CMMC is now live and will appear in contracts by mid-2025.

Defense contractors handling Controlled Unclassified Information (CUI) under DFARS 7012 must achieve CMMC Level 2 compliance by adhering to the 110 controls outlined in NIST SP 800-171, verified through third-party assessments conducted by C3PAOs. 

Microsoft 365 Commercial environments alone do not meet CMMC or DFARS requirements. Contractors have two primary compliance options:

  1. Integrate PreVeil with M365 Commercial: Overlay PreVeil’s compliant, end-to-end encrypted email and file-sharing solution onto your existing M365 Commercial environment. PreVeil handles all communications and file sharing involving CUI to meet DFARS, CMMC, and ITAR compliance requirements. This approach preserves existing workflows and IT investments, allowing the M365 platform to continue supporting non-DoD and non-CUI tasks.
  2. Migrate to Microsoft GCC High: Completely decommission your existing M365 environment and replace it with compliant versions of M365 applications hosted on Microsoft’s GCC High cloud environment—a process that is complex, expensive, and time-consuming.

Both solutions have demonstrated successful compliance in multiple assessments. PreVeil typically suits small and mid-sized businesses (SMBs), commercial enterprises with smaller defense subsidiaries, and organizations with international operations. Conversely, GCC High is generally preferred by large enterprises with extensive IT and compliance resources, significant budgets, and deep investment in Microsoft’s ecosystem.

This blog outlines key considerations to help organizations choose the best solution. It describes how an organization can quickly, straightforwardly, and cost-effectively integrate PreVeil into its existing M365 Commercial environment to achieve CMMC Level 2 certification without extensive system overhauls.

Understanding CMMC Level 2 Requirements

Any organization that handles CUI is subject to DFARS 252.204-7012, which invokes three requirements:

  • Protect unclassified Covered Defense Information (CDI) in accordance with NIST 800-171. To provide adequate security, contractors must implement the 110 security controls stipulated in NIST SP 800-171.
  • Report any cyber incidents to the DoD and provide access to servers and logs. Contractors need to report all cyber incidents (even commercial attacks) to the DoD, share all cyber incident data, retain that data for 90 days, and assist DC3 with any follow-up investigations as needed. See PreVeil’s blog on DFARS 7012 (c)-(g), which specify these requirements.
  • Ensure Cloud Service Providers (CSPs) meet FedRAMP Moderate or equivalent standards. PreVeil is the first Cloud Service Provider (CSP) to meet this stringent FedRAMP Moderate Equivalency requirement.
  • Contractors must demonstrate compliance through assessments conducted by certified third-party organizations (C3PAOs).

Limitations of Microsoft 365 Commercial

Microsoft 365 Commercial alone is insufficient for handling CUI under CMMC Level 2. It lacks critical security controls mandated by NIST SP 800-171 and does not fully meet DFARS 7012 requirements, particularly regarding incident reporting and data preservation. Microsoft openly acknowledges these limitations in its official product comparison documentation.

Source: Microsoft

How PreVeil Enables Compliance with M365

PreVeil provides a compliant, end-to-end encrypted email and file-sharing SaaS platform hosted on Amazon Web Services (AWS). It securely stores CUI within the US Sovereign FedRAMP High AWS GovCloud. PreVeil integrates seamlessly into existing M365 Commercial setups, enhancing compliance without workflow disruptions. The PreVeil solution consists of four key elements:

  • PreVeil Email: Seamlessly integrates with M365 (Outlook) enabling encrypted communication for CUI using existing email addresses.
  • PreVeil Drive: Provides secure cloud file storage and sharing for CUI, functioning similarly to OneDrive and fully integrated into Windows Explorer or Mac Finder.
  • Compliance Documentation Accelerator: Offers detailed, pre-filled compliance documentation and tutorials aligned with the PreVeil CUI platform, significantly reducing compliance effort and cost.
  • Partner Network: Our network of consultants, MSPs, and assessors helps streamline your compliance journey, from preparation through assessment, while saving you time and money.

Integrating PreVeil with M365 Commercial also brings the following benefits:

  • Quick Deployment: Implement within hours, supported by PreVeil’s expert team.
  • Selective License Deployment: Licenses are required only for users handling CUI, significantly reducing costs.
  • Free Supplier Collaboration: Enables secure collaboration with external partners at no additional cost using PreVeil Express accounts.
  • End-to-End Encryption: Guarantees unparalleled Zero Trust security and compliance with CMMC, DFARS, and ITAR.
  • Cost Efficiency: Rapid deployment, low-cost licenses, and integrated compliance documentation typically save organizations up to 75% compared to GCC High migrations.
  • Partner Network: Access to PreVeil’s extensive network of over 700 consultant experts and C3PAOs to refine documentation and streamline assessments.
  • Ease of Use: Integrates intuitively with familiar tools such as Outlook for email and native PC and Mac file systems. CUI can also be accessed via browsers and mobile devices (iOS, Android).

Watch the PreVeil Integration Video for a visual demonstration of the user setup.

PreVeil has effectively assisted numerous organizations in achieving CMMC Level 2 compliance:

  • FIPS 140-2 Validated Encryption: Provides robust encryption essential for compliance.
  • Successful Assessments: 20+ defense contractors, including multiple C3PAOs, have successfully passed CMMC assessments using PreVeil.
  • FedRAMP Equivalency: Meets FedRAMP Moderate Equivalency standards required by DFARS 7012.

Migrating to Microsoft GCC High

Migrating to GCC High involves fully replacing the existing M365 environment with Microsoft’s GCC High applications hosted on its US Sovereign Cloud. This complex migration, often spanning several months, requires specialized consultants because of the extensive configuration needed to achieve compliance.

  • Full-Featured System: GCC High offers extensive configuration capabilities suitable for large, compliance-intensive enterprises.
  • Higher Costs: Significant investment due to costly expert implementation and elevated licensing fees.
  • Complex External Communication: Requires costly guest licenses for compliant collaboration with external entities not on GCC High.
  • No Documentation Support: The absence of integrated compliance documentation significantly increases cost and complexity, necessitating expensive consultants or internal compliance specialists.
  • Configuration Challenges: Frequent software updates and numerous configurable options increase the complexity of maintaining continuous compliance.

Conclusion

For defense contractors seeking a practical, cost-effective solution for CMMC Level 2 compliance, integrating PreVeil with M365 Commercial provides a proven, efficient pathway. This approach effectively secures CUI, preserves existing workflows, and avoids significant complexities and costs associated with migrating to GCC High.
