Audit-Ready Compliance, Built by Our CMMC-RP Team - Not a SaaS Dashboard

ComplianceArmor is the Done-For-You compliance program from Petronella Technology Group, Inc. Fixed prices for CMMC, HIPAA, PCI-DSS, and SOC 2. Built by four credentialed Cyber AB Registered Practitioners. You own every document forever. No subscription lock-in. Total budget transparent before you sign.

Cyber AB Registered Provider Organization · 4 CMMC-RP Practitioners · Founded 2002 - Raleigh, NC · Fixed Prices, No Surprise Invoices

Why most compliance projects blow past budget - and what we do differently

Compliance buyers tell us the same story over and over. They start with what looks like a clean fixed-price quote, sign a Statement of Work, then watch the bill double as "out of scope" hours, "additional control families," and "third-party audit fees" stack up. By the time they reach the C3PAO assessor or CPA firm, they have already spent six figures and the artifacts are still not audit-ready.

ComplianceArmor was built specifically to break that pattern. It is the productized Done-For-You wrapper around the four-person CMMC-RP-credentialed delivery team at Petronella Technology Group. Every package is bid at a hard dollar amount with the scope boundary, the disclaimers, and the third-party fees disclosed in the same visual block as the price - so the number you see is the number you pay us. The C3PAO assessment fee, the CPA attestation fee, and any QSA-led Report on Compliance are clearly broken out separately, never hidden.

The Four-Pillar ComplianceArmor Difference

No competitor in the market combines all four of these. That four-pillar combination is the differentiation moat behind every ComplianceArmor engagement.

1. Hard Prices

Every productized SKU has a published flat fee. No "starting at," no "depends on scope," no time-and-materials drift. If your environment falls outside the scope envelope we publish, we tell you that during the free Readiness Score - before you sign anything.

2. Two-Column Scope Honesty

Every framework page in this site shows what IS included and what is NOT included side by side. You will never have to dig through a 40-page SOW to find out the C3PAO fee, the CPA audit, or the QSA Report on Compliance is not in our number.

3. Total-Budget Transparency

We publish the typical third-party fees you will pay directly to the C3PAO, CPA, or QSA - in the same block as our price - so you can take a real total-budget number to your CFO on day one.

4. Document-Ownership Guarantee

Every artifact we deliver - System Security Plan, policies, procedures, Risk Analysis, Plan of Action and Milestones, evidence binder - is yours forever, in editable native formats, with no subscription required to read or use them. Cancel us next year and the documents stay yours.

The "What We Won't Do" Honesty Box: We will not sell you licenses you do not need. We will not tell you a Microsoft GCC High tenant is mandatory if your CUI scope does not require it. We will not promise certification - only an authorized Cyber AB C3PAO, an independent CPA, or a PCI-listed QSA can issue those, and they are deliberately separate from our work. We will tell you the truth about your total cost before you sign.

Frameworks Served

ComplianceArmor packages the documentation, control implementation, evidence collection, and assessment-readiness work for the four frameworks that drive 95%+ of regulated SMB compliance demand. Each engagement is delivered by Cyber AB Registered Practitioners under fixed-fee, fixed-timeline terms.

CMMC Level 1

CMMC Level 1 Self-Attestation, Done-For-You

From $6,997 · 21-day delivery · annual support $1,497/yr

For Department of Defense prime contractors and subcontractors handling Federal Contract Information (FCI). We build all 17 FAR 52.204-21 controls, your System Security Plan, supporting policies and procedures, and a Supplier Performance Risk System (SPRS) attestation package - so you can self-affirm with confidence and keep your DoD prime contracts. See our CMMC compliance overview for the broader Level 1/2 picture.

Required disclaimer: Self-attested. Petronella Technology Group is a Cyber AB Registered Provider Organization (RPO); RPOs are not assessors. CMMC Level 1 requires annual self-assessment. Petronella Technology Group provides documentation, implementation, and self-assessment support. Petronella Technology Group does not perform certified assessments.

