CUI Compliant
0 NIST 800-171 gaps detected. FedRAMP Moderate authorized. Supports 27 of 110 CMMC Level 2 controls. Adds end-to-end encryption as an overlay to Gmail and Outlook.
Virtru Email Encryption
by Virtru
FedRAMP Status: FedRAMP Authorized
Impact Level: Moderate
Category
Authorized: September 10, 2020
Overview
Virtru is a FedRAMP Moderate authorized email encryption plugin for Gmail and Outlook. It adds end-to-end encryption, access controls, and audit logging to existing email platforms. More affordable than full GCC High migration but covers fewer controls than PreVeil.
Using Virtru Email Encryption in a Defense Contractor Environment
Virtru Email Encryption serves as a practical overlay solution for defense contractors handling CUI via email communications, particularly technical specifications, SOWs with performance requirements, and contractor personnel records. Within CMMC Level 2 boundaries, Virtru operates as an encryption service that processes CUI but doesn't store it long-term, requiring careful boundary definition in your SSP. The FedRAMP Moderate authorization covers Virtru's infrastructure, but contractors must implement compensating controls including DLP policies to prevent CUI transmission to unauthorized recipients, email retention policies aligned with contract requirements, and user access reviews for encryption key management. DCMA assessors typically focus on whether Virtru's encryption keys are properly managed within the authorization boundary, how CUI is marked before encryption, and whether audit logs capture sufficient detail for incident response. Key assessment areas include verification that encryption occurs before transit, confirmation that decryption keys aren't accessible to unauthorized users, and demonstration that the email encryption process doesn't inadvertently create CUI spillage to commercial platforms.
Deployment & Architecture
Deployment Model: Cloud SaaS (vendor-hosted)
Virtru Email Encryption operates within a FedRAMP-authorized boundary. CUI can be processed within the authorization scope, but contractors must verify their specific use case falls within the system's security boundary as documented in the SSP.
Implementation Guide
For a compliant Virtru deployment, contractors need 4-6 weeks for proper configuration, including policy engine setup for automatic CUI encryption, user training on classification markings, and integration testing with existing email systems. Critical steps include configuring data loss prevention rules to prevent unencrypted CUI transmission, establishing key management procedures for departing personnel, and updating incident response playbooks for encrypted email breaches.

Data considerations include ensuring encrypted email archives remain accessible for contract audit requirements and establishing procedures for emergency key escrow. User training must cover proper CUI marking before encryption, understanding of Virtru's access controls, and procedures for revoking access to previously sent encrypted emails. SSP updates must reflect Virtru as a system component processing CUI, include network flow diagrams showing encrypted email paths, and document the encryption key management process.

If migrating away due to insufficient controls, consider PreVeil for stronger end-to-end security or GCC High migration for comprehensive compliance, allowing 3-6 months for full transition including user migration and policy reconfiguration.
Configuration Checklist
1. ISSO: Define Virtru within the CMMC authorization boundary and update the SSP to reflect encrypted email processing (Week 1)
2. IT Admin: Configure the Virtru policy engine to automatically encrypt emails containing CUI markings and technical specifications (Week 2)
3. Security Admin: Implement DLP rules preventing transmission of unencrypted CUI and establish audit log collection for SIEM integration (Week 2)
4. ISSO: Develop key management procedures including emergency escrow and departing employee key revocation processes (Week 3)
5. Training Coordinator: Conduct user training on CUI marking requirements before encryption and Virtru access control features (Week 3-4)
6. IT Admin: Test integration with existing email retention systems and verify encrypted email backup procedures (Week 4)
7. ISSO: Update incident response procedures for encrypted email compromise scenarios and establish forensics procedures (Week 4)
8. Compliance Officer: Document the Virtru configuration in CMMC assessment evidence packages and prepare assessor demonstrations (Week 5-6)
Compliance Cross-References
Virtru Email Encryption primarily addresses NIST 800-171 control families SC (System and Communications Protection) through its encryption capabilities and AU (Audit and Accountability) via comprehensive email tracking. The solution triggers DFARS 252.204-7012 requirements as it processes CUI but provides compliant safeguarding through FedRAMP-authorized infrastructure. For CMMC assessment, Virtru impacts the Access Control (AC) domain through granular permission management, System and Communications Protection (SC) through end-to-end encryption, and Audit and Accountability (AU) through detailed email access logging. Assessors will evaluate Virtru's implementation across these domains, particularly focusing on whether encryption keys are properly managed within the contractor's environment and whether audit logs provide sufficient detail for incident response and compliance reporting requirements.
Frequently Asked Questions
Does Virtru make Gmail compliant for CUI?
Virtru adds encryption and access controls that address some NIST 800-171 requirements, but the underlying Gmail infrastructure remains non-FedRAMP. Virtru is a partial compliance solution best combined with other controls.
How does Virtru compare to PreVeil?
Virtru covers 27 CMMC controls versus PreVeil's 102. Virtru is simpler to deploy but provides less comprehensive compliance coverage. Both are FedRAMP authorized.