Encrypted Email & File Collaboration for DFARS & CMMC Compliance
Trusted by over 1,600 defense contractors.
Proven Compliance. Easy to use. Save 75% vs GCC High.
DFARS & CMMC Compliance Mandates & Timeline
DFARS 7012 requires organizations to protect Controlled Unclassified Information (CUI) by implementing the 110 NIST 800-171 controls. DFARS 7019 requires contractors to rigorously self-assess compliance with the 110 NIST controls and report their score to the DoD’s SPRS database, or risk fines and penalties. CMMC is expected to become law in Q4 2024, at which time contractors will be required to get certified by a third-party assessor to demonstrate they meet DFARS 7012.
PreVeil’s 3 Part Solution for CMMC & DFARS Compliance
If you process Controlled Unclassified Information (CUI), you are currently required to meet NIST 800-171/ DFARS 7012.
Protect your business from fines + contract loss with PreVeil.
Platform
Email & Drive file collaboration protect CUI with end-to-end encryption. Meets FedRAMP, FIPS 140-2, and DFARS 7012 c-g.
Compliance Accelerator
A proven toolkit with C3PAO-validated videos, pre-filled documentation (Standard Operating Procedure, System Security Plan, etc), and 1×1 support from our compliance experts.
Partner Network
Support through your entire compliance journey- from prep to assessment- through our compliance team & network of CMMC consultants & auditors.
PreVeil is the 1st Company to meet FedRAMP Moderate Equivalency
PreVeil is the first company to fully meet the stringent, updated DoD requirements for FedRAMP Moderate Equivalent. We have 100% compliance with FedRAMP Moderate baseline controls and zero POA&Ms. Since FedRAMP is a requirement for CUI in the cloud, customers can be confident in their ability to be CMMC and DFARS compliant with PreVeil.
How PreVeil Helps you Meet CMMC & DFARS
Support for 102 out of 110 NIST 800-171 Controls
PreVeil’s Email and File Sharing platform enables contractors to protect CUI with end-to-end encryption & supports 102 out of 110 NIST 800-171 controls.
Pre-filled Documentation
PreVeil provides pre-filled documents with approved language covering all 110 NIST 800-171 controls; Get our Standard Operating Procedures, System Security Plan, and more.
Meet DFARS 7019 & Raise your SPRS score
DFARS 7019 requires organizations to compute their NIST 800-171 compliance score and report it to the DoD’s SPRS database. By adopting our solution, this PreVeil customer increased their SPRS score by over 80 points.
Meet FedRAMP, DFARS 7012 (c-g) & FIPS
In addition to NIST 800-171, PreVeil provides support for DFARS 7012 (c-g) Incident Reporting, meets FedRAMP Moderate Baseline Equivalent and uses FIPS 140-2 validated encryption modules to protect CUI.
Roadmap to CMMC Videos
This custom roadmap to CMMC, guided by compliance experts and CMMC assessors (C3PAOs), takes you from the theoretical to the practical.
Preferred Partners
We provide 1×1 support through your entire compliance journey – from prep to assessment through our network of CMMC consultants and auditors.
Save $200,000 vs GCC High
When it comes to speed to compliance and cost, PreVeil is undoubtedly the right decision. We got it done on time and on budget, saving $200,000 compared to GCC High…if you care about being on time, GCC High is a much bigger risk than PreVeil.
-VP of Operations at a defense contractor that achieved a 110/110 on their CMMC Joint Surveillance Assessment
Why Leading Defense Contractors Use PreVeil
Easy to Use
Deploys in hours using your existing email addresses and integrates with Outlook, Gmail, and all your usual workflows.
Save 75%
Only users handling CUI require a low-cost, all-inclusive license. Share with 3rd parties for free.
Compliant
Dozens of contractors have used PreVeil to achieve CMMC/DFARS compliance.
Get to Know the PreVeil Platform
Information is only encrypted and decrypted on a user’s device – never on the server – making it useless to attackers if hacked.
PreVeil Drive
PreVeil Drive lets users encrypt, store and share their files containing CUI. Users can easily access these files from their computers or phones and share them with suppliers and partners. Works with Windows Explorer, Mac Finder and on browsers.
PreVeil Email
PreVeil Email is an encrypted email service that addresses CMMC, DFARS and ITAR requirements. It adds an encrypted mailbox to Outlook and Gmail, letting users send and receive emails just like they are used to.
Encrypted Storage on Amazon GovCloud
All data is automatically stored on Amazon’s FedRAMP High GovCloud.
Zero Trust Security
PreVeil implements NSA-recommended Zero Trust security and assumes a breach is inevitable. We secure all data using end-to-end encryption, making it useless to hackers. Information is only encrypted and decrypted on a user’s device- never on the server. It can also be recovered from a Ransomware attack. Organizations can restrict the flow of CUI to their trusted partners and suppliers.
A Proven Solution
Over 10 defense contractors + C3PAOs have used PreVeil to achieve perfect 110 scores in DoD assessments
Kokosing
This construction company with DoD contracts used PreVeil Drive to secure CUI in an enclave, reducing the cost and complexity of CMMC compliance. They achieved a perfect 110 JSVA score, which transfers to CMMC Level 2 certification once CMMC is finalized.
Frequently Asked Questions
Can you explain the requirements for DFARS 7012?
