Encrypted Email & File Collaboration for DFARS & CMMC Compliance

DFARS & CMMC Compliance Mandates & Timeline

PreVeil’s 3 Part Solution for CMMC & DFARS Compliance

Email & Drive file collaboration protect CUI with end-to-end encryption. Meets FedRAMP, FIPS 140-2, and DFARS 7012 c-g.

A proven toolkit with C3PAO-validated videos, pre-filled documentation (Standard Operating Procedure, System Security Plan, etc), and 1×1 support from our compliance experts.

Support through your entire compliance journey- from prep to assessment- through our compliance team & network of CMMC consultants & auditors.

PreVeil is the first company to fully meet the stringent, updated DoD requirements for FedRAMP Moderate Equivalent. We have 100% compliance with FedRAMP Moderate baseline controls and zero POA&Ms. Since FedRAMP is a requirement for CUI in the cloud, customers can be confident in their ability to be CMMC and DFARS compliant with PreVeil.

PreVeil’s Email and File Sharing platform enables contractors to protect CUI with end-to-end encryption & supports 102 out of 110 NIST 800-171 controls.

PreVeil provides pre-filled documents with approved language covering all 110 NIST 800-171 controls; Get our Standard Operating Procedures, System Security Plan, and more.

DFARS 7019 requires organizations to compute their NIST 800-171 compliance score and report it to the DoD’s SPRS database. By adopting our solution, this PreVeil customer increased their SPRS score by over 80 points.

In addition to NIST 800-171, PreVeil provides support for DFARS 7012 (c-g) Incident Reporting, meets FedRAMP Moderate Baseline Equivalent and uses FIPS 140-2 validated encryption modules to protect CUI.

This custom roadmap to CMMC, guided by compliance experts and CMMC assessors (C3PAOs), takes you from the theoretical to the practical.

We provide 1×1 support through your entire compliance journey – from prep to assessment through our network of CMMC consultants and auditors.

Why Leading Defense Contractors Use PreVeil

Deploys in hours using your existing email addresses and integrates with Outlook, Gmail, and all your usual workflows.

Only users handling CUI require a low-cost, all-inclusive license. Share with 3rd parties for free.

Over 10 defense contractors + C3PAO customers have achieved perfect 110 scores in DoD assessments

Get to Know the PreVeil Platform

PreVeil Drive lets users encrypt, store and share their files containing CUI. Users can easily access these files from their computers or phones and share them with suppliers and partners. Works with Windows Explorer, Mac Finder and on browsers.

PreVeil Email is an encrypted email service that addresses CMMC, DFARS and ITAR requirements. It adds an encrypted mailbox to Outlook and Gmail, letting users send and receive emails just like they are used to.

All data is automatically stored on Amazon’s FedRAMP High GovCloud.

PreVeil implements NSA-recommended Zero Trust security and assumes a breach is inevitable. We secure all data using end-to-end encryption, making it useless to hackers. Information is only encrypted and decrypted on a user’s device- never on the server. It can also be recovered from a Ransomware attack. Organizations can restrict the flow of CUI to their trusted partners and suppliers.

A Proven Solution

Over 10 defense contractors + C3PAOs have used PreVeil to achieve perfect 110 scores in DoD assessments

Frequently Asked Questions

DFARS 7012 requires defense contractors to:

  • Provide adequate security to protect unclassified Covered Defense Information (CDI). To provide adequate security, contractors must implement the 110 security controls stipulated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. To learn more, see PreVeil’s white paper, NIST SP 800-171: Improving cybersecurity and raising your SPRS score.
  • Rapidly report cyber incidents to the Department of Defense Cyber Crimes Center (DC3). In addition to reporting cyber incidents, contractors also need to share all cyber incident data requested by D3C, retain that data for 90 days, and assist DC3 with any follow up investigations as needed. See PreVeil’s blog on DFARS 7012 (c)-(g), which specify these requirements.
  • Meet Federal Risk and Authorization Management Program (FedRAMP) standards. Contractors must confirm that their Cloud Service Providers (CSP) have achieved the FedRAMP Baseline Moderate or Equivalent standard. PreVeil’s blog addresses the criteria for the FedRAMP Moderate Equivalent standard.