CMMC Level 2 - Most Popular

CMMC Level 2 Audit-Ready and Done-For-You Managed

From $24,997 · Tier 1 docs · Tier 2 setup + monthly · 60–90 day delivery

For Department of Defense contractors handling Controlled Unclassified Information (CUI). Tier 1 delivers the full Audit-Ready Documentation Package: 110 NIST SP 800-171 controls, System Security Plan, Plan of Action and Milestones, full policy and procedure suite, control narratives, and the evidence binder a C3PAO expects. Tier 2 adds a Done-For-You managed program - SIEM, EDR, 24x7 Security Operations Center, and the implementation tooling - sized to your headcount. Tier 3 (Complete Sovereignty) adds a GCC High or PreVeil enclave and a dedicated virtual CISO for Defense Industrial Base primes. See the CMMC compliance software module for the documentation engine that powers this package.

Required disclaimer: C3PAO assessment fee ($30K–$50K typical) is separate. Only Cyber AB-authorized C3PAOs issue CMMC certificates; Petronella Technology Group does not. The independent CMMC Level 2 assessment required for certification is performed by a Cyber AB Authorized C3PAO under a separate engagement, priced separately from this package. Only the Cyber AB / Department of Defense issues CMMC certificates. Petronella Technology Group cannot guarantee assessment outcomes.

HIPAA

HIPAA Done-For-You

From $7,997 · 30-day delivery · annual support $2,997/yr

For covered entities and business associates. We build the full HIPAA program: Security Rule policies and procedures, Privacy Rule documentation, Breach Notification workflow, Business Associate Agreement template suite, full Risk Analysis aligned to NIST SP 800-66 Rev 2, and the workforce training package. HIPAA does not require an external auditor - the standard is self-attested annually. Pair with our HIPAA compliance hub, the HIPAA Security Rule guidance, and the HIPAA compliance software module already published by Petronella Technology Group.

Required disclaimer: No HHS-issued HIPAA certification exists. Engagement aligns documentation to NIST SP 800-66 Rev 2 and 45 CFR § 164.308(a)(1)(ii)(A) Risk Analysis. Self-attested. HIPAA Security Rule compliance requires a current Risk Analysis under 45 C.F.R. § 164.308(a)(1)(ii)(A) and ongoing program maintenance. Petronella Technology Group provides documentation, implementation, and Risk Analysis services to support your compliance posture.

PCI-DSS v4.0.1

PCI-DSS v4 Done-For-You

From $9,997 · 45-day delivery · annual support $3,997/yr

For merchants and service providers eligible for SAQ-D self-assessment. We build the full PCI-DSS v4.0.1 program - all 12 requirement areas, scope-reduction analysis, network segmentation mapping, ROC-equivalent documentation, and SAQ-D preparation. If your acquirer requires a Level 1 Report on Compliance (ROC), the engagement with a PCI SSC-listed Qualified Security Assessor (QSA) is sold separately and runs $25K–$75K depending on environment. We coordinate the QSA hand-off but the ROC must be issued by the QSA, never by us. See the PCI DSS compliance software module for the documentation engine that powers this package.

Required disclaimer: SAQ-D self-assessment package, not a QSA-led Report on Compliance (ROC). Listed QSA required for ROC. PCI DSS validation requirements depend on your card-acceptance level and acquirer. Self-Assessment Questionnaires (SAQ) may be completed with Petronella Technology Group support; Reports on Compliance (ROC) for Level 1 merchants must be performed by a PCI SSC-listed Qualified Security Assessor (QSA) under a separate engagement. Petronella Technology Group is not a QSA firm.

SOC 2 Type I

SOC 2 Type I Audit-Ready Package

From $14,997 · 45-day delivery · annual support $5,997/yr

For SaaS providers, MSPs, and B2B technology firms. We build the full SOC 2 Type I package - Trust Services Criteria mapping, control descriptions, policies, system description, access reviews, change-management workflow, and the evidence binder a CPA examiner expects on day one. Your independent CPA firm performs the actual attestation; we make sure their fieldwork goes fast and clean. See the SOC 2 compliance software module for the documentation engine that powers this package.

Required disclaimer: SOC 2 attestation, not certification. Only an independent CPA firm can issue the report; CPA fee ($5K–$50K typical) is separate. The independent SOC 2 Type I examination must be performed by a licensed CPA firm under a separate engagement. Petronella Technology Group is not a CPA firm and provides readiness, implementation, and evidence-collection services only.

