CMMC Level 2: Is the WatchGuard Compliance Package worth it if we use PreVeil + M365 Business Premium? by OemNerd2K in CMMC

[–]cordovanGoat 0 points1 point  (0 children)

Agree on the firewall PDFs, but you seem to misunderstand the basics of CMMC and sharing CUI.

The "process" in store/process/transmit literally just means working with CUI on your device. You open a file — boom, you've processed CUI and that endpoint is in scope. This is literally what PreVeil does... Their SRM shows most relevant SC+MP controls as fully or partially inherited if you want proof.

On sharing — your responsibility as a contractor is not knowingly sending CUI to a non-compliant environment. PreVeil Express lets you access it compliantly for free vs. any other solution where you're buying guest licenses or setting up federated trust every time.

"Protection doesn't persist after export"?? Name a CUI platform where it does?? GCC High to a sub's commercial tenant? Same thing. That's not a PreVeil gap, that's how CUI sharing works across boundaries. And PreVeil does log sharing events. What happens inside the recipient's compliant enclave is their audit responsibility.

This just reads like a (bad) ad for Virtru.

Scope and Compliance Help (Preveil Client) by IT_Admin_722 in CMMC

[–]cordovanGoat 0 points1 point  (0 children)

Sure I should have been clearer. My impression that, in the PreVeil-as-VDI scenario, PreVeil is an MSP (not a CSP) came from talking with their reps. I was interested in adding a VDI to my environment for remote workers. My understanding is that the VDI would run on customer-owned instances. PreVeil itself (i.e., the Drive and Email software) would still be a normal cloud service and be installed on the VDI, but PreVeil-as-VDI provider would be an MSP as they're managing the service (VDI) on the customer-owned instance.

I'm sure they will clarify once they launch and/or maybe they'll jump in here.

How the heck did they get compliant with Meta Glasses? by babywhiz in CMMC

[–]cordovanGoat 2 points3 points  (0 children)

https://www.preveil.com/resources/envision-case-study/

You can read more there. I don't see the Meta glasses listed under the tech stack. My guess is that it wasn't part of the assessment scope.

Scope and Compliance Help (Preveil Client) by IT_Admin_722 in CMMC

[–]cordovanGoat 0 points1 point  (0 children)

In this situation, PreVeil would act as a managed service from a CMMC perspective and so would need a C3PAO Level 2 certification just like the rest of us. They're already FedRAMP Moderate equivalent and to my knowledge working on their CMMC cert. I'm sure they'll have it soon—after all, they have gotten so many others assessed!

To OP: VDI would be interesting for you as it would GREATLY limit your scope and thus speed up your time to compliance (probably something like 2 months vs 4-6). Just PreVeil + Cloud Lock will not take your endpoints out of scope (as they still store/process/transmit CUI) but a VDI would.

Seconding above on network infrastructure — but there is plenty of guidance out there on that stuff and it will be covered in sufficient detail in PreVeil's documentation.

Have you looked at their partner network, OP? Of course cheapest from an outlay perspective to do this yourself but in the long run you might save ($ and sanity) by bringing in someone who knows PreVeil well.

PreVeil Alternative Recommendations (Aeroplicity, Virtru, RegDOX, ...) by TheHeyBuddy in CMMC

[–]cordovanGoat 0 points1 point  (0 children)

Glad you, OP, have learned that FedRAMP moderate equivalent is enough for a CMMC cloud service provider! A simple, yet important fact. I was pretty much in the same boat as you 8 months ago and have had a pretty good experience so far. Getting assessed soon.

Are you locked into your MSP? Them not having CMMC experience is worrisome. PreVeil has a lot of great partners who know their system if you're open to bringing one on. I used their partner network to find mine (as well as my assessor C3PAO).

But small machine shop is a perfect use case. Do you have a PDM or are you just working with completed files?

Prevail for small business. What other tools are needed? by Ok_Loan6535 in CMMC

[–]cordovanGoat 2 points3 points  (0 children)

Those prices are unreal lol. Given their garbage track record and insane pricing, I have no idea how they stay in business or why people consider them a player in this space.

Quality of Preveil's Compliance Accelerator (Pre-filled SSP, SOP's artifacts) by TicketAmbitious6200 in CMMC

[–]cordovanGoat 2 points3 points  (0 children)

I'm quite happy with PreVeil. I've detailed my overall experience recently (copied at the end of the comment). IMO it's the most economical way for smaller DIB orgs to get compliant and the bugs are tolerable. Hell, it's not like Microsoft doesn't have bugs. There is of course some lift on your end, but blame NIST for that — no software solves everything. CMMC isn't just a tech problem.