Read more about DFARS 7012 on our blog.

DFARS 252.204-7019, entitled Notice of NIST SP 800-171 Assessment Requirements, was released along with clauses 7020 and 7021 in the DoD’s November 2020 DFARS Interim Rule. The DFARS 7019 clause requires contractors to complete two main tasks:

  • Conduct a self-assessment of NIST SP 800-171 compliance according to DoD Assessment Methodology, and
  • Report their NIST SP 800-171 self-assessment scores to the DoD via its Supplier Performance Risk System (SPRS). SPRS scores must be submitted by the time of contract award and not be more than three years old.

The Interim Rule is a key component of the Department of Defense’s campaign to increase compliance with its cybersecurity regulations and improve security throughout the Defense Industrial Base (DIB).

Read more about DFARS 7019 on our blog.

DFARS 252.204-7012 (c)-(g) stipulate actions that an organization must take in the event of a cybersecurity incident. Note that DFARS 252.204-7012 (c)-(g) is currently in effect and has been for several years.

Briefly, the requirements are:

Compliance with DFARS 252.204-7012 (c)-(g) requirements for cyber incident reporting. Briefly, the requirements are:

c) cyber incident reporting to the DoD Cyber Crimes Center (DC3)

d) malicious software, if discovered, to be submitted to DC3

e) media preservation and protection for 90 days

f) provide DC3 access to additional information if requested

g) assist DoD with cyber incident damage assessment if requested

Read more about your c-g requirements on our blog.

DFARS 7012 requires implementation of the 110 security controls specified in NIST SP 800-171. When CMMC is implemented as expected in 2023, CMMC Level 2—the minimum level that must be attained by contractors that handle CUI—also will require compliance with the same 110 NIST SP 800-171 security controls.

The key difference between the DFARS 7012 and CMMC Level 2 requirements is that under DFARS 7012, compliance with NIST SP 800-171 has not been consistently enforced. Under CMMC, compliance will be checked by independent third-party assessors certified by DoD.

As Stacy Bostjanik (Chief Defense Industrial Base Cybersecurity, U.S. Department of Defense) said during PreVeil’s Oct. 2022 CMMC Summit, “CMMC is just the validation program that people have done what they already agreed to do in complying and establishing the requirements of NIST 800-171 in their current networks.”

First, all defense contractors need to develop a System Security Plan (SSP) that details the policies and procedures their organization has in place to comply with NIST SP 800-171. The SSP serves as a foundational document for your required NIST SP 800-171 self-assessment and is a prerequisite for consideration for a DoD contract.

Self-assessment scores need to be filed with the DoD’s SPRS. The highest score is 110, meaning that all 110 NIST SP 800-171 security controls have been fully implemented.

If a contractor’s SPRS score is less than 110, indicating that security gaps exist, then the contractor must create a Plan of Action & Milestones (POA&M) that identifies security tasks that still need to be accomplished. The POA&M details required resources, milestones that must be met, completion dates for those milestones, and more.

Know that at this point, an SPRS score of 110 is rare . The key is to have an active plan in place to continue to improve your organization’s cybersecurity. The plan should address other DFARS 7012 mandates, too, including those related to cyber incident reporting and ensuring that your cloud service provider meets required FedRAMP standards.

Your System Security Plan should address other DFARS 7012 mandates, too, including DFARS 7012 (c)-(g) related to cyber incident reporting and cooperating with the DoD on any ensuing investigations. DFARS 7012 also requires defense contractors to ensure that their Cloud Service Provider (CSP) meets required FedRAMP standards. Don’t take that for granted—confirm with your CSP that it has achieved at least FedRAMP Baseline Moderate or Equivalent level.

PreVeil is also an ideal tool for collaborating with suppliers. Contractors can set granular permissions such as read only or view only to maintain control and visibility over their data. They can revoke access anytime by unsharing. PreVeil can be downloaded for free by subcontractors. Primes can be assured their supply chain is compliant and secure.

PreVeil’s Email Gateway offers its customers a communication channel that enables them to seamlessly send and receive email with Primes or .mil personnel that are restricted from creating a free PreVeil account. Please reach out to PreVeil for more information.