Gap Analysis Tool

CMMC and NIST Gap Analysis - All 110 Controls

From $1,997 · 5-business-day delivery · 100% credit toward any DFY package within 90 days

Score every NIST SP 800-171 control, calculate your SPRS number on the official -203 to +110 scale, and generate a prioritized POA&M before you book a C3PAO. The CMMC gap analysis tool drives the same workflow a Cyber AB Registered Practitioner uses during a live engagement, so the deliverables you walk out with are the deliverables your assessor expects to see. Includes risk rating, cost estimate, and timeline per gap.

Required disclaimer: Gap analysis is an internal readiness exercise, not a certified assessment. Only Cyber AB-authorized C3PAOs issue CMMC Level 2 certificates and only DIBCAC issues CMMC Level 3 certificates. Petronella Technology Group is a Cyber AB Registered Provider Organization (RPO); RPOs are not assessors and the gap analysis output is not a substitute for the formal independent assessment.

SSP Generator

System Security Plan Generator - DIBCAC Ready

From $2,497 · 7-business-day delivery · included with every Tier 1 CMMC L2 package

Generate a DIBCAC-ready System Security Plan covering all 110 NIST SP 800-171 requirements with control narratives, asset inventory, network boundary diagrams, and the implementation evidence pointers a C3PAO expects on day one. The SSP generator uses the official NIST SP 800-18 Rev 1 outline and produces both the executive SSP and the supporting appendices in PDF and editable Word formats.

Required disclaimer: The SSP is a living document that must reflect your actual environment. Petronella Technology Group provides the documentation framework, control narratives, and implementation evidence templates; your designated System Security Officer is responsible for accuracy and ongoing maintenance under DFARS 252.204-7012 and 32 CFR Part 117 NISPOM.

Privacy Add-On

CCPA + State Privacy Law Add-On

From $4,997 · bundled with any framework above

For businesses subject to California's CCPA/CPRA or any of the dozen-plus state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, and the rest of the wave). The CCPA compliance software module generates the privacy notice, the data-subject-request workflow, the opt-out mechanisms, and the records-of-processing register your privacy program needs. Add it to a CMMC, HIPAA, PCI, or SOC 2 engagement and we will reuse the controls you already built.

Required disclaimer: No state issues a "CCPA certificate" - the standard is self-attested. Petronella Technology Group is not a law firm; the privacy notice and contractual templates we deliver are legal-format documents reviewed by counsel of record at engagement start, not a substitute for independent legal counsel.

Full Pricing - Every SKU, Every Disclosure

Same numbers you see anywhere else in this site. Same disclosures in the same block. Use this table as the single source of truth for budget conversations with your CFO.

SKU | Price | Delivery | What's Included | What's NOT Included (paid directly to third party)
Free Readiness Score | $0 | 15 minutes | Web tool - quick CMMC, HIPAA, or SOC 2 self-assessment with action list | Nothing - fully free lead magnet
Gap Assessment + Roadmap | $1,997 | 5 business days | Live interview, control-by-control gap report, 12-month remediation roadmap. 100% credit toward any DFY package within 90 days. | None at this stage
CMMC Level 1 DFY | From $6,997 | 21 days | 17 FAR 52.204-21 controls, SSP, policies, SPRS attestation prep | None - Level 1 is self-attested. RPOs are not assessors.
CMMC Level 2 Tier 1 (Audit-Ready Docs) | From $24,997 | 60–75 days | All 110 NIST SP 800-171 controls, SSP, POA&M, full policy and procedure suite, control narratives, evidence binder | C3PAO assessment fee $30K–$50K typical, paid to a Cyber AB-authorized C3PAO. RPOs cannot issue certificates.
CMMC L2 Tier 2 - Small (5–25 employees) | From $24,997 setup + $5,997/mo | 60–90 days | Tier 1 plus SIEM, EDR, 24x7 SOC, tooling, ongoing program management | C3PAO assessment fee $30K–$50K, paid separately
CMMC L2 Tier 2 - Medium (26–100 employees) | From $34,997 setup + $9,997/mo | 60–90 days | Tier 1 plus SIEM, EDR, 24x7 SOC, tooling, ongoing program management | C3PAO assessment fee $30K–$50K, paid separately
CMMC L2 Tier 2 - Large (101–500 employees) | From $54,997 setup + $14,997/mo | 75–120 days | Tier 1 plus SIEM, EDR, 24x7 SOC, tooling, ongoing program management | C3PAO assessment fee $30K–$50K, paid separately
HIPAA Done-For-You | From $7,997 | 30 days | Security Rule, Privacy Rule, Breach Notification, BAA suite, Risk Analysis aligned to NIST 800-66 Rev 2, training | None - HIPAA is self-attested. No HHS-recognized certification exists.
PCI-DSS v4 Done-For-You | From $9,997 | 45 days | All 12 PCI-DSS v4.0.1 requirement areas, scope-reduction analysis, ROC-equivalent docs, SAQ-D prep | QSA-led Report on Compliance $25K–$75K (Level 1 merchants only), paid to a PCI SSC-listed QSA
SOC 2 Type I Audit-Ready | From $14,997 | 45 days | Trust Services Criteria mapping, policies, system description, control narratives, evidence collection | CPA attestation fee $5K–$50K typical, paid directly to your independent CPA firm

