Encrypted Email & File Collaboration for DFARS & CMMC Compliance

DFARS & CMMC Compliance Mandates & Timeline

PreVeil’s encrypted cloud service for storing and sharing CUI helps defense contractors rapidly meet their requirements for DFARS 7012 (NIST 800-171, FedRAMP, Incident reporting), 7019 (SPRS Score), 7020 and CMMC.

PreVeil is the first company to fully meet the stringent, updated DoD requirements for FedRAMP Moderate Equivalent. The Department of Defense’s leading assessment entity, DIBCAC, alongside the CMMC Program Office, has established our Equivalency through an in-depth analysis of the Body of Evidence (BOE) we provided. We have 100% compliance with FedRAMP Moderate baseline controls and zero POA&Ms. Since FedRAMP is an essential requirement for CUI in the cloud, customers can be confident in their ability to be CMMC and DFARS compliant with PreVeil.

PreVeil’s File Sharing and Email platform enables contractors to protect CUI with end-to-end encryption and supports 102 out of 110 NIST 800-171 controls. Contractors can achieve Zero Trust security for CUI and demonstrate substantial compliance with DFARS 7012 and CMMC.

A detailed SSP is essential to demonstrate compliance. PreVeil provides a templated, self-service SSP that specifies how our platform, in conjunction with customer policies and procedures, supports 102 NIST 800-171 controls.

DFARS 7019 requires organizations to compute their NIST 800-171 compliance score and report it to the DoD’s SPRS database. A high score provides a significant competitive advantage. By adopting PreVeil, contractors can significantly raise their SPRS score by over 80 points. We also provide you with software to automatically compute your SPRS score.

PreVeil provides you with evidence that you satisfy three important DFARS 7012 compliance requirements. We support DFARS 7012 (c)-(g) Incident Reporting, meet FedRAMP Moderate Baseline Equivalent and use FIPS 140-2 validated encryption modules to protect CUI.

PreVeil’s in-house compliance experts support you throughout your compliance journey – from preparation to assessment. We also connect you to our network of authorized CMMC consultants (RPs) and assessors (C3PAOs) familiar with the PreVeil solution, ensuring your preparation and assessment are streamlined and low-cost.

Why Leading Defense Contractors Use PreVeil

Deploys in hours using your existing email addresses and integrates with Outlook, Gmail, and your users’ usual workflows.

Only users handling CUI require a low-cost, all-inclusive license. Furthermore, an organization’s suppliers and partners can join for free.

Our comprehensive solution includes a platform to protect CUI, robust documentation, and consulting to simplify compliance and reduce cost.

A small defense contractor achieved a perfect NIST 800-171 score, meeting 110 out of 110 controls in a rigorous DoD audit. The contractor used PreVeil to protect, store and share CUI. This will directly translate to a CMMC Level 2 Certificate once CMMC is finalized.

We’re leaps and bounds ahead of where we would have been if we hadn’t gone with PreVeil’s policies and procedures. I look at what we wrote before PreVeil and it was barebones; what PreVeil offered was much more detailed which is something I’m really happy with because when we deal with auditors, the more information we can share with them the better.

Kelly Smith

Director of Business Administration MEC2

If you process Controlled Unclassified Information (CUI), you are currently required to meet NIST 800-171/DFARS 7012. Protect your business from penalties and contract loss.

Get to Know the PreVeil Platform

PreVeil Drive lets users encrypt, store and share their files containing CUI. Users can easily access these files from their computers or mobile devices and share them with suppliers and partners. It works with Windows Explorer, Mac Finder and web browsers.

PreVeil Email is an encrypted email service that addresses CMMC 2.0, DFARS and ITAR requirements. It adds an encrypted mailbox to Outlook and Gmail, letting you continue to use these accounts. Users can send and receive emails just like they are used to while continuing to use their existing email address.

All data is automatically stored in Amazon’s FedRAMP High GovCloud.

PreVeil implements NSA-recommended Zero Trust security and assumes a breach is inevitable. We secure all data using end-to-end encryption, making it useless to hackers. Information is only ever encrypted and decrypted on a user’s device, never on the server. It can also be recovered after a ransomware attack. Organizations can restrict the flow of CUI to their trusted partners and suppliers.

