CMMC Overview

The Department of Defense (DoD) created CMMC to better defend the cybersecurity of the Defense Industrial Base (DIB) against cybercriminals and our nation’s adversaries.
CMMC combines various cybersecurity standards already in place, along with other standards, and maps these best practices and processes to five Maturity Levels ranging from basic cyber hygiene practices at Level 1 to highly advanced practices and processes at Level 5.

Receive our monthly CMMC newsletter

DoD is taking a comprehensive supply-chain risk-management approach to improving cybersecurity. That means that all 300,000 DIB vendors will need to meet the requirements for the CMMC maturity level appropriate to the work they wish to do for DoD–whether they handle CUI or not.
One of the most significant changes from previous practice is the shift from self-assessment to external audits of cybersecurity compliance, which will be conducted by Third Party Accreditation Organizations (C3PAOs).

Clearly, business risk is high and all companies in the DIB need to take action.
Link to white paper will be here

CMMC Framework

The CMMC framework categorizes cybersecurity best practices into 17 broad domains (see below), such as “Systems and Communications Protection.” Forty-three distinct capabilities, such as “control remote system access” are distributed across the 17 domains. Not all companies need to demonstrate all 43 capabilities; they apply depending on the maturity level sought. Companies will demonstrate compliance with the required capabilities by showing adherence to a range of practices and processes.

17 CMMC Domains

CMMC Model Design

Practices are the technical activities required within any given capability requirement; 173 practices are mapped across the five CMMC maturity levels.

Processes serve to measure the maturity of organizations’ institutionalization of cybersecurity procedures.


Draft CMMC Model v0.7 Practices and Processes per Level
CMMC Level Practices Processes
Level 1 17
Level 2 55 3
Level 3 59 2
Level 4 26 2
Level 5 16 2
Total 173 9


17 Domains -> 43 Capabilities across Domains -> 173 Practices across Capabilities

9 Processes -> Distributed across the CMMC maturity levels

CMMC Levels

CMMC has five defined levels of cybersecurity maturity, each with a set of supporting practices and processes, as shown below. Practices range from basic cyber hygiene at Level 1 to advanced and progressive cyber hygiene at Level 5. In parallel, process levels range from simply performed at Level 1 to optimized at Level 5.
CMMC Maturity Level Descriptions

CMMC Maturity Level Descriptions

Note that companies must meet requirements for the level they seek in both the practice and the process realms. For example, a company that achieves Level 3 on practice implementation and Level 2 on process institutionalization will be certified at the lower CMMC Level 2.
Further, adherence to CMMC practices and processes is cumulative. Once a practice or process is introduced in a level, it becomes required for all levels above that as well. Thus, for example, for an organization to achieve Level 3, all the practices and processes defined in Levels 1, 2 and 3 must be achieved.

CMMC Timeline

CMMC applies to your business, even if you handle just FCI (Federal Contract Information) and not CUI. FCI is sensitive information that is not intended for public release. And implementation is on the fast track:
CMMC on the Fast Track

  • January 2020: Release of CMMC Version 1.0
  • January to June 2020: Capacity building of third party accreditors (C3PAOs)
  • June 2020: C3PAO market place opens
  • June 2020: CMMC requirements added to DoD RFIs
  • Sept. 2020: CMMC requirements incorporated into DoD RFP Sections L and M and used as the basis for “go/no-go” decisions.

As of Sept. 2020, the CMMC level of every DoD contractor and subcontractor must be certified by a C3PAO in order to do business with DoD.

What does my company need to do to comply?

First, determine the appropriate CMMC level for your company. It appears most likely that companies that handle just FCI (Federal Contract Information), and not CUI, will need to achieve Levels 1 or 2. Any company that handles CUI will need to achieve at least Level 3.
Once you determine the CMMC level you want to achieve, examine the current state of your cybersecurity and identify gaps between your organization’s capabilities and the requirements for the level you seek. It will be most productive if you conduct the gap analysis based on Appendix A of the CMMC v0.7 report. That appendix contains a matrix that lists all the required capabilities for each of the 17 domains, along with corresponding required practices, for each maturity level.
As your business considers how to address its cybersecurity deficiencies, keep in mind that with the adoption of CMMC, cybersecurity will be an allowable cost. Begin building budgets for what it will take to upgrade your cybersecurity to the level you need, and figure out how those costs will affect your rates.

How PreVeil can help

Defense companies must meet at least 110 requirements set out by the CMMC in order to work with CUI. PreVeil’s email and File platforms allow businesses to meet many of the requirements right out of the box. Moreover, PreVeil enables them to meet these standards without impacting their existing email and file servers.


PreVeil Email enables companies to send and receive encrypted emails from their existing email address.
It can integrate with mail clients like Outlook, Gmail, and the Mail app for Macintosh, and also works on browsers and mobile devices. When PreVeil email is used with Outlook, Gmail, or Apple Mail, the installation process creates a new set of mailboxes for your encrypted messages. Messages in these new mailboxes are encrypted and stored on PreVeil’s servers. There’s no change to the mailboxes that were already in your mail program and no impact to the servers that store your regular, unsecured messages.
Learn more about PreVeil email


PreVeil Drive enables end-to-end encrypted file sharing and storage.
Users can access files stored on Drive from any of their devices or share files with other users with desired access permissions. Unlike Box, OneDrive, Google Drive, and DropBox, who always have access to your data, only you and the people with whom you’ve explicitly shared files can decrypt them.
Learn more about PreVeil Drive

Learn more about how PreVeil can help you meet the demands of CMMC level 3 compliance when you schedule a meeting with our sales team.