Scope Adjustments - Transparent Up-Front, Not Surprise Change Orders

Every "From" price assumes a reasonable SMB scope: 1 location, 5–50 employees, single CUI type, no GCC High or PreVeil enclave, U.S.-only operations. Real engagements vary; rather than bury that in a quote later, we publish the adjustments here. Numbers below are added to (or subtracted from) the base "From" price during your discovery call. Final fixed fee is locked in writing before you sign - no change orders mid-project.

Scope variable | Adjustment | Why
Each additional physical location | +$3,500 | Extra physical-safeguards documentation, site-specific CUI boundary mapping, additional interview prep
51–100 employees | +$5,000 | Scaled access reviews, training distribution, evidence collection
101–250 employees | +$10,000 | Larger org-chart complexity, more role mappings, expanded interview prep
251–500 employees | +$20,000 | Multi-business-unit coordination, layered approval workflows
500+ employees | Custom-quoted | Enterprise scope; we will provide a fixed fee on the discovery call
GCC High or PreVeil enclave documentation | +$15,000 | Enclave-specific architecture diagrams, sovereign-cloud control inheritance, additional interview prep
Multi-CUI-type or export-controlled CUI (ITAR, EAR) | +$5,000 | Additional CUI handling procedures, type-specific control narratives
Specialized CUI (critical infrastructure, defense critical, NOFORN) | +$7,500 | Enhanced control set, additional aggregation analysis
Existing ISO 27001, NIST CSF, or SOC 2 already in place | −$3,000 | Maturity discount: documented controls reduce policy authoring effort
Existing approved CMMC L1 self-attestation (for L2 buyers) | −$3,500 | Foundation already laid; we extend rather than rebuild

All adjustments are disclosed and locked into a written fixed-fee proposal before any work begins. Worked example: a 120-employee defense contractor with two locations, single-CUI scope, and existing ISO 27001 → CMMC Level 2 Tier 1 = $24,997 base + $3,500 (extra location) + $10,000 (101–250 employees) − $3,000 (ISO maturity discount) = $35,497 fixed fee. C3PAO assessment fee ($30K–$50K typical) is separate and paid directly to the C3PAO. We do not certify; only Cyber AB-authorized C3PAOs issue CMMC certificates.

Audit-Ready Maintenance (annual support, optional)

Year 1 is bundled at no additional charge if prepaid with the package; $4,997 if added later. Annual support keeps your documentation current as standards drift, refreshes your Risk Analysis, and updates control narratives as your environment changes.

Framework | Annual Support
CMMC Level 1 | $1,497/yr
HIPAA | $2,997/yr
PCI-DSS v4 | $3,997/yr
CMMC Level 2 Tier 1 | $5,997/yr
SOC 2 Type I | $5,997/yr

Three-year prepay locks in 15% off per year (save 25% vs annual). CMMC L1 → L2 upgrade path: $6,997 credit toward L2 if upgraded within 12 months of L1 purchase.

