Independent Buyer's Guide · CMMC 2.0 & DIB Compliance
CUI Email Encryption for CMMC: What Actually Passes a Level 2 Assessment
By The Defense Compliance Report Editorial Team · Independent CMMC and DIB compliance research.
Last verified: · Next scheduled review: September 2026, or sooner if DoD, NIST, the Cyber AB, DFARS, or FedRAMP status changes.
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the U.S. Department of Defense, DCMA DIBAC, NIST, the Cyber AB, or any U.S. government agency. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This guide is educational and editorial — not legal, contractual, cybersecurity, or assessment advice.
Compensation status for each named provider is shown in the comparison table. If any status changes, the table is the first place we update it.
CUI email encryption for CMMC comes down to three requirements most contractors blur into one. If an email carries Controlled Unclassified Information (CUI), CMMC Level 2 requires you to protect it in transit (NIST SP 800-171 Revision 2 control SC.L2-3.13.8), protect it at rest (SC.L2-3.13.16), and use FIPS-validated cryptography whenever encryption is what's protecting it (SC.L2-3.13.11). Ordinary email secured only by Transport Layer Security (TLS) doesn't get you there — and the gap is one of the most common findings on Level 2 assessments.
This guide explains which methods actually work, what FIPS-validated means (and why "FIPS-compliant" isn't), how much SPRS score exposure an unprotected CUI-email workflow creates, and what an assessor will actually want to see as proof. Sources are primary — NIST CSRC, acq.osd.mil, the Federal Register, and DoD's own scoring methodology.
The CUI email decision matrix: what passes, what fails
Every common way DIB contractors send CUI by email, scored on the two questions that actually decide the outcome — is the CUI itself encrypted at rest, and can the wrong party decrypt it? Anything that leaves CUI readable once it lands, or hands the keys to a cloud that isn't authorized to hold CUI, is a finding waiting to happen.
| Email method | CUI protected at rest? | Who can decrypt it? | FIPS-validated module? | Covers CUI-Specified (e.g., ITAR)? | Likely Level 2 outcome |
|---|---|---|---|---|---|
| Normal Outlook/Gmail, opportunistic TLS only | No — TLS covers the hop; protection then depends on the mailbox/platform | Your mail provider | Not for the message content | No | Likely finding |
| Normal email + enforced TLS to a known partner domain | Not at rest; depends on the partner protecting it too | Both mail providers | Only if the TLS modules are validated and you can prove it | No | In-transit only — likely gap |
| Microsoft 365 Commercial + Office 365 / Purview Message Encryption (OME) | Message is wrapped, but CUI is still processed in Commercial cloud | Microsoft (Commercial) | Modules exist; the environment is the problem | No | Likely gap for CUI |
| Self-managed S/MIME (your own certificates/PKI) | Yes — message-level, end to end | You (your keys) | Yes, if your module is validated | Possible, but key management is heavy | Can pass once configured & evidenced |
| End-to-end overlay on Commercial (e.g., PreVeil, Virtru — company-stated) | Company-stated end to end; CUI wrapped before it leaves the device | You / the overlay (zero-knowledge designs) | Company-stated FIPS-validated | Verify per product and data type | Can pass — verify the specifics |
| Microsoft 365 GCC High (native) | Yes — inside a U.S.-sovereign, FedRAMP High-level environment | Microsoft (U.S.-sovereign, screened U.S. persons) | Yes | Yes — built for CUI-Specified | Can pass once configured & evidenced |
| Keep CUI out of the email body; use a secure portal/file-transfer for the document | Yes — the CUI lives in the encrypted portal, not the inbox | You / the portal (verify) | Yes, if the portal uses validated modules | Verify | Can pass if the email body carries no CUI |
No method here "passes" on its own. Each outcome assumes the method is correctly configured, scoped, and documented — which is the whole game. Two questions decide almost every case: Is the CUI itself protected — not just the pipe it traveled through? And can the wrong party, including your cloud provider, decrypt it?
Not sure which row is yours? Run your setup through the CUI Email Path Checker below — or tell us your level, scope, and timeline.
Can you actually email CUI under CMMC?
Yes — but not through uncontrolled, ordinary email. If an email body, an attachment, a reply chain, a mailbox, an archive, a gateway, a phone, or a backup processes, stores, or transmits CUI, that flow has to be protected and documented as part of your CMMC scope.
The rule stack, with dates that matter: the CMMC Program Rule (32 CFR Part 170) became effective December 16, 2024. The 48 CFR DFARS acquisition rule that puts CMMC into actual contracts became effective November 10, 2025, starting Phase 1 of a four-phase, three-year rollout via DFARS 252.204-7021 and DFARS 252.204-7025.
Here's what almost nobody tells small contractors: none of this is new. DFARS clause 252.204-7012 — "Safeguarding Covered Defense Information and Cyber Incident Reporting" — has required defense contractors to implement NIST SP 800-171 since December 31, 2017. For Level 2, 32 CFR Part 170 maps the model to the 110 security requirements in NIST SP 800-171 Rev. 2. Not knowing the old deadline isn't a defense. Contractors have been self-certifying in SPRS for years.
What counts as "CUI in email"?
More than you'd think. CUI can live in:
- The email body and any attachments.
- Replies and forwards — including CUI buried three messages deep in a thread.
- Previews and downloaded attachments that land on a laptop or phone.
- Subject lines and filenames — a part number, a drawing ID, or a program name can itself reveal CUI.
- Archives, journaling, and eDiscovery systems that silently keep copies.
- Backups and mobile sync (cached mail on a phone is still CUI at rest).
How CUI emails have to be marked
Marking is separate from encryption, and DoD is specific. Per the DoD CUI Program (dodcui.mil), an email containing CUI must carry "CUI" as the first and last line of the message, plus a CUI designation indicator block identifying the source and category. An email that doesn't contain CUI in the body but carries a CUI attachment should say so and include the properly marked attachment.
One detail that surprises people, straight from DoD's marking guidance: do not slap a "this email may contain CUI" disclaimer on everything. Vague "may contain" language isn't a marking — it's noise. Mark what is CUI; keep the sensitive detail out of the subject line. Not sure what qualifies as CUI in the first place? Start with our CUI basics guide — that answer changes everything downstream.
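The marking rules above are mechanical enough to check before a message leaves the gateway. The script below is an added example (not from the original guide or from DoD): it reads a raw message, confirms "CUI" is the first and last body line, looks for a designation indicator block, and flags the vague "may contain CUI" disclaimer. The block field labels it looks for ("Controlled by:" and "Category:") and the two sample messages are assumptions constructed for the demonstration.

```python
"""Marking check for an outbound email that carries CUI.

Added example, not from the original guide: it checks that "CUI" is the
first and last line of the body, that a designation indicator block is
present, and that no vague "may contain CUI" disclaimer is used. The block
field labels below ("Controlled by:" and "Category:") are assumptions.
"""
from __future__ import annotations

import email
import re
from email import policy

# Labels expected inside the designation indicator block (assumed labels,
# lower-cased for matching; "CUI Category:" also satisfies "category:").
REQUIRED_BLOCK_FIELDS = ("controlled by:", "category:")

# A disclaimer is not a marking; flag it so it gets removed.
VAGUE_DISCLAIMER = re.compile(r"may contain\s+(cui|controlled unclassified)", re.I)

# Constructed sample messages; the content is placeholder text, not real CUI.
MARKED_MESSAGE = """\
From: engineer@contractor.example
To: buyer@prime.example
Subject: Drawing package for review (see attachment)
Content-Type: text/plain; charset="utf-8"

CUI
The requested drawing package is attached.
Controlled by: Contractor Engineering Office
CUI Category: CTI
Distribution/Dissemination Control: FEDCON
POC: engineer@contractor.example
CUI
"""

UNMARKED_MESSAGE = """\
From: engineer@contractor.example
To: buyer@prime.example
Subject: Drawing package for review
Content-Type: text/plain; charset="utf-8"

Drawing package attached.
This email may contain CUI and is intended only for the named recipient.
"""


def body_lines(raw_message: str) -> list[str]:
    """Return the non-empty, stripped lines of the message's plain-text body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    return [line.strip() for line in text.splitlines() if line.strip()]


def check_cui_marking(raw_message: str) -> list[str]:
    """Return findings for the message; an empty list means the marking checks pass."""
    findings: list[str] = []
    lines = body_lines(raw_message)
    if not lines:
        return ["empty body: nothing is marked"]
    if lines[0] != "CUI":
        findings.append("first line of the message is not 'CUI'")
    if lines[-1] != "CUI":
        findings.append("last line of the message is not 'CUI'")
    lowered = [line.lower() for line in lines]
    for field in REQUIRED_BLOCK_FIELDS:
        if not any(field in line for line in lowered):
            findings.append(f"designation indicator block is missing '{field}'")
    if any(VAGUE_DISCLAIMER.search(line) for line in lines):
        findings.append("vague 'may contain CUI' disclaimer found; mark what is CUI instead")
    return findings


if __name__ == "__main__":
    for name, raw in (("marked", MARKED_MESSAGE), ("unmarked", UNMARKED_MESSAGE)):
        print(name, "->", check_cui_marking(raw) or "passes")
```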
Why TLS (and normal Outlook/Gmail) isn't enough
"Our email uses TLS" is not, by itself, CMMC evidence. TLS encrypts a message while it travels between mail servers. The moment it's delivered, TLS protection ends — and the CUI's protection now depends on the recipient's mailbox, the platform's storage and key model, its archives, its backups, and any device it syncs to.
Three NIST SP 800-171 Rev. 2 requirements govern this. Getting them straight is the whole game:
- SC.L2-3.13.8 — implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission, unless otherwise protected by alternative physical safeguards. This is the in-transit control.
- SC.L2-3.13.16 — protect the confidentiality of CUI at rest. A delivered CUI email doesn't stop being CUI.
- SC.L2-3.13.11 — when cryptography is used to protect CUI confidentiality, it must be FIPS-validated. This is the how — and it applies to both of the above.
TLS might satisfy the transit piece if it's configured and validated correctly. It does nothing for the at-rest piece. The question an assessor is really asking: Can you prove CUI followed an authorized, encrypted, validated path from sender to recipient — and that the systems storing it afterward are in scope and controlled? If you can't answer that with artifacts, you have a gap regardless of what's switched on.
The attachment trap
Email transport encryption is often validated. The attachment is not — and the attachment is where the CUI usually lives. A CUI drawing sent as a standard PDF rides through an encrypted channel and arrives as a plain, readable file on the other end. The channel was protected; the content never was. That gap is a documented assessment finding.
There's also a difference between opportunistic TLS and enforced TLS. Opportunistic TLS encrypts if both servers happen to support it and quietly falls back to plaintext if they don't. Enforced TLS requires it for specific domains — with connector rules, failure handling, and logs to prove it. If a user can bypass the encrypted route, or it can fail open without anyone noticing, the control fails operationally even when it looks fine on paper.
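The operational half of "enforced TLS" is the log review: did any CUI message actually go out in plaintext to a domain that was supposed to be forced onto TLS? The audit below is an added example, not from the original guide or any mail product; the log format is a constructed one-line-per-delivery layout, and the partner domain, the sample lines and the TLS 1.2 floor are assumptions for the demonstration.

```python
"""Audit mail-transport logs for fail-open delivery to enforced-TLS partner domains.

Added example, not from the original guide. The log format is a constructed,
simplified one (one line per delivery attempt), and the partner domain,
sample lines and TLS 1.2 floor are assumptions for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Partner domains that connector rules are supposed to force onto TLS (assumed).
ENFORCED_TLS_DOMAINS = {"prime.example"}
# Policy floor for an acceptable protocol version (assumed for the example).
MIN_TLS_VERSION = (1, 2)

# Constructed log lines: a clean delivery, a plaintext fail-open, a delivery to
# an unrelated domain, a correctly deferred (fail-closed) attempt, and a weak version.
SAMPLE_LOG = """\
2026-06-08T14:02:11Z msgid=<a1@contractor.example> to=buyer@prime.example relay=mx1.prime.example tls=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 status=sent
2026-06-08T14:05:40Z msgid=<a2@contractor.example> to=buyer@prime.example relay=mx1.prime.example tls=none cipher=none status=sent
2026-06-08T14:07:02Z msgid=<a3@contractor.example> to=help@vendor.example relay=mx.vendor.example tls=none cipher=none status=sent
2026-06-08T14:09:15Z msgid=<a4@contractor.example> to=buyer@prime.example relay=mx1.prime.example tls=none cipher=none status=deferred
2026-06-08T14:11:48Z msgid=<a5@contractor.example> to=legal@prime.example relay=mx2.prime.example tls=TLSv1.0 cipher=AES128-SHA status=sent
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) msgid=(?P<msgid>\S+) to=(?P<to>\S+) relay=(?P<relay>\S+) "
    r"tls=(?P<tls>\S+) cipher=(?P<cipher>\S+) status=(?P<status>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    msgid: str
    domain: str
    reason: str


def tls_version(tag: str):
    """Map 'TLSv1.3' to (1, 3); anything else (e.g. 'none') means no TLS."""
    m = re.fullmatch(r"TLSv(\d+)\.(\d+)", tag)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_enforced_tls(log_text: str, enforced_domains=ENFORCED_TLS_DOMAINS) -> list[Finding]:
    """Return one Finding per delivery that violated the enforced-TLS policy.

    Only deliveries that actually completed (status=sent) count: a deferred
    attempt without TLS is the connector failing closed, which is the desired
    behaviour. Lines the parser cannot read are reported too, because an
    unreadable log is an evidence gap, not proof of anything.
    """
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if m is None:
            findings.append(Finding("?", "?", f"unparseable log line: {line[:40]}..."))
            continue
        domain = m["to"].rsplit("@", 1)[-1].lower()
        if domain not in enforced_domains or m["status"] != "sent":
            continue
        version = tls_version(m["tls"])
        if version is None:
            findings.append(Finding(m["msgid"], domain,
                                    "delivered in plaintext to an enforced-TLS domain (fail-open)"))
        elif version < MIN_TLS_VERSION:
            findings.append(Finding(m["msgid"], domain,
                                    f"delivered over {m['tls']}, below the TLS 1.2 floor"))
    return findings


if __name__ == "__main__":
    for f in audit_enforced_tls(SAMPLE_LOG):
        print(f.msgid, f.domain, f.reason)
```

Run it on the real connector or gateway log after adapting the regular expression to that product's line format; the point is that the "deferred" line is the control working and the "sent ... tls=none" line is the finding.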
What "FIPS-validated" actually means (and why "FIPS-compliant" fails)
"FIPS-validated" means the specific cryptographic module has been tested and listed on NIST's Cryptographic Module Validation Program (CMVP) with a certificate number. Using a FIPS-approved algorithm like AES-256 is not the same thing. "FIPS-compliant" and "FIPS-equivalent" are marketing words. "FIPS-validated" is the one that survives an assessment.
When a vendor tells you their product is "FIPS compliant," the correct response is a question, not a purchase order. Ask for:
- The CMVP certificate number (or proof the module is on the active validation list).
- The module name and version in use.
- Which part of the message path the module actually protects.
- Whether FIPS mode must be enabled — and the steps to confirm it's on.
- The Customer Responsibility Matrix (CRM) showing what the provider secures versus what you must configure.
Write the certificate number into your System Security Plan (SSP). "We use AES encryption" is not evidence. A certificate number is.
The FIPS 140-2 sunset, stated accurately
You'll see warnings that you "must be on FIPS 140-3 by September 2026 or you fail." That's an overstatement. Here's what NIST's CMVP actually says: FIPS 140-2 modules can remain active for five years after validation or until September 21, 2026, when 140-2 validations move to the Historical List. The modules don't stop working — even on the Historical List, CMVP supports their purchase and use for existing systems, and federal agencies decide when to move to FIPS 140-3-only modules. The practical read for a defense contractor: validated is validated for now, but plan your move to FIPS 140-3 as part of normal refresh and confirm your providers' roadmaps. Don't panic-buy on a misread deadline.
How CUI email quietly changes your CMMC scope
If your email system processes, stores, or transmits CUI, that system becomes part of your CMMC Level 2 assessment scope. This is the expensive surprise. People think of email as invisible plumbing. CMMC treats it as an asset, and the scoping rule in 32 CFR 170.19 is built around systems and assets, not "the data is encrypted, so the system disappears."
Under 170.19, every asset falls into a category: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. The catch: encryption alone does not move a system out of scope. It controls risk; it doesn't create logical separation. A mailbox full of encrypted CUI is still a CUI Asset.
| Component | Why it can enter scope | Likely category (32 CFR 170.19) |
|---|---|---|
| Mailboxes | Store CUI message bodies and attachments | CUI Asset |
| Mail transport / connectors | Transmit CUI | CUI Asset |
| Email security gateway | Routes, scans, or protects CUI | Security Protection Asset |
| DLP / sensitivity-label system | Protects the CUI flow | Security Protection Asset |
| Archive / journaling / eDiscovery | Stores copies of CUI | CUI Asset |
| Backup system | Stores CUI email data | CUI Asset |
| Mobile devices | Cache and display CUI | CUI Asset |
| Local Outlook/Gmail sync (OST/PST) | Stores CUI on the endpoint | CUI Asset |
| MSP/MSSP tooling | Provides security functions for the CUI environment | Security Protection Asset (often an ESP) |
The key-custody question that decides your scope
If an external service provider stores, processes, or transmits your CUI, it gets pulled into the assessment conversation — and the practical signal is whether the provider can decrypt your CUI. Under the CMMC Assessment Process, when an in-scope External Service Provider (ESP) or Cloud Service Provider (CSP) handles CUI, the assessment team will expect you to show evidence for that provider — a FedRAMP Moderate authorization, FedRAMP Moderate equivalency, or a CMMC Level 2 status, as appropriate. DFARS 252.204-7012 separately requires an external CSP that stores, processes, or transmits covered defense information to meet FedRAMP Moderate-equivalent requirements plus the clause's incident-reporting obligations.
That's why stock Microsoft 365 Commercial isn't your CUI answer on its own — Microsoft holds the keys and the Commercial environment isn't authorized for CUI, so the provider is squarely in the picture. It's also why end-to-end (zero-knowledge) designs change the math: if the provider can't decrypt your CUI, your boundary and evidence burden look different.
So before you scope anything, answer one question for every tool in the path: Can someone other than us decrypt this CUI? The answer reshapes your boundary, your evidence burden, and your bill.
The real cost of getting it wrong: your SPRS score
An unprotected CUI-email workflow doesn't just risk a finding — it carves measurable points off the SPRS score that gates your eligibility. The Supplier Performance Risk System is the DoD database where you post your NIST SP 800-171 self-assessment score. You start at 110, and the DoD Assessment Methodology (acq.osd.mil) subtracts a weighted value — 1, 3, or 5 points — for each requirement you haven't fully met. The floor is −203. There is no partial credit, with exactly two exceptions: 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography), which allow a reduced deduction for partial implementation.
| Control (CMMC practice) | What it requires for CUI email | SPRS points at risk |
|---|---|---|
| SC.L2-3.13.8 | Cryptographic mechanisms to prevent CUI disclosure in transit | 3 |
| SC.L2-3.13.11 | FIPS-validated cryptography to protect CUI confidentiality | 5 (or 3 if partially implemented) |
| SC.L2-3.13.16 | Protect the confidentiality of CUI at rest | 1 |
| SC.L2-3.13.10 | Establish and manage cryptographic keys | 1 |
| AC.L2-3.1.19 | Encrypt CUI on mobile devices / mobile platforms | 3 (if CUI email is read on phones) |
The math: the core email cluster — 3.13.8, 3.13.11, 3.13.16, and 3.13.10 — puts up to 10 points at risk from one unprotected workflow. If your team reads CUI email on phones, add 3.1.19 for up to 13 points. On a 110-point scale where the floor sits below zero, that's not a rounding error.
The FIPS trap specifically: 3.13.11 is one of only two requirements with partial-implementation scoring. It costs the full 5 points if you're not using cryptography to protect CUI at all, and 3 points if you are encrypting but the module isn't FIPS-validated. So "we use AES-256" often still costs you 3 points.
And a policy that says you'll encrypt CUI doesn't count. You have to actually do it, and prove it. A binder full of intentions scores zero. Your SPRS score is visible to DoD personnel and gates you under DFARS 252.204-7020 — a prime cannot award you a subcontract involving covered defense information unless you have a current Basic Assessment posted in SPRS.
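The scoring rules above, carried through as a small model. This is an added example, not the DoD methodology's own tooling or anything from the original guide: it applies only the per-requirement values the guide cites (3.13.8 = 3, 3.13.11 = 5 with the partial-credit step to 3, 3.13.16 = 1, 3.13.10 = 1, 3.1.19 = 3) and assumes every other NIST SP 800-171 requirement is fully met, so the only deductions come from the email workflow; the workflow fields and the four scenarios are constructed for the demonstration.

```python
"""Model the SPRS exposure of one CUI-email workflow.

Added example, not from the original guide. It applies the per-requirement
point values the guide cites (3.13.8 = 3, 3.13.11 = 5 with partial credit,
3.13.16 = 1, 3.13.10 = 1, 3.1.19 = 3) and assumes every other
NIST SP 800-171 requirement is fully met, so the only deductions come from
this workflow.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class EmailWorkflow:
    in_transit_encrypted: bool   # SC.L2-3.13.8: CUI protected while it travels
    crypto_protects_cui: bool    # any cryptography at all protects the CUI
    fips_validated: bool         # that cryptography comes from a CMVP-listed module
    keys_managed: bool           # SC.L2-3.13.10: keys owned, rotated, revocable
    at_rest_encrypted: bool      # SC.L2-3.13.16: delivered CUI stays protected
    cui_read_on_phones: bool     # does AC.L2-3.1.19 apply to this workflow?
    phones_encrypted: bool       # AC.L2-3.1.19: CUI on mobile devices encrypted


def sprs_deductions(w: EmailWorkflow) -> dict[str, int]:
    """Return {requirement: points lost} for the email cluster."""
    lost: dict[str, int] = {}
    if not w.in_transit_encrypted:
        lost["SC.L2-3.13.8"] = 3
    # 3.13.11 is one of only two requirements with partial credit: 5 points if
    # no cryptography protects CUI at all, 3 if it does but the module is not
    # FIPS-validated, 0 only when the module is on the CMVP list.
    if not w.crypto_protects_cui:
        lost["SC.L2-3.13.11"] = 5
    elif not w.fips_validated:
        lost["SC.L2-3.13.11"] = 3
    if not w.at_rest_encrypted:
        lost["SC.L2-3.13.16"] = 1
    if not w.keys_managed:
        lost["SC.L2-3.13.10"] = 1
    # 3.1.19 only enters the picture when CUI email is actually read on phones.
    if w.cui_read_on_phones and not w.phones_encrypted:
        lost["AC.L2-3.1.19"] = 3
    return lost


def sprs_score(w: EmailWorkflow, baseline: int = 110) -> int:
    """Score after this workflow's deductions (all other requirements assumed met)."""
    return baseline - sum(sprs_deductions(w).values())


# Constructed scenarios mirroring the guide's discussion.
UNPROTECTED_EMAIL = EmailWorkflow(False, False, False, False, False, False, False)
UNPROTECTED_WITH_PHONES = EmailWorkflow(False, False, False, False, False, True, False)
AES_BUT_NOT_VALIDATED = EmailWorkflow(True, True, False, True, True, False, False)
VALIDATED_PATH = EmailWorkflow(True, True, True, True, True, True, True)

if __name__ == "__main__":
    scenarios = [
        ("unprotected email", UNPROTECTED_EMAIL),
        ("unprotected email, read on phones", UNPROTECTED_WITH_PHONES),
        ("AES-256 but no CMVP certificate", AES_BUT_NOT_VALIDATED),
        ("validated, documented path", VALIDATED_PATH),
    ]
    for name, w in scenarios:
        print(f"{name}: {sprs_score(w)} ({sprs_deductions(w)})")
```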
CUI Email Path Checker
Tell us your platform, CUI type, and phone usage — we map the controls you're touching and estimate your SPRS exposure in about 60 seconds.
Which CUI email path fits your environment?
The safest path depends entirely on where your CUI actually lives. There is no universal answer, and the vendor with the loudest ad isn't it. But first, the honest part.
One thing no vendor will lead with: there is no single sentence in CMMC that says "buy this encrypted email product and you're compliant." Every option below still requires you to map your CUI flow, configure the environment, write the SSP and CRM, and produce evidence. Any product sold as a one-click "CMMC compliant" button is the wrong partner.
Path 1 — Keep CUI out of email; use a secure portal for the document.
Best for narrow CUI workflows and teams that can treat email as a notification channel. The risk: a user pastes CUI into a subject line or body, or a link preview or filename leaks it. Strongest scope-control position if people actually follow it.
Path 2 — A CUI enclave or secure collaboration portal.
Best for small DIB contractors with a handful of CUI users, fast containment, and supplier collaboration. The enclave becomes your CUI environment. The risk: people keep working in normal email anyway, and the enclave still needs identity, endpoint, logging, SSP, and CRM evidence.
Path 3 — An end-to-end encryption overlay on Microsoft 365 Commercial or Google.
Best for organizations that want to protect CUI without ripping out their existing environment. Tools like PreVeil and Virtru position themselves here (company-stated). PreVeil states it provides end-to-end encryption and FIPS-validated cryptography and stores CUI in a U.S.-sovereign AWS GovCloud environment; Virtru states it is FedRAMP Authorized at the Moderate level with FIPS 140-2 validated encryption and lets you hold your own keys. Verify all of that yourself — see the snapshot below.
Path 4 — Microsoft 365 GCC High.
Best for Microsoft-heavy shops where CUI lives in Outlook, Teams, SharePoint, and OneDrive, and the right call for CUI-Specified data such as ITAR. Because this is the single biggest follow-up question on this topic, it gets its own section next.
Path 5 — Google Workspace with FedRAMP-authorized services and the right controls.
Potentially defensible for Google-native teams that lock down to authorized services, set data regions, and use Google's client-side encryption and Assured Controls. The risk: not every feature inside an edition sits within the authorized boundary, so admins have to verify service scope and switch off what isn't covered.
Path 6 — Self-managed S/MIME.
Best for organizations with the PKI discipline to manage certificates, keys, revocation, and identity. Message-level and end to end. The risk: key management is a real, ongoing job, and it fails quietly when neglected.
Source-checked provider snapshot
A source-checked snapshot — what to know, how strong the source is, and what to confirm before you talk to anyone. We don't rank vendors. Verify every status on the FedRAMP Marketplace and Cyber AB Marketplace.
| Provider | Category & best fit | FedRAMP / FIPS status (verify on Marketplace) | Verification type | Ask before you hire | Compensation |
|---|---|---|---|---|---|
| PreVeil | CUI enclave / secure email & file overlay; small–mid DIB avoiding a full GCC High migration | Company-stated FIPS-validated cryptography; states FedRAMP Moderate Equivalency; hosts CUI in AWS GovCloud | Company-stated only | CMVP cert #, “can you decrypt our CUI?”, CRM, scope letter | None as of June 8, 2026 |
| Virtru | Secure email / data-centric encryption overlay; Outlook/Gmail shops wanting client-side encryption and key control | Company-stated FedRAMP Authorized (Moderate); FIPS 140-2 validated module | FedRAMP Marketplace–listed (verify level) | CMVP cert #, exact FedRAMP level, control-coverage scope | None as of June 8, 2026 |
| Microsoft 365 GCC High | U.S.-sovereign environment; Microsoft-heavy DIB; CUI-Specified / ITAR | U.S.-sovereign, FedRAMP High level (runs on Azure Government) | Microsoft-published / FedRAMP Marketplace–listed | Migration scope, license count, who owns SSP/CRM tasks | None as of June 8, 2026 |
| Kiteworks | Secure portal / managed file transfer; keeping CUI out of the inbox entirely | FedRAMP Authorized (Moderate) | FedRAMP Marketplace–listed (verify level) | CMVP cert #, where CUI is stored, recipient access model | None as of June 8, 2026 |
Provider capabilities are company-stated and labeled that way. Verify CMVP certificate numbers, FedRAMP status and level, and CRM coverage independently before procurement.
Still deciding between an overlay, an enclave, and GCC High? Tell us your current platform, CUI flow, level, and timeline.
Do I need GCC High to email CUI under CMMC?
Not automatically. GCC High can be the right path for Microsoft-heavy DIB environments and for CUI-Specified or export-controlled scenarios, but CMMC does not say every contractor emailing CUI must buy GCC High. The decision turns on your CUI category, your contract, your Microsoft environment, your key custody, your FedRAMP and FIPS evidence, and whether CUI lives in Outlook, Teams, SharePoint, and OneDrive or in a separate enclave.
Here's the nuance Microsoft itself draws. Microsoft says GCC High is its recommended platform for CMMC Level 2 and Level 3, and that GCC is not suitable to hold CUI-Specified — such as ITAR and Nuclear — because that data requires U.S. sovereignty that GCC High provides. GCC High runs on Azure Government, a physically separated, U.S.-only cloud. For basic, non-export-controlled CUI, you have more room: an end-to-end overlay, a secure enclave, or in some cases GCC can be defensible if it's configured, documented, and your prime agrees. What's not defensible in anyone's framing — Microsoft's included — is assuming any of these is compliant "out of the box."
One caution on the export-controlled question: don't treat every CUI-Specified category as a blanket "must buy GCC High." Check the specific data category, your contract requirement, and the platform's documentation. ITAR and Nuclear are clear U.S.-sovereignty triggers; other categories may have more flexibility. For the broader environment decision, see our deep dives on Azure Government for CMMC and AWS GovCloud for CMMC.
Is Office 365 Message Encryption (OME) enough for CUI?
Don't treat OME in Microsoft 365 Commercial as automatically sufficient for CUI. OME can protect message delivery and route external recipients to a portal — but the assessment question isn't "is the message wrapped?" It's whether the whole environment supports the CUI workflow: the key model, where the CUI is stored and processed, the audit trail, the FedRAMP and FIPS evidence, and your documented scope. In Commercial, the CUI is still processed in an environment that isn't authorized for CUI and where Microsoft holds the keys, so OME alone generally leaves a gap. The clean answers remain the same: GCC High, or an end-to-end approach where the provider can't decrypt your CUI.
What evidence will an assessor actually want?
A C3PAO — a Certified Third-Party Assessment Organization — doesn't assess a logo. It assesses implementation. For CUI email encryption, your evidence has to show the real CUI flow, the encryption mechanism, the FIPS validation, the configuration, the logs, and who owns what.
| The claim you're making | The evidence that supports it | Control it maps to |
|---|---|---|
| "CUI email is encrypted in transit." | Mail-flow diagram, connector/transport rules, TLS or S/MIME or portal config, test-message logs | SC.L2-3.13.8 |
| "Our cryptography is FIPS-validated." | CMVP certificate number, vendor documentation, FIPS-mode setting, module name/version | SC.L2-3.13.11 |
| "We manage our keys." | Key owner, rotation, revocation, recovery/escrow, customer-managed-key documentation | SC.L2-3.13.10 |
| "Delivered CUI is protected at rest." | Mailbox/storage encryption, archive and backup encryption, endpoint cache controls | SC.L2-3.13.16 |
| "Normal email doesn't carry CUI." | DLP rules, no-CUI email templates, training records, periodic reviews | Scope control (170.19) |
| "Our provider shares responsibility." | CRM, SSP provider section, FedRAMP package, contract/SLA, incident-support terms | ESP/CSP scoping |
| "Our people follow the process." | Training records, workflow screenshots, a sanitized sample transaction, monitoring logs | Operating effectiveness |
The through-line: evidence beats assertion, every time. Hand an assessor the artifact in the right-hand column and you can stand behind that specific claim. Describe what you intended instead, and you can't stand behind anything.
Have the tool but not the proof package? Start with our CMMC readiness checklist — mapped to SC.L2-3.13.8, 3.13.11, 3.13.16, 3.13.10, and AC.L2-3.1.19, plus the SSP entries, CRM questions, screenshots, and logs that back each one.
What to do if CUI is already in your inbox
Treat it as a containment problem, not as permission to keep using normal email. One stray message isn't a failed assessment. But it is a process gap, and process gaps are what assessors find. Move fast and clean.
A simple 48-hour playbook:
- Don't forward the uncontrolled message. Save only what your policy requires.
- Identify whether CUI is in the body, an attachment, the subject line, the filename, or a quoted reply chain.
- Move the CUI into your approved CUI channel (enclave, portal, or validated path).
- Reply with a no-CUI message redirecting future CUI to the approved channel.
- Log the event for process improvement.
- If it keeps happening, tighten DLP rules and retrain.
A reply you can adapt:
"Thanks — for CUI handling, please send controlled attachments through our approved secure channel going forward. To avoid exposing CUI in normal email, I'm not including the attachment or technical details in this reply."
Short, professional, and it fixes the workflow instead of perpetuating it.
If your assessment or contract is 30, 60, or 90 days out
When the clock is short, the fastest defensible move is almost always to contain the CUI flow and build evidence — not to start a sprawling migration you won't have time to operate. Phase 2 begins on November 10, 2026, when mandatory Level 2 C3PAO certification assessments expand to a far wider set of contracts. That urgency is real. The wrong response to it is a panic purchase.
| Timeline | Best move | What to avoid |
|---|---|---|
| 30 days | Stop uncontrolled CUI email, move active CUI to an approved channel, document the interim workflow, gather evidence | A full tenant migration you can't operate before assessment |
| 60 days | Stand up a portal or enclave or a controlled email path, update SSP/CRM, train users, collect logs | Buying a tool before you've drawn the data-flow diagram |
| 90 days | Compare enclave vs. GCC High vs. Google Workspace vs. overlay, implement, test, collect evidence | Assuming a license purchase equals readiness |
| 6–12 months | Build the durable collaboration architecture and a standing evidence program | Over-scoping the whole enterprise before mapping where CUI actually lives |
Which provider category should help — and which shouldn't
Match the provider category to the problem you actually have, not to whoever quoted you first. This is where contractors waste the most time and money.
| Your situation | The right category first | Don't start here |
|---|---|---|
| "We don't know where our CUI lives." | Readiness firm / Registered Provider Organization (RPO) + scoping consultant | A C3PAO |
| "CUI is in our email and files; our MSP is generic." | A CMMC-capable MSP/MSSP + a readiness lead | A product-only vendor |
| "We need a contained CUI path fast." | A CUI enclave or secure collaboration provider + RPO | A default full-cloud migration |
| "We're Microsoft-heavy; CUI lives in Outlook/Teams/SharePoint." | A GCC High implementation partner + MSP/MSSP | An infrastructure-only cloud shop |
| "We're Google-native." | A Google Workspace compliance implementer + readiness | A Microsoft-only migration partner |
| "We have tools but our evidence is scattered." | GRC / evidence-workflow software + readiness documentation | Buying yet another platform |
| "We're assessment-ready." | An authorized C3PAO | The same firm that just remediated you |
One rule that protects you: don't ask your assessor to design or fix your environment. Under the CMMC Code of Professional Conduct and the Cyber AB's conflict-of-interest rules, a C3PAO cannot provide consulting, readiness, remediation, or implementation services to an organization it assesses — a C3PAO that helped build your environment can't turn around and certify it. If you're weighing whether to self-assess or hire a C3PAO in the first place, see our breakdown of self-assessment vs. C3PAO assessment.
What we actually verified for this page
We didn't summarize other people's summaries. We read the primary sources and cross-checked the claims that matter.
| What we verified | Source type | Last verified |
|---|---|---|
| CMMC Program Rule effective date (Dec 16, 2024) | Federal Register / eCFR | |
| DFARS acquisition rule effective date (Nov 10, 2025); Phase 1 = Nov 10, 2025–Nov 10, 2026; Phase 2 begins Nov 10, 2026 | Federal Register / 32 CFR 170.3(e) | |
| CMMC Level 2 → NIST SP 800-171 Rev. 2 mapping (110 requirements) | 32 CFR Part 170 / NIST CSRC | |
| SC.L2-3.13.8 / 3.13.11 / 3.13.16 / 3.13.10 / 3.1.19 control text | NIST SP 800-171 Rev. 2 / CMMC Assessment Guide L2 | |
| SPRS point values (1/3/5; −203 floor; partial credit only for 3.5.3 & 3.13.11) | DoD NIST SP 800-171 Assessment Methodology | |
| DFARS 252.204-7012 NIST 800-171 baseline (Dec 31, 2017 deadline); 252.204-7020 SPRS / subcontract rule | Acquisition.gov | |
| FIPS 140-2 → 140-3 transition (Sept 21, 2026; Historical List) | NIST CMVP | |
| CUI email marking requirements | DoD CUI Program (dodcui.mil) | |
| GCC vs GCC High for CUI / CUI-Specified | Microsoft Learn | |
| C3PAO conflict-of-interest rule | Cyber AB Code of Professional Conduct | |
| Microsoft GCC/GCC High, Virtru, Kiteworks FedRAMP status | FedRAMP Marketplace (verify current status/level) | |
| PreVeil FedRAMP / FIPS / CMMC claims | Provider-stated; CMVP certificate, CRM, and product boundary not independently verified here | |
This page is independent editorial analysis, not legal, contractual, or compliance advice. Verify the specifics against the cited primary sources and your own contract.
Frequently asked questions
Is encrypted email required for CMMC Level 2?
If CUI is sent by email, it must be protected during transmission under NIST SP 800-171 Rev. 2 requirement 3.13.8, and if cryptography is used to protect the confidentiality of CUI, it must be FIPS-validated under requirement 3.13.11. In practice, emailing CUI requires validated encryption.
Is TLS enough for CUI email under CMMC?
TLS alone is generally not enough. It protects a message in transit but leaves the CUI's at-rest protection to the mailbox, archive, backup, and synced devices, and opportunistic TLS can fall back to plaintext. TLS can be part of a defensible path only when it's enforced, validated, documented, and paired with at-rest protection.
Do I need GCC High to email CUI?
Not automatically. GCC High is the right call for CUI-Specified data such as ITAR, which requires U.S. data sovereignty. For basic, non-export-controlled CUI, an end-to-end overlay, a secure enclave, or in some cases GCC may be defensible if it's configured, documented, and agreed with your prime.
Is Office 365 Message Encryption (OME) enough for CUI?
Not on its own in Microsoft 365 Commercial. OME can wrap a message, but the CUI is still processed in a Commercial environment where Microsoft holds the keys and which isn't authorized for CUI. You generally need GCC High or an end-to-end approach where the provider can't decrypt your CUI.
What does "FIPS-validated" mean?
It means the cryptographic module is tested and listed on NIST's Cryptographic Module Validation Program (CMVP) with a certificate number. Using a FIPS-approved algorithm like AES-256 is not sufficient — "FIPS-compliant" is not the same as "FIPS-validated."
Does the FIPS 140-2 sunset mean my email encryption stops being compliant in September 2026?
No. On September 21, 2026, FIPS 140-2 validations move to the CMVP Historical List. The modules keep working, and CMVP still supports their use for existing systems; federal agencies decide when to move to FIPS 140-3-only modules. Plan a move to FIPS 140-3 as part of normal refresh.
How many SPRS points do I lose if CUI email is unprotected?
Up to about 10 from the core cluster — SC.L2-3.13.8 (3), 3.13.11 (5), 3.13.16 (1), and 3.13.10 (1) — plus up to 3 more (AC.L2-3.1.19) if CUI email is read on phones, for as much as 13 points from a single unprotected workflow.
Are email gateways, archives, and backups in scope?
They can be. If a gateway, archive, eDiscovery system, or backup processes, stores, or transmits CUI, it's part of your CUI data-flow analysis under 32 CFR 170.19 — typically as a CUI Asset or a Security Protection Asset.
Can I put CUI in the subject line?
Keep the actual CUI out of the subject line. Per the DoD CUI Program, mark CUI emails with "CUI" as the first and last line plus a designation indicator block — and don't add a vague "may contain CUI" disclaimer.
How do I send CUI to a subcontractor?
Use an end-to-end tool that lets the recipient open the CUI without joining your tenant, a secure portal link, or enforced TLS to a partner you've confirmed also protects CUI at rest. A consumer password-protected zip or an unmanaged guest account isn't a validated solution — tools like 7-Zip and standard zip encryption are common findings precisely because the module isn't FIPS-validated.
Can a C3PAO tell me which email product to buy?
Don't rely on your assessor to design or remediate your environment. Under the CMMC Code of Professional Conduct, a C3PAO can't provide consulting or implementation services to an organization it assesses, so keep readiness and remediation separate from the formal assessment.
Need help deciding what type of CMMC provider you need?
Before you talk to a vendor, answer three questions: Where does our CUI actually live? Who can decrypt it? And what evidence proves the path? If you can't answer all three with confidence, start with scoping and readiness before you buy software — it's the cheapest mistake to avoid.
When you're ready, tell us your level, scope, and timeline and we'll match you with source-checked CMMC provider options. Whether you need a secure enclave, an encryption overlay, a GCC High implementation partner, or just a readiness review to map where your CUI lives, we'll point you to the right category — with the questions to ask before you sign anything.