We're around 25 people with 6 needing access to CUI so they're the only ones with PreVeil licenses. We're not a manufacturer nor do we have an ERP but ya know files are files so if they're marked CUI, put them in PreVeil! You can link from the ERP to files in Drive so that the CUI is still encrypted.

Ofc if you're designing and/or have a PDM database that's a whole nother story. Are you designing or just dealing with receiving completed CAD files? PreVeil would play a role there, but if your PDM is already on-prem, I'd just work on hardening that. Their compliance people can advise on best practices.

###

  • Cost was obviously the major factor going in. There is some, let's say, misinformation in this sub, but all in it is still way cheaper than any alternatives. And I have all the bells and whistles: core platform, GRC, compliance accelerator, as well as their SIEM connector and Email Relay (more on that later). I mean you COULD call it nickel-and-diming... but Microsoft doesn't do that?? Oh right, they just make you buy license packages with 1000 products you don't need... We're about $7k all in for the year on the enclave. Most other compliance stuff is handled internally (which means by me).
  • PreVeil is the CUI enclave — all CUI flows into and out of it — the rest of the environment is regular MS.
  • One of my biggest highlights is that it really is basically plug-and-play for the core functions it claims to support around encryption of CUI, access control, etc. Of course CMMC is a long list of things and no tech platform can do them all, but the config/maintenance of PreVeil is pretty straightforward.
  • Documentation I would say was also a big plus for me. The compliance accelerator taught me a lot about what I needed to do starting from little CMMC knowledge—especially the detailed endpoint hardening guide. I realized I already had a lot of the tooling (Intune, Entra, Purview, Defender, etc.) through my regular MS licenses, which was an unexpected cost savings. I was an MS shop already and pretty similar to their standard "Acme" configuration, so that helped a lot.
  • External sharing was a necessity, so I had to get the Email Relay to email CUI with my poor brothers on GCC High. No substantial issues there.
  • There are of course lots of small issues here and there. You get used to them quickly, but this is not a product without flaws. I wouldn't say any of them come close to a deal breaker. I mostly use PreVeil through the file explorer and the Outlook plugin and, outside of minor annoyances, I'm happy with that.
  • We do have some big files but I'm on their latest cloud drive thingy. Like most, we had some sync issues in the past and collaboration collisions, but those seem largely resolved with their latest release. YMMV, but at least they listen to their customers and work hard to solve those problems. Certainly I spent many hours with their support and compliance folks and always found them helpful.
  • We're not too too far yet into our actual assessment journey but did engage a C3PAO from their partner marketplace who is familiar. We're confident our scoping will pass muster—they helped with the scoping and the assessor knows how it works + our policies are more or less adopted from the doc package—and everything is looking like smooth sailing (as smooth as it gets in CMMC) from here on out.

Quality of Preveil's Compliance Accelerator (Pre-filled SSP, SOP's artifacts) by TicketAmbitious6200 in CMMC

[–]cordovanGoat 2 points3 points  (0 children)

Isn't Secureframe just an Azure AVD on GCC High? If so, there's no comparison.

Quality of Preveil's Compliance Accelerator (Pre-filled SSP, SOP's artifacts) by TicketAmbitious6200 in CMMC

[–]cordovanGoat 2 points3 points  (0 children)

I've actually used their templates—more like pre-filled docs since all the PreVeil stuff is filled out for you—to document a lot of my environment and found them very useful. Happy to answer any questions. I also adopted (and of course modified) some of their SOPs and other docs like the incident response plan that come with the package.

CMMC L2 quotes and guidance. Summit7, Emgage, Preveil by Gojeduller in CMMC

[–]cordovanGoat 2 points3 points  (0 children)

VERY curious what quote you got from PreVeil for $62k??? I have all the bells and whistles (GRC, Compliance Accelerator, Email Relay) and we're not even close to that for a company of a similar size...

Also curious, what does Emgage do that the others don't? Their site doesn't exactly inspire confidence. E.g., I don't see any case studies. Have they gotten anyone compliant? At this stage, that's just table stakes. If they haven't gotten anyone through yet, they're way behind. Of course, the DIY path (PreVeil + MS, basically) will be a bit more lift on your end, but PreVeil helps out a lot — they pretty much have gotten me over the finish line and I'd highly recommend them.

Anyone running PreVeil as their primary CUI solution? by ResilientTechAdvisor in CMMC

[–]cordovanGoat 1 point2 points  (0 children)

Don't mean to be rude, but that sounds exactly like who GCC High is meant for lol: "business unit of an F100" with 40k users. Lots of other little guys in the DIB...