The ComplianceArmor Audit-Ready Guarantee

If your assessor finds a gap in any artifact we delivered, we fix it free within 30 days. If you fail certification because of our work, we refund 50% of the package fee.

This guarantee is the strongest signal we can send that we stand behind our deliverables. Certification outcomes are issued only by Cyber AB-authorized C3PAOs, independent CPA firms, or PCI SSC-listed QSAs - Petronella Technology Group is none of those. The guarantee is scoped to the artifacts we deliver, which is what we can actually control.

Bundles - Stack Frameworks, Save Real Money

Most regulated SMBs need two or three of these frameworks. The bundles do the math up front so you never have to assemble it yourself - and the document architecture is unified, which means one Risk Analysis, one set of policies, and one evidence binder serves all bundled frameworks.

CMMC L2 Tier 1 + HIPAA

$34,997
Save $5,000 (12.5% off)

For Defense Industrial Base healthcare suppliers, military medical contractors, and DoD-subcontracting health-tech companies.

HIPAA + SOC 2 Type I

$18,997
Save $4,000 (17% off)

For healthcare SaaS, telehealth platforms, EHR integrators, and B2B health-tech vendors selling to covered entities.

PCI-DSS + SOC 2 Type I

$19,997
Save $5,000 (20% off)

For payment processors, fintechs, and SaaS firms handling cardholder data alongside customer trust commitments.

HIPAA + PCI + SOC 2

$24,997
Save $7,994 (24% off)

The "no-brainer" anchor for healthcare-payment SaaS and any platform handling PHI plus card data plus SaaS trust criteria.

All bundle disclaimers carry forward from the individual frameworks: C3PAO assessment fees, CPA attestation fees, and QSA Report on Compliance fees are separate, paid directly to the third party, and disclosed in the individual SKU rows above.

How It Works - The Six-Step ComplianceArmor Process

Every engagement runs through the same six-step wizard, the same delivery rhythm, and the same evidence-collection workflow. The Done-For-You SaaS at petronella.ai/compliancearmor/ mirrors these steps so your team always knows where the project sits.

1. Free Readiness Score

Take the 15-minute self-assessment. Get a numeric score, a control-family heat map, and a clear list of what to fix first. No salesperson, no email follow-up trap.

2. Discovery Call + Gap Assessment

30-minute call with a CMMC-RP. If you want a deeper review, the $1,997 Gap Assessment delivers a full control-by-control gap report and 12-month roadmap. 100% credited toward any DFY package within 90 days.

3. Scope Lock + Fixed-Fee SOW

We agree on the assessment boundary, the in-scope systems, and the deliverable list. The Statement of Work has one number on it. No T&M. No surprise scope creep.

4. Documentation + Implementation Sprint

Our four-RP team builds the SSP, policies, procedures, Risk Analysis, control narratives, and evidence binder. For Tier 2 engagements we also stand up the SIEM, EDR, and 24x7 SOC.

5. Audit-Ready Hand-Off

You receive every artifact in editable native formats, the evidence binder pre-organized exactly the way assessors expect to see it, and a walk-through session for your internal team and your future C3PAO, CPA, or QSA.

6. Ongoing Audit-Ready Maintenance

Optional. Year 1 bundled if prepaid. Keeps your program current through standards drift, environment changes, and the inevitable annual self-attestation cycle.

Why the ComplianceArmor Team Is Qualified to Do This Work

Every deliverable is built by a Cyber AB Registered Practitioner (CMMC-RP). Petronella Technology Group is a Cyber AB Registered Provider Organization (RPO). RPOs are not assessors, by deliberate Cyber AB design - and that separation is exactly what makes us trustworthy: we have no incentive to "find" or "miss" anything in your environment because we do not issue your certificate.

