DFARS & CMMC Compliance Mandates & Timeline

DFARS 7012 requires organizations to protect Controlled Unclassified Information (CUI) by implementing the 110 NIST 800-171 controls. DFARS 7019 requires contractors to rigorously self-assess compliance with the 110 NIST controls and report their score to the DoD’s SPRS database, or risk fines and penalties. When CMMC comes into effect, contractors will be required to get certified by a third-party assessor to demonstrate they meet their DFARS 7012 obligations.

Read our DFARS Whitepaper

A Simple Platform for Meeting DFARS Requirements

PreVeil’s encrypted cloud service for storing and sharing CUI helps defense contractors rapidly meet their requirements for DFARS 7012 (NIST 800-171, FedRAMP, Incident reporting), 7019 (SPRS Score), 7020 and CMMC.

How PreVeil Helps you Meet

Support for 102 out of 110 NIST 800-171 Controls

PreVeil’s File Sharing and Email platform enables contractors to protect CUI with end-to-end encryption and support 102 out of 110 NIST 800-171 controls. Contractors can achieve Zero Trust security for CUI and demonstrate substantial compliance with DFARS 7012 and CMMC.

System Security Plan Documentation

A detailed SSP is essential to demonstrate compliance. PreVeil provides a templated, self-service SSP that specifies how our platform- in conjunction with customer policies and procedures- supports 102 NIST 800-171 controls.

Meet DFARS 7019 & Raise your SPRS score

DFARS 7019 requires organizations to compute their NIST 800-171 compliance score and report it to the DoD’s SPRS database. A high score provides a significant competitive advantage. By adopting PreVeil, contractors can significantly raise their SPRS score by over 80 points. We also provide you with software to automatically compute your SPRS score.

Meet FedRAMP, FIPS & DFARS 7012 (c-g)

PreVeil provides you evidence that you satisfy three important DFARS 7012 compliance requirements. We support DFARS 7012 (c-g) Incident Reporting, meet FedRAMP Moderate Baseline Equivalent and use FIPS 140-2 validated encryption modules to protect CUI.

Support Throughout your Compliance Journey

PreVeil’s in-house compliance experts support you throughout your compliance journey – from preparation to assessment. We also connect you to our network of authorized CMMC consultants (RPs) and assessors (C3PAOs) familiar with the PreVeil solution, ensuring your preparation and assessment are streamlined and low-cost.

Why Leading Defense Contractors Choose PreVeil

Easy to Deploy

Deploys in hours alongside your existing IT systems, saving months of business disruption and expense.

Low Cost

Only users handling CUI require a low-cost, all-inclusive license. Furthermore, an organization’s suppliers and partners can join for free.

Simpler Compliance

Our comprehensive solution includes a platform to protect CUI, robust documentation, and consulting to simplify compliance and reduce cost.

Contractor Achieves DFARS Compliance & Maximum NIST 800-171 Score

A small defense contractor achieved a maximum NIST 800-171 score, meeting 110 out of 110 controls in a rigorous DoD audit. The contractor used PreVeil to protect, store and share CUI. Under CMMC 2.0, the contractor would meet Level 2 certification requirements.

Read the Case Study


Get to Know the PreVeil Platform


PreVeil Drive

PreVeil Drive lets users encrypt, store and share their files containing CUI. Users can easily access these files from their computers or mobile devices and share them with suppliers and partners. Works with Windows Explorer, Mac Finder and on browsers.


Learn More About PreVeil Drive

PreVeil Email

PreVeil Email is an encrypted email service that addresses CMMC 2.0, DFARS and ITAR requirements. It adds an encrypted mailbox to Outlook and Gmail, letting you continue to use these accounts. Users can send and receive emails just like they are used to while continuing to use their existing email address.


Learn More About PreVeil Email

All data is automatically stored on Amazon’s FedRAMP High GovCloud.

Encrypted Storage on Amazon GovCloud

Zero Trust Security

PreVeil implements NSA-recommended Zero Trust security and assumes a breach is inevitable. We secure all data using end-to-end encryption, making it useless to hackers. Information is only ever encrypted and decrypted on a user’s device -never on the server. It can also be recovered from a Ransomware attack. Organizations can restrict the flow of CUI to their trusted partners and suppliers.

Learn More About PreVeil Security

Frequently Asked Questions

Can you explain the requirements for DFARS 7012?

DFARS 7012 requires defense contractors to:

  • Provide adequate security to protect unclassified Covered Defense Information (CDI). To provide adequate security, contractors must implement the 110 security controls stipulated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. To learn more, see PreVeil’s white paper, NIST SP 800-171: Improving cybersecurity and raising your SPRS score.
  • Rapidly report cyber incidents to the Department of Defense Cyber Crimes Center (DC3). In addition to reporting cyber incidents, contractors also need to share all cyber incident data requested by D3C, retain that data for 90 days, and assist DC3 with any follow up investigations as needed. See PreVeil’s blog on DFARS 7012 (c)-(g), which specify these requirements.
  • Meet Federal Risk and Authorization Management Program (FedRAMP) standardsContractors must confirm that their Cloud Service Providers (CSP) have achieved the FedRAMP Baseline Moderate or Equivalent standard. PreVeil’s blog addresses the criteria for the FedRAMP Moderate Equivalent standard.