DFARS 7012 requires defense contractors to:
- Provide adequate security to protect unclassified Covered Defense Information (CDI). To provide adequate security, contractors must implement the 110 security controls stipulated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. To learn more, see PreVeil’s white paper, NIST SP 800-171: Improving cybersecurity and raising your SPRS score.
- Rapidly report cyber incidents to the Department of Defense Cyber Crimes Center (DC3). In addition to reporting cyber incidents, contractors also need to share all cyber incident data requested by D3C, retain that data for 90 days, and assist DC3 with any follow up investigations as needed. See PreVeil’s blog on DFARS 7012 (c)-(g), which specify these requirements.
- Meet Federal Risk and Authorization Management Program (FedRAMP) standards. Contractors must confirm that their Cloud Service Providers (CSP) have achieved the FedRAMP Baseline Moderate or Equivalent standard. PreVeil’s blog addresses the criteria for the FedRAMP Moderate Equivalent standard.
Read more about DFARS 7012 on our blog.
Can you explain the requirements for DFARS 7019?
DFARS 252.204-7019, entitled Notice of NIST SP 800-171 Assessment Requirements, was released along with clauses 7020 and 7021 in the DoD’s November 2020 DFARS Interim Rule. The DFARS 7019 clause requires contractors to complete two main tasks:
- Conduct a self-assessment of NIST SP 800-171 compliance according to DoD Assessment Methodology, and
- Report their NIST SP 800-171 self-assessment scores to the DoD via its Supplier Performance Risk System (SPRS). SPRS scores must be submitted by the time of contract award and not be more than three years old.
The Interim Rule is a key component of the Department of Defense’s campaign to increase compliance with its cybersecurity regulations and improve security throughout the Defense Industrial Base (DIB).
Read more about DFARS 7019 on our blog.
What are my responsibilities under DFARS 7012 c-g?
DFARS 252.204-7012 (c)-(g) stipulate actions that an organization must take in the event of a cybersecurity incident. Note that DFARS 252.204-7012 (c)-(g) is currently in effect and has been for several years.
Briefly, the requirements are:
Compliance with DFARS 252.204-7012 (c)-(g) requirements for cyber incident reporting. Briefly, the requirements are:
c) cyber incident reporting to the DoD Cyber Crimes Center (DC3)
d) malicious software, if discovered, to be submitted to DC3
e) media preservation and protection for 90 days
f) provide DC3 access to additional information if requested
g) assist DoD with cyber incident damage assessment if requested
Read more about your c-g requirements on our blog.
How do DFARS 7012 and CMMC overlap?
DFARS 7012 requires implementation of the 110 security controls specified in NIST SP 800-171. When CMMC is implemented as expected in 2023, CMMC Level 2—the minimum level that must be attained by contractors that handle CUI—also will require compliance with the same 110 NIST SP 800-171 security controls.
The key difference between the DFARS 7012 and CMMC Level 2 requirements is that under DFARS 7012, compliance with NIST SP 800-171 has not been consistently enforced. Under CMMC, compliance will be checked by independent third-party assessors certified by DoD.
As Stacy Bostjanik (Chief Defense Industrial Base Cybersecurity, U.S. Department of Defense) said during PreVeil’s Oct. 2022 CMMC Summit, “CMMC is just the validation program that people have done what they already agreed to do in complying and establishing the requirements of NIST 800-171 in their current networks.”
How can defense contractors comply with DFARS 7012?
First, all defense contractors need to develop a System Security Plan (SSP) that details the policies and procedures their organization has in place to comply with NIST SP 800-171. The SSP serves as a foundational document for your required NIST SP 800-171 self-assessment and is a prerequisite for consideration for a DoD contract.
Self-assessment scores need to be filed with the DoD’s SPRS. The highest score is 110, meaning that all 110 NIST SP 800-171 security controls have been fully implemented.
If a contractor’s SPRS score is less than 110, indicating that security gaps exist, then the contractor must create a Plan of Action & Milestones (POA&M) that identifies security tasks that still need to be accomplished. The POA&M details required resources, milestones that must be met, completion dates for those milestones, and more.
Know that at this point, an SPRS score of 110 is rare . The key is to have an active plan in place to continue to improve your organization’s cybersecurity. The plan should address other DFARS 7012 mandates, too, including those related to cyber incident reporting and ensuring that your cloud service provider meets required FedRAMP standards.
Your System Security Plan should address other DFARS 7012 mandates, too, including DFARS 7012 (c)-(g) related to cyber incident reporting and cooperating with the DoD on any ensuing investigations. DFARS 7012 also requires defense contractors to ensure that their Cloud Service Provider (CSP) meets required FedRAMP standards. Don’t take that for granted—confirm with your CSP that it has achieved at least FedRAMP Baseline Moderate or Equivalent level.
Can I use PreVeil to communicate with suppliers?
PreVeil is also an ideal tool for collaborating with suppliers. Contractors can set granular permissions such as read only or view only to maintain control and visibility over their data. They can revoke access anytime by unsharing. PreVeil can be downloaded for free by subcontractors. Primes can be assured their supply chain is compliant and secure.
How can I communicate securely with my upstream military agencies or Primes who do not have PreVeil?
PreVeil’s Email Gateway offers its customers a communication channel that enables them to seamlessly send and receive email with Primes or .mil personnel that are restricted from creating a free PreVeil account. Please reach out to PreVeil for more information.