Frequently Asked Questions

DFARS 7012 requires defense contractors to:

  • Provide adequate security to protect unclassified Covered Defense Information (CDI). To provide adequate security, contractors must implement the 110 security controls stipulated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. To learn more, see PreVeil’s white paper, NIST SP 800-171: Improving cybersecurity and raising your SPRS score.
  • Rapidly report cyber incidents to the Department of Defense Cyber Crimes Center (DC3). In addition to reporting cyber incidents, contractors also need to share all cyber incident data requested by DC3, retain that data for 90 days, and assist DC3 with any follow-up investigations as needed. See PreVeil’s blog on DFARS 7012 (c)-(g), which specify these requirements.
  • Meet Federal Risk and Authorization Management Program (FedRAMP) standards. Contractors must confirm that their Cloud Service Providers (CSP) have achieved the FedRAMP Baseline Moderate or Equivalent standard. PreVeil’s blog addresses the criteria for the FedRAMP Moderate Equivalent standard.

Read more about DFARS 7012 on our blog.

DFARS 252.204-7019, entitled Notice of NIST SP 800-171 Assessment Requirements, was released along with clauses 7020 and 7021 in the DoD’s November 2020 DFARS Interim Rule. The DFARS 7019 clause requires contractors to complete two main tasks:

  • Conduct a self-assessment of NIST SP 800-171 compliance according to DoD Assessment Methodology, and
  • Report their NIST SP 800-171 self-assessment scores to the DoD via its Supplier Performance Risk System (SPRS). SPRS scores must be submitted by the time of contract award and not be more than three years old.

The Interim Rule is a key component of the Department of Defense’s campaign to increase compliance with its cybersecurity regulations and improve security throughout the Defense Industrial Base (DIB).

Read more about DFARS 7019 on our blog.

DFARS 252.204-7012 (c)-(g) stipulate actions that an organization must take in the event of a cybersecurity incident. Note that DFARS 252.204-7012 (c)-(g) is currently in effect and has been for several years.

Briefly, the cyber incident reporting requirements are:

  • (c) Report cyber incidents to the DoD Cyber Crimes Center (DC3).
  • (d) Submit any discovered malicious software to DC3.
  • (e) Preserve and protect media for 90 days.
  • (f) Provide DC3 access to additional information if requested.
  • (g) Assist DoD with cyber incident damage assessment if requested.

Read more about the (c)-(g) requirements on our blog.

DFARS 7012 requires implementation of the 110 security controls specified in NIST SP 800-171. When CMMC is implemented as expected in 2023, CMMC Level 2—the minimum level that must be attained by contractors that handle CUI—also will require compliance with the same 110 NIST SP 800-171 security controls.

The key difference between the DFARS 7012 and CMMC Level 2 requirements is that under DFARS 7012, compliance with NIST SP 800-171 has not been consistently enforced. Under CMMC, compliance will be checked by independent third-party assessors certified by DoD.

As Stacy Bostjanik (Chief Defense Industrial Base Cybersecurity, U.S. Department of Defense) said during PreVeil’s Oct. 2022 CMMC Summit, “CMMC is just the validation program that people have done what they already agreed to do in complying and establishing the requirements of NIST 800-171 in their current networks.”

First, all defense contractors need to develop a System Security Plan (SSP) that details the policies and procedures their organization has in place to comply with NIST SP 800-171. The SSP serves as a foundational document for your required NIST SP 800-171 self-assessment and is a prerequisite for consideration for a DoD contract.

Self-assessment scores need to be filed with the DoD’s SPRS. The highest score is 110, meaning that all 110 NIST SP 800-171 security controls have been fully implemented.

If a contractor’s SPRS score is less than 110, indicating that security gaps exist, then the contractor must create a Plan of Action & Milestones (POA&M) that identifies security tasks that still need to be accomplished. The POA&M details required resources, milestones that must be met, completion dates for those milestones, and more.

Know that at this point, an SPRS score of 110 is rare. The key is to have an active plan in place to continue to improve your organization’s cybersecurity.

Your System Security Plan should address other DFARS 7012 mandates, too, including DFARS 7012 (c)-(g) related to cyber incident reporting and cooperating with the DoD on any ensuing investigations. DFARS 7012 also requires defense contractors to ensure that their Cloud Service Provider (CSP) meets required FedRAMP standards. Don’t take that for granted—confirm with your CSP that it has achieved at least FedRAMP Baseline Moderate or Equivalent level.

PreVeil is also an ideal tool for collaborating with suppliers. Contractors can set granular permissions such as read only or view only to maintain control and visibility over their data. They can revoke access anytime by unsharing. PreVeil can be downloaded for free by subcontractors. Primes can be assured their supply chain is compliant and secure.

PreVeil’s Email Gateway offers its customers a communication channel that enables them to seamlessly send and receive email with Primes or .mil personnel that are restricted from creating a free PreVeil account. Please reach out to PreVeil for more information.