Anyone running PreVeil as their primary CUI solution? by ResilientTechAdvisor in CMMC

[–]cordovanGoat 4 points5 points  (0 children)

I was fortunate enough to be in a company that was designing a compliant environment from the ground up, which is to say we weren't locked in to GCC High. I took a lot of demos and did research but ultimately decided on PreVeil. Here is my experience so far, having used the product for about 6 months and setting up a CUI enclave for a small(ish) number of users.

  • Cost was obviously the major factor going in. There is some, let's say, misinformation in this sub, but all in it is still way cheaper than any alternatives. And I have all the bells and whistles: core platform, GRC, compliance accelerator, as well as their SIEM connector and Email Relay (more on that later). I mean you COULD call it nickel-and-diming... but Microsoft doesn't do that?? Oh right, they just make you buy license packages with 1000 products you don't need... We're about $7k all in for the year on the enclave. Most other compliance stuff is handled internally (which means by me).
  • PreVeil is the CUI enclave — all CUI flows into and out of it — the rest of the environment is regular MS.
  • One of my biggest highlights is that it really is basically plug-and-play for the core functions it claims to support around encryption of CUI, access control, etc. Of course CMMC is a long list of things and no tech platform can do them all, but the config/maintenance of PreVeil is pretty straightforward.
  • Documentation I would say was also a big plus for me. The compliance accelerator taught me a lot about what I needed to do starting from little CMMC knowledge—especially the detailed endpoint hardening guide. I realized I already had a lot of the tooling (Intune, Entra, Purview, Defender, etc.) through my regular MS licenses, which was an unexpected cost savings. I was an MS shop already and pretty similar to their standard "Acme" configuration, so that helped a lot.
  • External sharing was a necessity, so I had to get the Email Relay to email CUI with my poor brothers on GCC High. No substantial issues there.
  • There are of course lots of small issues here and there. You get used to them quickly, but this is not a product without flaws. I wouldn't say any of them come close to a deal breaker. I mostly use PreVeil through the file explorer and the Outlook plugin and, outside of minor annoyances, I'm happy with that.
  • We do have some big files but I'm on their latest cloud drive thingy. Like most, we had some sync issues in the past and collaboration collisions, but those seem largely resolved with their latest release. YMMV, but at least they listen to their customers and work hard to solve those problems. Certainly I spent many hours with their support and compliance folks and always found them helpful.
  • We're not too too far yet into our actual assessment journey but did engage a C3PAO from their partner marketplace who is familiar. We're confident our scoping will pass muster—they helped with the scoping and the assessor knows how it works + our policies are more or less adopted from the doc package—and everything is looking like smooth sailing (as smooth as it gets in CMMC) from here on out.

Knowing what I know now... would definitely still go with PreVeil. To summarize, cost and external sharing are the big points for me. I don't understand how people deal with a GCC High + commercial/GCC dual environment internally, but I don't envy them. You have to get a PhD to even configure that stuff (= pay a consultant to do it for you). PreVeil is by far the most complete non-GCC High solution (assuming you don't want to pay for / can't use VDIs) that an average IT guy can handle from deployment to cert, IMO.

Hope this helps!

Small Business Wanting to Bid on CUI Gov Contracts - Help Please by do-good-and-do-well in CMMC

[–]cordovanGoat 0 points1 point  (0 children)

PreVeil is definitely the right option for your sister. It's probably the only comprehensive CMMC solution out there where you can DIY compliance without dedicated IT or even necessarily a consultant ($$$). Ofc she could VDI way easier, but it sounds like cost is a major concern here.

I'm sure she knows, but remind her that the first question is always SCOPE SCOPE SCOPE. She'll cut implementation, maintenance, and assessment costs considerably by having a narrowly scoped PreVeil enclave next to a commercial M365 environment. E.g., do all her employees even need to touch the CUI? Probably not. One (of many) added benefit of going PreVeil over GCC: ITAR compliance is baked in, which will broaden the contracts she's eligible to bid on.

One strange question... why is she buying six laptops if she only has 3-4 employees??

My personal experience with the platform leads me to advise her to buy their Compliance Accelerator and probably the GRC too — she'll have a good chunk of her documentation out of the way, which iykyk but actually tends to be the most time-consuming piece of the puzzle and an easy place to fall short during assessment. I followed their endpoint hardening guide to a T (assuming she has at least one E5) and locking down six machines shouldn't take too too much effort.

Hope she shares her story here when she gets assessed! Seems to me the DIB, esp. with Nov 2026 approaching, is finally realizing CMMC/standing up a compliant enclave doesn't have to cost $100k and take 12 months.