Read more about DFARS 7012 on our blog.

Can you explain the requirements for DFARS 7019?

DFARS 252.204-7019, entitled Notice of NIST SP 800-171 Assessment Requirements, was released along with clauses 7020 and 7021 in the DoD’s November 2020 DFARS Interim Rule. The DFARS 7019 clause requires contractors to complete two main tasks:

  • Conduct a self-assessment of NIST SP 800-171 compliance according to DoD Assessment Methodology, and
  • Report their NIST SP 800-171 self-assessment scores to the DoD via its Supplier Performance Risk System (SPRS). SPRS scores must be submitted by the time of contract award and not be more than three years old.

The Interim Rule is a key component of the Department of Defense’s campaign to increase compliance with its cybersecurity regulations and improve security throughout the Defense Industrial Base (DIB).

Read more about DFARS 7019 on our blog.

What are my responsibilities under DFARS 7012 c-g?

DFARS 202.204-7012 (c)-(g) stipulate actions that an organization must take in the event of a cybersecurity incident. Note that DFARS 202.204-7012 (c)-(g) is currently in effect and has been for several years.

Briefly, the requirements are:

Compliance with DFARS 252.204-7012 (c)-(g) requirements for cyber incident reporting. Briefly, the requirements are:

c) cyber incident reporting to the DoD Cyber Crimes Center (DC3)

d) malicious software, if discovered, to be submitted to DC3

e) media preservation and protection for 90 days

f) provide DC3 access to additional information if requested

g) assist DoD with cyber incident damage assessment if requested

Read more about your c-g requirements on our blog.

How do DFARS 7012 and CMMC overlap?

DFARS 7012 requires implementation of the 110 security controls specified in NIST SP 800-171. When CMMC is implemented as expected in 2023, CMMC Level 2—the minimum level that must be attained by contractors that handle CUI—also will require compliance with the same 110 NIST SP 800-171 security controls.

The key difference between the DFARS 7012 and CMMC Level 2 requirements is that under DFARS 7012, compliance with NIST SP 800-171 has not been consistently enforced. Under CMMC, compliance will be checked by independent third-party assessors certified by DoD.

As Stacy Bostjanik (Chief Defense Industrial Base Cybersecurity, U.S. Department of Defense) said during PreVeil’s Oct. 2022 CMMC Summit, “CMMC is just the validation program that people have done what they already agreed to do in complying and establishing the requirements of NIST 800-171 in their current networks.”

How can defense contractors comply with DFARS 7012?

First, all defense contractors need to develop a System Security Plan (SSP) that details the policies and procedures their organization has in place to comply with NIST SP 800-171. The SSP serves as a foundational document for your required NIST SP 800-171 self-assessment and is a prerequisite for consideration for a DoD contract.

Self-assessment scores need to be filed with the DoD’s SPRS. The highest score is 110, meaning that all 110 NIST SP 800-171 security controls have been fully implemented.

If a contractor’s SPRS score is less than 110, indicating that security gaps exist, then the contractor must create a Plan of Action & Milestones (POA&M) that identifies security tasks that still need to be accomplished. The POA&M details required resources, milestones that must be met, completion dates for those milestones, and more.

Know that at this point, an SPRS score of 110 is rare . The key is to have an active plan in place to continue to improve your organization’s cybersecurity. The plan should address other DFARS 7012 mandates, too, including those related to cyber incident reporting and ensuring that your cloud service provider meets required FedRAMP standards.

Your System Security Plan should address other DFARS 7012 mandates, too, including DFARS 7012 (c)-(g) related to cyber incident reporting and cooperating with the DoD on any ensuing investigations. DFARS 7012 also requires defense contractors to ensure that their Cloud Service Provider (CSP) meets required FedRAMP standards. Don’t take that for granted—confirm with your CSP that it has achieved at least FedRAMP Baseline Moderate or Equivalent level.

Can I use PreVeil to communicate with suppliers?

PreVeil is also an ideal tool for collaborating with suppliers. Contractors can set granular permissions such as read only or view only to maintain control and visibility over their data. They can revoke access anytime by unsharing. PreVeil can be downloaded for free by subcontractors. Primes can be assured their supply chain is compliant and secure.

How can I communicate securely with my upstream military agencies or Primes who do not have PreVeil?

PreVeil’s Email Gateway offers its customers a communication channel that enables them to seamlessly send and receive email with Primes or .mil personnel that are restricted from creating a free PreVeil account. Please reach out to PreVeil for more information.