Virtru
by Virtru
Covered: 7 controls
Partial: 2 controls
Gaps: 3 controls
Overview
Virtru by Virtru is an email security solution that covers 7 NIST 800-171 controls (6% total coverage). It addresses key requirements in the email security domain for defense contractors pursuing CMMC compliance.
Implementation Notes
Deploy Virtru with FIPS-validated configurations. Integrate with your SIEM for centralized audit logging. Review partial controls quarterly to identify supplementary tooling needs.
Implementation Guidance for Virtru
Configure Virtru to maximize NIST 800-171 coverage across Access Control (AC), System and Communications Protection (SC), and Audit and Accountability (AU) families.
For AC-4 (Information Flow Enforcement), enable Virtru's Data Loss Prevention policies to automatically encrypt emails containing CUI based on content classification rules. Configure RegEx patterns for ITAR, EAR, and contract-specific identifiers. Set up persistent protection policies ensuring encrypted emails remain protected even when forwarded outside the organization.
For SC-8 (Transmission Confidentiality), configure end-to-end encryption for all outbound emails using AES-256 encryption with Virtru's key management service. Enable the Virtru Gateway to intercept and encrypt emails automatically based on domain rules and recipient validation.
For AU-2/AU-3 (Audit Events/Content), activate comprehensive logging in the Virtru Control Center to capture encryption events, key access attempts, and policy violations. Generate compliance reports showing encryption coverage rates and access patterns for assessor evidence.
Integration with Microsoft 365 or Google Workspace requires configuring mail flow rules to route CUI-containing emails through Virtru's encryption engine.
Common misconfigurations include: failing to configure proper CUI identification rules leading to unencrypted sensitive data transmission, not enabling persistent protection causing data exposure after recipient forwarding, insufficient audit log retention periods, and overly broad encryption policies that impact business operations without security benefit.
Gap Analysis & Compensating Controls
Virtru's 6% coverage leaves significant gaps in critical NIST 800-171 control families. The most substantial gaps exist in the System and Information Integrity (SI) family, particularly SI-4 (Information System Monitoring) and SI-7 (Software Integrity), which are heavily weighted in CMMC assessments. Virtru lacks endpoint detection capabilities and cannot monitor system-wide security events beyond email encryption activities.
Recommended compensating controls include deploying Microsoft Defender for Endpoint or CrowdStrike Falcon to address SI-4 requirements, and implementing application whitelisting solutions like Windows Defender Application Control for SI-7 compliance. Access Control gaps include AC-2 (Account Management) and AC-17 (Remote Access), requiring identity management solutions such as Azure AD or Okta for comprehensive user lifecycle management and multi-factor authentication. Personnel Security (PS) controls are entirely unaddressed, necessitating HR process documentation and background check procedures.
Document these gaps in your System Security Plan under the 'Compensating Controls' section and create POA&M entries with target closure dates. Priority order for gap closure: 1) SI-4 monitoring capabilities (High CMMC weight), 2) AC-2 identity management (frequent C3PAO finding), 3) PS controls (administrative implementation), 4) Remaining AC controls. Budget 12-18 months for complete gap remediation across multiple security tools and process improvements.
Compliance Cost Estimate
Virtru licensing ranges from $8-15 per user per month depending on feature set and volume, with Enterprise plans starting around $12/user/month for organizations requiring advanced DLP and persistent protection features. Initial implementation costs typically run $15,000-25,000 for professional services including policy configuration, integration setup, and user training for mid-size defense contractors (100-500 users). Ongoing monitoring and administration requires approximately 0.25 FTE security analyst time monthly for policy tuning and compliance reporting. Annual compliance costs total $25,000-40,000 for a 200-user organization including licensing, support, and internal labor. Virtru's pricing is competitive within the email security category, positioned between basic solutions like Microsoft Purview ($2-5/user) and enterprise-grade platforms like Proofpoint ($20-30/user), offering strong value for persistent encryption capabilities specifically required for CUI protection in defense contracting environments.
Compliance Cross-References
Virtru directly supports DFARS 252.204-7012 requirements for CUI protection during transmission and storage, specifically addressing the mandate for encryption of CUI in transit via email communications. For CMMC Level 2, Virtru contributes to the Access Control (AC.L2-3.1.4) domain through information flow enforcement and System and Communications Protection (SC.L2-3.13.8, SC.L2-3.13.11) through transmission confidentiality and cryptographic key management. The solution satisfies CMMC assessment objectives AC.2.007 (Control information flows) and SC.2.179 (Implement cryptographic mechanisms), but requires supplemental tools for broader AC and SC objectives. FedRAMP control alignment includes SC-8 (Transmission Confidentiality) and SC-13 (Cryptographic Protection), with Virtru's FedRAMP Moderate authorization providing inherited controls for cloud-hosted email encryption services. CMMC assessors typically award full points for email encryption implementation when Virtru is properly configured with appropriate CUI identification policies. However, organizations must implement additional access controls, system monitoring, and personnel security measures to achieve comprehensive CMMC Level 2 compliance beyond Virtru's email-focused security capabilities.
Frequently Asked Questions
How many NIST 800-171 controls does Virtru cover?
Virtru covers 7 of 110 NIST 800-171 controls (6%), with 2 partially covered and 3 gaps.
Can Virtru alone satisfy CMMC Level 2?
No single tool covers all 110 NIST 800-171 controls. Virtru covers 6% and should be part of a layered security stack addressing the remaining controls.
What controls does Virtru not cover?
Virtru does not cover controls ia-3-5-1, pe-3-10-1, cm-3-4-1. These require supplementary solutions such as physical security controls, additional access management, or media protection tools.