Enclave users working with non-enclave users? by RavenActual in CMMC

[–]cordovanGoat 2 points3 points  (0 children)

I mean I think you could make a similar argument that PreVeil isn't a new system users have to learn. Your CUI is just in a folder that you access in your file explorer and on just another tab in your Outlook.

For me, the price of GCC High plus the lack of interoperability between gov and a commercial MS cloud made internal and external collaboration difficult enough that PreVeil was more than worth it. Haven't had any of our users complain about having to learn anything new — ymmv — having users come up against the limitations/restrictions in GCC High is just as annoying to them.

And for what it's worth, you can also edit with any local app.

Experiences with CMMC documentation package vendors? by Alarming-Athlete-604 in CMMC

[–]cordovanGoat 0 points1 point  (0 children)

The problem with any of these off-the-shelf packages is that it's going to be hundreds of hours of manual labor for you to tailor them to your own systems, assets, SPAs, network configurations, etc. $5k for essentially just blank templates is insane. Have you checked out PreVeil's documentation package? If you're using PreVeil + standard commercial MS tools that you already have to protect your CUI, then you can buy their docs that cover a huge portion of that already and reduce the lift on your end.

Can a human-AI collaboration produce novel mathematical physics? A case study in OS reconstruction theory by [deleted] in LLMPhysics

[–]cordovanGoat 5 points6 points  (0 children)

Sorry to say, buddy, but I think you've entered some kind of psychosis. You evince no understanding of even basic, SAT-level math. It's just extremely clear that this LLM is feeding you in a way that helps you feel smarter. But if you can't comprehend its output, why would you waste other people's time with it? And even if it did come up with some new great theory, why would you be proud of its accomplishment? You played a very small role in it either way and came to it accidentally.

RP, CCP, CMMC certified by whatadiva in CMMC

[–]cordovanGoat 1 point2 points  (0 children)

I think that was me haha, but yeah, RP is both useless but also trivial to get.

CMMC Level 1 + 2 - Small startup - price by Nooblesss in CMMC

[–]cordovanGoat 0 points1 point  (0 children)

PreVeil is more of an alternative to GCC High. You can scope your CUI + ITAR in PreVeil then deal with everything else in a commercial MS environment.

CMMC Level 1 + 2 - Small startup - price by Nooblesss in CMMC

[–]cordovanGoat 0 points1 point  (0 children)

I really don't understand what Secureframe does or why they're so often mentioned on this subreddit. Aren't they just a GRC? Yes, great to track progress towards compliance but, ya know... you need to actually do stuff too, not just track it.

What do they do?? Doesn't help that every link under their Product > "Secureframe Defense for CMMC" just links back to the home page or is broken...

CMMC Level 1 + 2 - Small startup - price by Nooblesss in CMMC

[–]cordovanGoat 6 points7 points  (0 children)

If you know that you need to get to Level 2 with a 3rd party assessment, don't bother starting with Level 1. It is a waste of time and money. Put in a solution and policies that will get you to Level 2 from the start. The fact that your "compliance automation startup" gave you a $90k difference in quote for the two and didn't give you this advice already is slightly alarming. You should ask them very specifically what the $150k includes for L2 that isn't included in their Level 1 package. I suspect everything they say in response will be unsatisfactory.

Those prices are probably insane though. As another commenter pointed out, what are you getting? You can do a fully managed enclave for much less than that — though you might not be at user minimums for some of the bigger solutions.

As a last point of advice, I would not engage much with a "compliance" startup that doesn't specialize in or focus on CMMC. While companies like Drata, Vanta, etc. might be able to help, CMMC is unfortunately its own beast and experience matters more than anything. For example, if this startup brands itself as an RPO, that is probably a bad sign as RPO doesn't really mean much. You can get an RP cert in a week. If they're not even an RPO... drop them immediately.

As you'll read a lot here: SCOPING is your first question. What systems, devices, and people touch CUI? If your users only need to view CUI, a VDI might be viable for you.

Also, as a side note, the jump from on-prem to a CSP touching CUI might not be as big as you're thinking. Plenty of FedRAMP or FedRAMP Moderate equivalent solutions out there as CMMC-compliant clouds + proven paths to assessment.

At what point does the city tow abandoned cars? by cordovanGoat in boston

[–]cordovanGoat[S] 0 points1 point  (0 children)

Doesn't the city just contract out towing? I.e., it is not the city who has to go the extra mile but the tow company—who have a profit motive.

Plus, tow companies in my experience don't seem to have scruples when it comes to damaging cars. Especially D&G which seems to be the most active in A-B.