Meet and exceed CMMC requirements for secure file transfer

Protect controlled unclassified information (CUI) from unauthorized access with end-to-end encryption to prepare your organization for Cybersecurity Maturity Model Certification (CMMC).

Prepare for CMMC compliance requirements with secure file transfer


Handling CUI means you must implement safeguards for covered defense information from DFARS 252.204-7012 and meet requirements within NIST SP 800-171 for protecting the confidentiality of CUI in nonfederal systems. Unfortunately, everyday data and document sharing applications, such as email, put CUI’s confidentiality at risk, especially in cloud environments.

DropSecure empowers your organization to securely transfer data and documents with end-to-end encryption. Our secure file transfer platform protects CUI from unauthorized access everywhere it’s shared, with user-friendly end-to-end data and document encryption that support NIST and DFARS requirements for protecting CUI.

End-to-End Encryption
DropSecure military-grade encryption is based on randomly generated FIPS-140 validated AES 256-bit symmetric keys, generated fresh for every file version saved on the platform. Keys are protected by multiple layers of wrapping so only the parties with explicit data access can decrypt. DropSecure offers zero-knowledge encryption so that we cannot access your data even if we wanted to.

Government cloud
For CMMC-regulated organizations, DropSecure runs on the highest-security AWS GovCloud (US) designed to host sensitive data, regulated workloads, and address the most stringent U.S. government security and compliance requirements.

Secure Sharing
Enable seamless, secure CUI sharing throughout contracting and supply chain collaboration workflows, while maintaining persistent control and visibility.

  • Control default settings for when links expire
  • Auto-delete files so you don’t keep sensitive data on the cloud when not needed.
  • Links sent to unregistered users are protected by one time passcode automatically.
  • Track user IP addresses from user activity logs.
  • Receive automatic notifications when your files are accessed

Granular access control
Track and control access to accounts and files with administrative tools for granular access control, user management, account security, and oversight.

  • Administrators can Enforce multi-factor authentication (MFA) for all registered users.
  • Granular access control available to ensure least privileges for shared folders
  • Reset user passwords (DropSecure does not have access)
  • Access all files sent/received by anyone in the department

DropSecure CMMC practice support checklist PDF

CMMC PracticeDescriptionHow DropSecure helps with compliance
Access Control (AC)
AC.1.001Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).Only authorized recipients get access to documents. Even DropSecure cannot access your documents, allowing you to achieve the highest compliance possible.
AC.1.002Limit information system access to the types of transactions and functions that authorized users are permitted to execute.We have extensive roles based access control (RBAC) so only authorized users can execute.
AC.2.008Use non-privileged accounts or roles when accessing nonsecurity functions.Yes, only privileged accounts have access to security functions.
AC.2.005Provide privacy and security notices consistent with applicable CUI rules.Yes. All end users are notified of changes
AC.2.007Employ the principle of least privilege, including for specific security functions andprivileged accounts.Everything is private by default and only accessible by authorized recipients.
AC.2.009Limit unsuccessful login attempts.This policy is configurable. Account administrator can determine how many unsuccessful attempts are allowed before locking the account.
AC.2010Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.After the session timeout, users will need to re-authenticate
AC.3.012Protect wireless access using authentication and encryption.Regardless of the transport mode everything is protected via authentication and encryption
AC.3.014Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.Yes, all data and documents, even filenames are encrypted with AES-256 based symmetric encryption and the keys are then protected by Asymmetric encryption.
AC.3.017Separate the duties of individuals to reduce the risk of malevolent activity without collusion.Yes, administrators can define different roles and access levels for CUI, reducing the risk of collusion.
AC.3.018Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.Yes, any functions not accessible are protected and reported in logs
AC.3.019Terminate (automatically) user sessions after a defined condition.Yes, sessions are automatically terminated after a default 30 mins of inactivity.
Audit and Accountability (AU)
AU.2.041Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.Each user gets a unique ID and all actions are tracked
AU.2.042Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.All audit activity is available online. Administrators have full visibility of all account activity.
AU.2.043Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.All times are recorded in UTC and can be converted to the user’s local time zone when needed.
AU.2.044Review audit logsThe DropSecure platform enables system administrators and CUI managers to review logged events. The logs cannot be deleted or modified.
AU.3.045Review and update logged eventsThe logs can be reviewed but not updated or deleted.
AU.3.046Alert in the event of an audit logging process failure.To be implemented
AU.3.048Collect audit information (e.g., logs) into one or more central repositories.DropSecure can push the logs to your SIEM systems
AU.3.049Protect audit information and audit logging tools from unauthorized access, modification, and deletion.Logs are only viewable by Administrators and CUI managers.
AU.3.050Limit management of audit logging functionality to a subset of privileged users.Logs in DropSecure platform are protected from editing and deletion
AU.3.051Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.Logs can be exported to a SIEM system for further analysis and correlation with other events.
AU.3.052Provide audit record reduction and report generation to support on-demand analysis and reporting.Logs can be exported to a SIEM system for further analysis and correlation with other events.
Security Assessment (CA)
CA.2.157Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.DropSecure's government solution runs on AWS government infrastructure which is SOC compliant.
CA.2.158Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.DropSecure continuously monitors its services and they are running on AWS government cloud which is SOC compliant.
CA.2.159Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.DropSecure continuously monitors its services and they are running on AWS government cloud which is SOC compliant.
CA.3.161Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.DropSecure continuously monitors its services and they are running on AWS government cloud which is SOC compliant.
CA.3.162Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.DropSecure continuously monitors its services and they are running on AWS government cloud which is SOC compliant.
CA.4.163Create, maintain, and leverage a security strategy and roadmap for organizational cybersecurity improvement.DropSecure continuously monitors its services and they are running on AWS government cloud which is SOC compliant.
Configuration Management (CM)
CM.2.061Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.DropSecure can provide the configuration information for its government cloud.
CM.2.062Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.DropSecure employs extensive RBAC (role based access controls) to provide only the required access to necessary individuals
CM.2.064Establish and enforce security configuration settings for information technology products employed in organizational systems.DropSecure employs extensive RBAC (role based access controls) to provide only the required access to necessary individuals
CM.2.066Analyze the security impact of changes prior to implementation.Any changes go through extensive testing and security assessment.
Systems and Communications Protection (SC)
SC.3.177Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.Yes, we use AES-256 encryption which is FIPS 140-2 validated.
SC.3.185Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguardsAll data and documents, even filenames, are encrypted with AES-256 based symmetric encryption and the keys are then protected by asymmetric encryption.
SC.3.190Protect the authenticity of communications sessions.All exchanges happen via SSL
SC.3.191Protect the confidentiality of CUI at rest.Due to our end-to-end encryption, data is protected at rest by default.
We are here to help.
Contact Support

Our security goes beyond compliance

Criminal Justice Information Services (CJIS) Health Insurance Portability and Accountability Act SOC for Service Organizations Federal Information Processing Standard (FIPS) Publication Defense Federal Acquisition Regulation Supplement (DFARS) Payment Card Industry Data Security Standard General Data Protection Regulation

Secure cloud sharing starts with DropSecure

With DropSecure, the keys to unlock your data are never shared with anyone you didn't intend to share with, including us. That means you get real privacy behind our military-grade encryption and file transfer technology. Discover the most secure way to share your documents.

Awards and Achievements