-to-end encryption to protect email and files. Moreover, the platform is a fraction of the cost of alternatives. It only needs to be deployed to those users handling CUI, whereas alternatives require deployment across an entire organization.
PreVeil’s configuration and deployment are simple and inexpensive. The platform requires no challenging integration with your existing email and file servers.

Learn more about how PreVeil can help your company meet the demands of CMMC level 3 compliance and beyond.

Schedule a demo

Frequently Asked Questions (FAQ)

What is FCI?

Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the Government. This information is typically provided under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

What is CUI?

Controlled Unclassified Information (CUI) is government information that requires safeguarding and controls limiting its dissemination.

Is CMMC replacing DFARS?

CMMC builds upon existing DFARS 252.204.7012 regulations rather than replacing them. CMMC adds a verification component to DFARS so that companies are no longer able to self-attest to their cybersecurity compliance.

How can my organization become certified?

Beginning in June of 2020, the DOD will open up the third-party accreditors (C3PAOs) marketplace. These accreditors are tasked with assessing and certifying DoD contractors who want to bid on RFPs.

Is self-certification possible?

Under CMMC, self-certification is no longer possible.

If I am not CMMC certified, can I participate in RFPs for the DoD?

No. If a company is not CMMC certified, it cannot participate in an RFP for the DoD. Specifically, the DoD intends to identify the required CMMC level in RFP sections L and M, and use responses there as the basis of a “go/no go” decision.

What level of CMMC certification is required for a contract?

DoD intends to identify the required CMMC level in RFP sections L and M, and use responses there as the basis of a “go/no go” decision.

How do I know if CMMC applies to me?

All companies conducting business with the DoD must be certified. Starting in June 2020, all new Department of Defense contracts will require contractors – including subcontractors – to have a Cybersecurity Maturity Model Certification (CMMC).

How often do I need to be reassessed?

Reassessment frequency is still under consideration.

My organization does not handle CUI. Do I still need to be certified?

Yes. All companies conducting business with the DoD must be certified. The level of certification will depend on the type of information the company handles.

Will Prime contractors be responsible for ensuring compliance of their suppliers?

Yes. All contractors are responsible for the CMMC compliance of their participating companies in their supply chain.