Craig Petronella

Founder & CEO
  • CMMC-RP
  • CCNA, CWNE
  • Digital Forensic Examiner #604180
  • Published author, multiple cybersecurity books

Blake Rea

Senior Compliance Architect
  • CMMC-RP
  • NIST SP 800-171 / 800-53 specialist
  • Defense Industrial Base focus

Justin Summers

Implementation Lead
  • CMMC-RP
  • SIEM, EDR, SOC architecture
  • Tier 2 managed program delivery

Jonathan Wood

Documentation & Risk Analysis Lead
  • CMMC-RP
  • HIPAA, SOC 2, PCI-DSS documentation
  • Audit-ready evidence binder specialist

Petronella Technology Group has been delivering managed IT and cybersecurity services from Raleigh, North Carolina since 2002. ComplianceArmor is the productized expression of that two-decade body of work. Pair it with our broader IT services, cybersecurity, cybersecurity audit, and security awareness training programs for full-stack defense.

How ComplianceArmor Compares

Side-by-side honesty for the CMMC Level 2 buyer - the most complex and highest-stakes decision most regulated SMBs face. The same shape applies for HIPAA, PCI-DSS, and SOC 2 buyers.

Dimension | ComplianceArmor Tier 2 | Big 4 Consultancy | Boutique RP Firm | Vanta / Drata
Year-1 total (50-emp company) | ~$155K + C3PAO | $200K–$400K + C3PAO | $80K–$150K + C3PAO | $15K/yr + you DIY everything else
Fully RP-credentialed team | Yes - 4 RPs | Variable | Sometimes 1–2 | No
Includes 24x7 SOC | Yes | Sold separately | Rare | No
Includes SIEM & EDR | Yes | Sold separately | Rare | No
You own the documents forever | Yes | Usually | Yes | No - subscription
C3PAO fee disclosed up front | Yes - every page | Variable | Variable | Often unclear
Productized fixed price | Yes | No | Sometimes | Yes (limited scope)
Can we be your C3PAO? | No (by required Cyber AB separation) | No | No | No

Frequently Asked Questions

Do you actually certify us, or do we still need a C3PAO, CPA, or QSA?

You still need the independent third party. By design. CMMC certificates are issued only by Cyber AB-authorized C3PAOs. SOC 2 reports are issued only by independent CPA firms licensed to do attestation work. PCI-DSS Reports on Compliance for Level 1 merchants are issued only by PCI SSC-listed Qualified Security Assessors. HIPAA has no recognized certification at all - it is self-attested. ComplianceArmor delivers the documentation, controls, and audit-ready evidence binder that make those independent third-party engagements go smoothly. We are deliberately not your assessor - that separation is what protects the integrity of your certificate and is required by the Cyber AB Code of Professional Conduct.

What is actually included in each package?

Every framework page in this site uses a two-column "Yes / No" disclosure right next to the price. In short: we include the System Security Plan, all required policies and procedures, control narratives or implementation descriptions, the Risk Analysis or risk assessment, the Plan of Action and Milestones, the evidence binder, and a hand-off walk-through session. We do not include the C3PAO assessment fee, the CPA attestation fee, the QSA Report on Compliance fee, or any third-party software licenses you might need (Microsoft GCC High, Microsoft 365 E5, etc.) - those are paid by you directly to the third party at their listed market rate.

How is this different from Vanta, Drata, Secureframe, or other compliance SaaS?

Three big differences. First, those platforms are evidence-collection software with you as the implementer; ComplianceArmor is a Done-For-You service where four CMMC-RPs build your program for you. Second, those platforms hold your documents on their platform - when you cancel, you lose your documents. ComplianceArmor delivers every artifact in editable native formats that you own forever, regardless of whether you keep us on retainer. Third, those platforms target a broad horizontal market and do not ship deep CMMC Level 2 expertise out of the box; we are CMMC-RP-credentialed end to end. They are great for ongoing automated evidence collection if your team has the time. We are great for getting audit-ready when your team does not.

How much will it actually cost - total - to get certified?

For CMMC Level 2 the total Year-1 number for a 50-employee company is roughly: ComplianceArmor Tier 2 Medium ($34,997 setup + 12 × $9,997 monthly = $154,961) + C3PAO assessment ($30K–$50K typical) = approximately $185K–$205K all in. For HIPAA the total is just our $7,997 - there is no third party. For SOC 2 Type I the total is our $14,997 + your CPA's attestation ($5K–$50K). For PCI-DSS SAQ-D the total is just our $9,997; only Level 1 merchants need the QSA-led ROC. We publish these numbers up front because telling you the truth about total cost is the point.

