u/TheHeyBuddy

▲ 7 r/CMMC

PreVeil Alternative Recommendations (Aeroplicity, Virtru, RegDOX, ...)

Dear CMMCers,

I'm seeking input on companies/platforms based on your experiences with them. I have scoured this subreddit and I have read a lot of good things about PreVeil; we plan to meet with them this week.

We are most attracted to PreVeil at this point mainly for the combination of:

  • price point
  • case studies
  • detailed SRM
  • number of NIST 800-171 controls addressed
  • plus affordable compliance prep support via Compliance Accelerator.

But for the sake of presenting ownership with more than just one option, I'm trying to find others that are comparable, e.g. Aeroplicity, Virtru, RegDOX, or others you might recommend. It just seems that none of them hit the sweet spot PreVeil does as described above.

For context: We are in Aerospace and Defense, going for Level 2 compliance, most likely needing C3PAO assessment. I'm the CMMC project manager for my company, new to CMMC and IT, working alongside an MSP that handles IT for us but who has limited experience with CMMC. We are a small machine shop that will have about 20 people handling CUI and about 20 PCs in scope, plus the need to print CUI and transport it via USB from PC to shop machines (specialized assets).

We will likely:

  1. engage an RPO to help with scoping
  2. implement the platform (e.g. PreVeil)
  3. after we've made progress on policies/procedures/updated SSP/etc. we'll have the RPO check our work and provide remediation guidance

Appreciate your input!

u/TheHeyBuddy — 1 day ago
▲ 0 r/CMMC

Feedback on the CMMC Assessment Handbook by Douglas Landoll

Hi fellow CMMCers,

For those of you who have read Landoll's book (updated Oct 2025 version, or older versions) during your compliance efforts, I'm wondering if you have any feedback on the quality of the information included.

My first impression is that he did a good job referencing the official CFR and NIST texts, DFARS clauses, etc., and including the specific objectives for each control, but since I haven't read the whole book or all of the official texts (yet) I can't tell for sure. I'd like to use it as my primary resource/reference for rules and guidelines surrounding CMMC and objectives within each control, but if I am going to do that I want to make sure it's solid information.

To provide some context, I am new to CMMC and was hired by my company to manage the move towards compliance. We are a machine shop that handles CUI and will need Level 2 certification, most likely with a C3PAO assessment.

After I started meeting with GCC High/GovCloud vendors I started realizing that if I want to truly compare these companies apples-to-apples I will need to understand exactly how their services work to help move my company towards compliance.

As a lot of you know, salespeople from different GovCloud/RPO companies tend to tell a story of what we will need that may not line up exactly with the truth of the CMMC rules or what my company actually needs. Thus started my deep dive into the official texts, which are lengthy and technical.

Any feedback on the CMMC Assessment Handbook would be greatly appreciated!

If nobody has actually compared the official DoD/NIST texts to Landoll's handbook, then I will do it and post a follow-up here. This subreddit has been very helpful to me and I would be happy to contribute some value!

Keep calm and CMMC on.

u/TheHeyBuddy — 5 days ago