CMMC

Virtru products and services support regulatory compliance under a number of security control frameworks. This document describes how Virtru products support compliance with the DoD Cybersecurity Maturity Model Certification (CMMC), which is based on the NIST 800-171 control framework. CMMC is designed to protect sensitive information and is now being incorporated into Department of Defense solicitations via DFARS 252.204-7021.

Program Background

Executive Order 13556 designates the National Archives and Records Administration (NARA) as the “Executive Agent” for protecting “Controlled Unclassified Information” (CUI) used by federal agencies. The DoD’s Cybersecurity Maturity Model Certification (CMMC) program extends that mandate to the defense supply chain, requiring contractors to demonstrate how they safeguard both CUI and Federal Contract Information (FCI).

The security requirements mapped to CMMC Level 2 align directly with NIST Special Publication 800-171 r2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” These requirements define the safeguards nonfederal systems must implement to ensure CUI confidentiality.

To unify oversight, the Department of Defense consolidated the CMMC 2.0 model documents and assessment guides in 2023 and, with rulemaking complete, is incorporating the requirements into contracts through DFARS 252.204-7021—meaning the Defense Industrial Base (DIB) is now seeing CMMC clauses appear broadly.

CMMC 2.0 Levels

  • Level 1 – Foundational (FCI only): Aligns with FAR 52.204-21 safeguards. Organizations perform annual self-assessments and post scores to SPRS.
  • Level 2 – Advanced (CUI): Mirrors all 110 NIST SP 800-171 controls. Prioritized contracts require a triennial C3PAO assessment while non-prioritized contracts allow annual self-assessments, each accompanied by an SPRS score submission.
  • Level 3 – Expert (CUI + enhanced threats): Adds a subset of NIST SP 800-172 requirements focused on advanced persistent threat mitigation. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will perform government-led assessments once the supporting guide is finalized.

Virtru’s Role

Virtru’s primary role in customer networks focuses on the encryption of messages and files, and the ability to attach access control policies to them. These policies control the access granted to specific users and groups, as well as optional watermarking, forwarding prevention, and access expiration dates. Virtru also provides tools supporting auditing and monitoring of these operations. Virtru provides support for controls in the following NIST SP 800-171 control families: Access Control, Audit & Accountability, and Systems & Communications Protection.

As a Cloud Service Provider (CSP), Virtru maintains a FedRAMP Moderate Authorization to Operate (ATO) that covers the Virtru Data Security Platform. CMMC Level 2 requires that any external CSP processing, storing, or transmitting CUI maintain a FedRAMP Moderate authorization, so leveraging Virtru services keeps customers aligned with that expectation.

The Virtru platform provides the ability to assert policies around access control, including the ability to revoke access or specify an expiration date. In addition to supporting DLP and other compliance goals, these policies can support several specific CMMC controls when properly configured and used. The use of Virtru products and services does not by itself guarantee compliance with any security framework, but Virtru offers powerful capabilities that can play a key role in customers' security and compliance programs.

Customers with complex regulatory requirements are encouraged to work with their Sales and Support contacts to ensure that their system is specified and configured properly to provide the desired control support.

Details of Virtru Control Support for CMMC

Virtru has created a CMMC Shared Responsibility Matrix that documents the CMMC controls that can be supported through the use of Virtru products, and which aspects of the referenced controls are the customer’s responsibility, which are Virtru’s, and which are a shared responsibility between the two. The support matrix incorporates the original NIST framework language.

Please reach out to your account manager or submit a request via the Virtru Support Center if you would like to discuss where Virtru fits in your CMMC program.

CMMC Readiness Resources

The links below gather the official references that teams most often ask for while preparing their CMMC program. Use them to orient conversations with internal stakeholders, integrators, or assessors as you move from planning to validation.

Important Disclaimer

Virtru is not a CMMC consultant and is providing these resources for reference. Treat this section as a starting point for your due diligence and confirm all interpretations with your internal compliance owners or an accredited advisor.

Authoritative Program Hubs

Resource | Why it matters
Cyber AB Website | Overview of the Cyber AB (formerly the CMMC Accreditation Body), news releases, and governance updates that set expectations for the ecosystem.
Cyber AB Marketplace | Directory of Registered Practitioners (RPs), Registered Provider Organizations (RPOs), and Certified Third-Party Assessment Organizations (C3PAOs) when you need outside support.
CMMC Assessment Process | Cyber AB narrative of how scoping, readiness, assessment, and sustainment flow for both self-assessments and third-party assessments.

DoD Guidance & Documentation

Resource | Why it matters
CMMC Overview (DoD CIO) | Official Department of Defense description of the framework, current rulemaking status, and FAQs.
CMMC Resources & Documentation | DoD document hub containing the current CMMC 2.0 model documents, assessment guides, and scoping guidance.
Level 1 Scoping Guide | Defines FCI asset boundaries and identifies which systems are in scope for Level 1 self-assessment.
Level 1 Assessment Guide | FAR 52.204-21-aligned controls, evidence expectations, and scoring rubric for annual self-assessments.
Level 2 Scoping Guide | Categorizes assets (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets) to define CUI boundaries and reduce assessment scope.
Level 2 Assessment Guide | Maps every NIST SP 800-171 requirement to assessment objectives, methods, and artifacts for self-assessments or C3PAO engagements.
Level 3 Scoping Guide | Extends Level 2 scoping with additional considerations for enhanced security environments subject to DIBCAC assessment.
Level 3 Assessment Guide | Covers NIST SP 800-172 enhanced requirements and DIBCAC government-led assessment procedures.
NIST SP 800-171A | Assessment procedures for 800-171—defines how each control is evaluated and what evidence assessors expect.
SPRS Score Submission | Supplier Performance Risk System (SPRS) portal for the NIST SP 800-171 DoD Assessment Methodology, scoring worksheets, and submission instructions. Required for both self-assessments and C3PAO engagements.
CMMC FAQ | Official DoD answers to common questions about CMMC requirements, timelines, assessment processes, and program implementation.

Planning Templates

Template | How to use it
POA&M Template | Standardized Plan of Action & Milestones worksheet for tracking remediation tasks, responsible parties, and closure dates.
SSP Template (Reach out to your account manager or support@virtru.com) | NIST System Security Plan outline that mirrors the 800-171 control families and helps you document boundaries, inheritance, and implemented safeguards. Prefilled with example Virtru control details.
Virtru CMMC Shared Responsibility Matrix | Maps which practices Virtru covers natively, which are shared, and which remain on the customer so you can document inheritance and shared controls in your SSP/POA&M.

Incident Reporting

Resource | Why it matters
DoD Cyber Incident Reporting (DIBNet) | Overview from DC3/DCISE explaining the Defense Industrial Base cyber program and reporting expectations under DFARS 252.204-7012. Contractors must report cyber incidents within 72 hours.