What happens if we fail the assessment?

The Audit-Ready Guarantee covers two scenarios. First, if your assessor finds a gap in any artifact we delivered, we fix it free within 30 days. Second, if you fail certification because of our work, we refund 50% of the package fee. The guarantee is scoped to artifacts we delivered because that is what we can control. We cannot guarantee certification outcomes - only the C3PAO, CPA, or QSA can - but we can guarantee our work product, which is what most failed assessments actually trace back to.

Do we own the documents you create?

Yes. Forever. In editable native formats. With no subscription required to read, modify, or use them. Cancel us next year and the documents stay with you. This is a deliberate counter-position to compliance SaaS lock-in, which is the most common complaint from former Vanta and Drata customers on G2.

How long does the engagement take?

CMMC L1 is 21 days. HIPAA is 30 days. PCI-DSS and SOC 2 Type I are 45 days each. CMMC L2 Tier 1 (docs only) is 60–75 days. CMMC L2 Tier 2 (managed) is 60–90 days, with the SOC and SIEM live by day 30. CMMC L2 Tier 2 Large (101–500 employees) is 75–120 days. These are real timelines, not aspirational ones - they are how long the actual artifact production and implementation work takes when the project is run end to end by an RP team.

Why is your team qualified to do this?

Petronella Technology Group is a Cyber AB Registered Provider Organization (RPO). All four delivery practitioners - Craig Petronella, Blake Rea, Justin Summers, and Jonathan Wood - are CMMC-RP credentialed. Craig also holds CCNA, CWNE, and Digital Forensic Examiner #604180, and is a published cybersecurity author. The firm has delivered managed IT and cybersecurity services from Raleigh, North Carolina since 2002. Three of our four practitioners cross-train on HIPAA, SOC 2 Type I, and PCI-DSS v4.0.1 in addition to CMMC.

Can we cancel mid-engagement?

Yes. The fixed-fee Statement of Work has a defined deliverable schedule. If you cancel before final hand-off, you keep every artifact produced to date and we refund the unearned portion of the fee. We do not charge cancellation penalties because we are confident in the outcome - most cancellations we have seen are scope changes that turn into scope expansions, not exits.

Do you cover other frameworks?

The five productized frameworks above cover roughly 95% of regulated SMB demand: CMMC Level 1, CMMC Level 2 (three tiers), HIPAA, PCI-DSS v4.0.1, and SOC 2 Type I. We also support adjacent frameworks - NIST CSF, NIST SP 800-53, ISO 27001, FedRAMP Low/Moderate, FTC Safeguards Rule, and DFARS 252.204-7012 - under custom Statements of Work. Talk to us during the discovery call about your specific framework set.

What happens after we are certified?

Most certifications are annual or tri-annual cycles. Audit-Ready Maintenance keeps your documentation current as standards drift, refreshes your Risk Analysis, and updates control narratives as your environment changes. Year 1 is bundled if prepaid with the package; afterward it is a per-framework annual subscription. Three-year prepay locks in 25% savings versus year-by-year.

Is the C3PAO, CPA, or QSA fee negotiable?

Sometimes - but never with us. Those fees are paid directly to the third-party assessor and are entirely outside our scope. We can introduce you to C3PAOs we have worked with successfully, and we can help you scope the engagement to keep their fee at the lower end of the market range, but the actual fee is theirs to set. This is by deliberate Cyber AB design: separating the implementer (us) from the assessor (them) is what makes the certificate meaningful.

Ready to See Your Compliance Number?

Start with the free Readiness Score, run the ROI calculator to compare DIY vs Done-For-You cost, or book a 30-minute discovery call with a CMMC-RP. We will tell you the truth about your scope, your timeline, and your total cost - including the third-party fees that are not ours - before you sign anything.

Or email [email protected] - we typically respond within one business day.

Petronella Technology Group, Inc. · 5540 Centerview Dr. Suite 200, Raleigh, NC 27606 · Cyber AB RPO

Prefer to send us a note?

Tell us your framework, your headcount, and your target assessment date. A CMMC-RP will reply with a fixed-fee bid and a real timeline within one business day. Or jump straight to our contact page for the full form.