Federal & Defense Industrial Base

Cybersecurity Built for Defense Contractors and DIB Suppliers

Petronella Technology Group serves DoD primes, defense subcontractors, and federal civilian suppliers operating under CMMC 2.0 (Levels 1, 2, and 3), DFARS 252.204-7012, NIST SP 800-171 Rev 2 and Rev 3, and ITAR. Twenty-three years of experience helping North Carolina contractors win awards, survive flow-down clauses, and protect Controlled Unclassified Information.

CMMC RPO #1449 | BBB A+ Since 2003 | NC DFE #604180

Who You Are

Federal contractors live with a different kind of risk

If you handle Controlled Unclassified Information for a Department of Defense prime, hold a federal civilian contract that touches FCI, or sit anywhere in the Defense Industrial Base supply chain, your cyber posture is no longer just a security question. It is a contract eligibility question, a False Claims Act question, and an export-control question all at once. We work with companies that have already been hit by all three.

The defense buyers we talk to every week are running engineering shops, machine shops, software teams, integration vendors, R&D suppliers, IT subcontractors, and professional services firms feeding Fort Liberty, Camp Lejeune, Cherry Point MCAS, Seymour Johnson AFB, MCAS New River, the SOFWERX ecosystem, and the broader RTP federal civilian footprint. They share three traits: a prime contract requirement they can read but cannot operationalize, a 90-day flow-down notice in the inbox, and a leadership team that knows non-compliance is now an existential business problem.

"My prime sent a flow-down clause and gave us 90 days"

Lockheed, RTX, Northrop, BAE, GD, L3Harris, and the second-tier integrators are pushing CMMC 2.0 expectations down their supply chain ahead of the official rule clock. You have one quarter to produce an SSP, an SPRS score, and a defensible POAM or you lose the work.

"We lost an RFP because we did not have an SPRS score"

SAM.gov contracting officers are pulling the Supplier Performance Risk System score before they award. A blank score, a stale score from 2024, or a self-assessment with implausible "implemented" answers all kill the bid before it gets to price.

"Our pre-award assessment came back with too many gaps"

DCMA reviewers and prime-led pre-award assessments compare your stated SPRS score to your control evidence. A 110 implementation claim with 35 unimplemented controls is a False Claims Act exposure, not a paperwork mismatch.

"We are exporting controlled technical data and our IT team is in India"

ITAR and EAR limit who can touch defense articles and technical data. Offshore IT, foreign nationals on the network, and unscoped cloud admins all create reportable violations. Most contractors discover this during their first audit.

DIB Threat Landscape

Why nation-state actors target your supply chain

The Defense Industrial Base is the persistent number-one target of state-sponsored cyber actors. APT groups attributed to China (APT41, APT10, MUSTANG PANDA), Russia (APT28, APT29), Iran (APT34, APT35), and North Korea (Lazarus, APT37) hunt CUI with patience that small commercial businesses rarely encounter. They do not phish for crypto-clipper paydays. They want your CAD files, your test data, your contract specs, your supplier list, your engineering change orders, and the credentials of the engineer cleared to read all of it.

The damaging campaigns of the last several years (SolarWinds, MOVEit, Sunburst-derivative supply chain attacks, the wave of compromises against Tier 2 and Tier 3 DIB suppliers, and the steady drumbeat of MSP intrusions used to pivot into defense customers) all share the same playbook: compromise the smallest reachable supplier, dwell quietly, and exfiltrate enough technical data to short-circuit a foreign program. Pre-award due diligence has tightened in response. Primes now ask for evidence, not attestations. The federal civilian agencies (DHS, DOE, GSA) are following the same path under NIST SP 800-53 alignment requirements.

Petronella Technology Group runs incident response engagements every quarter that involve at least one DIB supplier breach. The pattern is consistent: a Tier 3 subcontractor with a flat network, a single MSP with offshore admins, no network forensics capability, and no segmented enclave for CUI. By the time their prime calls them, the dwell time is measured in months. Our work as data breach forensics investigators on these cases informs every assessment we run for defense contractors today.

Regulatory Reality

CMMC, NIST, DFARS, ITAR: what actually applies to you

Federal cyber compliance is a stack, not a checklist. Each layer answers a different contract question, and missing one collapses the others. We map every client to the layers that actually apply (most contractors carry three or four simultaneously) so the program covers eligibility without paying for capability you do not need.

DoD Mandate

CMMC 2.0 Levels 1, 2, and 3

Level 1 covers Federal Contract Information with 17 basic safeguarding practices and an annual self-assessment plus an executive affirmation in SPRS. Level 2 applies whenever you handle CUI: 110 NIST SP 800-171 Rev 2 controls plus a triennial third-party assessment by a C3PAO, with annual affirmations in between. Level 3 sits on top of Level 2 for the most sensitive programs (a subset of NIST SP 800-172 enhanced security requirements) and requires a government-led DIBCAC assessment. We support readiness work across all three, including the few clients staring down a Level 3 trigger.

CMMC compliance overview

DFARS Clause

DFARS 252.204-7012, -7019, -7020, -7021

The 7012 clause requires "adequate security" (NIST SP 800-171 Rev 2 today, transitioning to Rev 3) plus a 72-hour incident report to DoD via DIBNet and 90-day media preservation. The -7019 clause requires SPRS posting. -7020 forces government access for verification. -7021 introduces the CMMC requirement directly into solicitations. If you have read your contract and are not sure which clauses you are bound by, that is exactly the conversation we have on the first call.

Map your DFARS exposure

CUI Standard

NIST SP 800-171 Rev 2 and Rev 3

Rev 2 (110 security requirements across 14 families) is the active baseline for CMMC Level 2. Rev 3 (97 requirements, restructured, with new families and a tighter privacy overlay) becomes the assessment standard on the published transition timeline. We build SSPs to Rev 2 today with explicit Rev 3 traceability so your evidence stays usable when the standard rolls forward.

NIST 800-171 service page

Federal Civilian

NIST SP 800-53 + FISMA + FedRAMP

Federal civilian contractors (GSA, DHS, DOE, VA, IRS, USDA suppliers) usually fall under NIST SP 800-53 control baselines, FISMA Moderate or High, and FedRAMP-authorized cloud requirements when CUI is in the cloud. We map these against your DoD obligations so a single control set carries multiple authorities.

NIST 800-53 controls

Export Control

ITAR & EAR for Technical Data

If your CUI includes export-controlled technical data (USML categories or EAR 600-series items), you carry an additional layer of access control: U.S.-person-only access, geofencing, no offshore admin, and explicit authorization for foreign nationals. ITAR violations carry criminal penalties; Section 38 of the Arms Export Control Act is not a paperwork problem.

False Claims

SPRS scoring & FCA exposure

The 2022 DOJ Civil Cyber-Fraud Initiative made False Claims Act enforcement against contractors with overstated SPRS scores a stated priority. Our SPRS work is conservative on purpose: every "implemented" answer maps to evidence we can show a DCMA reviewer or DOJ investigator without the answer changing.

Who We Work With

Defense subcontractors and federal suppliers across North Carolina

Most of our defense work sits in the Tier 2 and Tier 3 supplier band: companies that take subcontract awards from Lockheed, RTX, Northrop, GD, BAE, L3Harris, Booz Allen, Leidos, and SAIC, plus the dozens of smaller integrators flowing work down. Our clients build, design, machine, software-engineer, integrate, test, transport, and consult on defense systems. Their employee counts run from 8 to 800. Their CMMC obligation runs from Level 1 (basic FCI) to Level 2 (the bulk of CUI work) to a small but rising Level 3 trigger for cleared programs.

Fort Liberty (Bragg) ecosystem

Special operations support, language services, soldier-systems integrators, and engineering subs supporting USASOC, JFKSWCS, and 18th Airborne Corps program offices.

Camp Lejeune & MCAS Cherry Point

Aviation MRO, expeditionary logistics, marine systems engineering, and II MEF program suppliers with active DCMA oversight on their CUI handling.

Seymour Johnson AFB & F-15E supply

Avionics, ground support equipment, propulsion, and survivability vendors carrying DFARS clauses and ITAR-flagged technical data.

RTP federal civilian

EPA, NIH, USGS, NASA, and DOE national-lab contractors operating in Research Triangle Park under NIST SP 800-53 baselines.

GSA schedule holders

MAS contractors, 8(a) small businesses, SDVOSBs, and HUBZone firms with multi-agency BPA exposure.

DIB engineering firms

Architecture-engineering joint ventures, civil engineering subs supporting USACE, and design-build firms feeding NAVFAC and AFCEC. See our engineering-firm work.

Credentials That Matter to a CO

Why federal contracting officers take our calls

Pre-award due diligence is now part of the buying process, and your cybersecurity partner sits inside that diligence package. Petronella Technology Group earned credentials that matter to the people writing the contracts and reviewing the responses, not just the buyers comparing logos.

CMMC-AB: Registered Provider Organization #1449. Verified at cyberab.org. Our team-wide CMMC Registered Practitioner roster covers Craig Petronella, Blake Rea, Justin Summers, and Jonathan Wood.

Forensics Bench: NC DFE #604180. Craig Petronella holds North Carolina Digital Forensic Examiner license #604180, a credential that makes our DFARS 7012 incident-response work usable in court if the breach goes that far.

Track Record: BBB A+ since 2003. Founded 2002. Same firm, same family, same address: 5540 Centerview Dr., Suite 200, Raleigh, NC 27606.

Engineering Bench: CCNA & CWNE. Network engineering credentials backed by hands-on enclave deployments. Not a paper-only compliance shop.

Real Buyer Scenarios

Three conversations we have every week

"Lockheed gave us 90 days to provide a CMMC L2 readiness plan or we lose the program."

This is the most common opening call. We start with a same-week scoping conversation, define the CUI boundary, run a focused gap assessment against NIST SP 800-171 Rev 2 controls, produce an SSP and POAM that satisfy the prime's pre-award reviewer, and post a defensible SPRS score. The work fits inside the 90-day window when started on day one.

"We bid on a SAM.gov solicitation and the CO disqualified us for a missing SPRS score."

SPRS is now a gating field, not a follow-up. We help contractors stand up an honest self-assessment in two to four weeks, post the score, and then build the remediation plan that supports the next bid cycle. We do not push contractors to inflate scores to win the next opportunity. False Claims Act exposure costs more than the contract.

"Our pre-award DCMA review found 30 control gaps. We have six weeks to close them."

We triage by SPRS impact (negative-value controls hurt your score most), focus the engineering team on the technical controls that move the score, and produce evidence packages auditors accept. Six weeks is tight. Eight weeks is realistic. We will tell you which gaps cannot be honestly closed in your window and how to position the POAM so the prime keeps you in the running.

"We are exporting controlled technical data and our outsourced IT is overseas."

This is an ITAR violation in progress. We help repatriate administration, lock the network to U.S.-person access, set up the enclave so the IT layer cannot see the controlled data, and produce a corrective action plan you can show DDTC if the regulator surfaces. We have run this engagement enough times to know how the disclosure conversation goes.

Want to see exactly what we deploy?

This page is the buyer-identity view. If you want the technical deliverable detail (CUI Enclave Reference Architecture, SSP authoring service, POAM management, SPRS scoring uplift, DFARS 7012 incident reporting workflow, and the per-CMMC-level deliverable matrix), it lives on the deliverable companion page. Same firm, deeper technical layer.

See the federal-contractor stack we deploy →

FAQ

Defense contractor cybersecurity questions

Do I need CMMC Level 1, Level 2, or Level 3?

Read your contract. If you handle only Federal Contract Information (FCI) without any CUI markings, Level 1 (annual self-assessment, 17 controls) is your obligation. If you handle Controlled Unclassified Information at any point in the contract, Level 2 (110 controls, triennial C3PAO assessment) is the floor. Level 3 (additional NIST SP 800-172 enhanced controls, government DIBCAC assessment) is rare and reserved for the most sensitive programs. We do a contract-clause review on the first call so the answer is not a guess.

How long does CMMC Level 2 readiness take?

For a contractor with no prior NIST SP 800-171 work, six to twelve months is realistic, with most of that spent on technical control implementation, evidence collection, and policy production. Contractors already running aligned controls can compress to three to six months. We will not promise twelve weeks for a from-scratch L2 program. The C3PAO will see through it and your prime will too.

Are you a C3PAO? Can you give us our certification?

No. CMMC certification (the third-party assessment that issues the certificate) must be performed by a Certified Third-Party Assessment Organization, and the rule prohibits the same organization from doing both readiness work and the assessment for the same client. Petronella Technology Group is a Registered Provider Organization (RPO #1449), which is the role designed for the readiness, gap-assessment, SSP authoring, and remediation work that gets you to assessment-ready. We hand off to your chosen C3PAO when the program is ready.

What is the difference between SPRS, NIST 800-171, and CMMC?

NIST SP 800-171 is the security control standard. SPRS (Supplier Performance Risk System) is the DoD database where you post a numeric score representing your implementation level against those controls. CMMC is the certification framework that requires an independent third party to verify the score for Level 2 and the government to verify it for Level 3. Same controls, three different audiences for the answer.

What happens to my SPRS score if I am not fully implemented?

Each unimplemented control deducts points (1, 3, or 5 depending on weight) from a starting score of 110. Negative scores are common for contractors with no prior 800-171 work. The honest SPRS score plus a credible POAM with realistic milestone dates is a far better answer than an inflated 110 that cannot survive a pre-award review. Contracting officers and primes have learned to read the difference.
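The score arithmetic above, and the "triage by SPRS impact" approach from the DCMA scenario earlier on this page, as an added example (not the firm's own tooling): each open requirement deducts its 1/3/5 weight from 110, the two partial-credit cases deduct 3 instead of 5, the floor is -203, and open POAM items are ranked by points recovered per day of effort. The control IDs are real NIST SP 800-171 Rev 2 identifiers, but the weights and effort estimates attached to them are constructed for this example and must be checked against the DoD Assessment Methodology before use.

```python
"""SPRS score arithmetic and POAM triage (added example, not production tooling).

Scoring rule as described on the page: start at 110, deduct 1, 3 or 5 points
per unimplemented NIST SP 800-171 Rev 2 requirement. Requirements not listed
in an assessment record are treated as implemented.
"""
from dataclasses import dataclass

MAX_SCORE = 110    # every requirement implemented
MIN_SCORE = -203   # floor when every requirement is open at full weight


@dataclass
class Requirement:
    control_id: str         # NIST SP 800-171 Rev 2 identifier
    weight: int             # 1, 3 or 5 (constructed here; verify against the methodology)
    implemented: bool
    partial: bool = False   # partial-credit case: a 5-point control deducts 3 instead
    effort_days: int = 0    # constructed remediation estimate used for triage


def deduction(req: Requirement) -> int:
    """Points this requirement currently costs the score."""
    if req.implemented:
        return 0
    if req.partial and req.weight == 5:
        return 3
    return req.weight


def sprs_score(reqs: list[Requirement]) -> int:
    """Honest score: 110 minus all deductions, never below the -203 floor."""
    return max(MAX_SCORE - sum(deduction(r) for r in reqs), MIN_SCORE)


def triage(reqs: list[Requirement]) -> list[Requirement]:
    """Open items ordered by score points recovered per day of effort (best first)."""
    open_items = [r for r in reqs if not r.implemented]
    return sorted(open_items,
                  key=lambda r: (-deduction(r) / max(r.effort_days, 1), r.control_id))


# Constructed assessment record for a small Tier 3 supplier (sample data, not a client).
SAMPLE = [
    Requirement("3.1.1", 5, True),                                   # access control in place
    Requirement("3.5.3", 5, False, partial=True, effort_days=10),    # MFA only partly rolled out
    Requirement("3.13.11", 5, False, effort_days=30),                # no FIPS-validated crypto
    Requirement("3.1.20", 1, False, effort_days=2),                  # external connections
    Requirement("3.3.1", 5, False, effort_days=15),                  # audit logging
    Requirement("3.1.5", 3, False, effort_days=5),                   # least privilege
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))  # 93 for the sample record
    for r in triage(SAMPLE):
        print(f"{r.control_id}: recover {deduction(r)} pts in ~{r.effort_days} days")
```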

What is the 72-hour incident reporting clock under DFARS 7012?

If you have a "cyber incident" affecting CUI, you report it to DoD via DIBNet within 72 hours of discovery. You also preserve forensic media for at least 90 days. Most contractors discover during the breach that they have no incident response runbook, no DIBNet account, and no forensic capability. Our DFARS 7012 readiness work covers all three (runbook, DIBNet enrollment, forensic playbook) before the call to DC3 ever happens. Data breach forensics.

Do you work with federal civilian contractors or only DoD?

Both. Federal civilian (GSA, DHS, DOE, NIH, EPA, USDA, NASA) work usually maps to NIST SP 800-53 control baselines plus FISMA categorization, and FedRAMP requirements when the data sits in the cloud. Many of our DIB clients also carry civilian-side awards, and we run unified compliance programs that satisfy both authorities from a single control set.

We do ITAR work. Can you support that?

Yes, with the caveat that ITAR is not the same conversation as CMMC. ITAR adds an export-control overlay (U.S.-person-only access, technical-data segregation, no offshore admin, geofencing, foreign-national authorization). We design CUI enclaves with ITAR controls baked in, and we audit existing environments for the violations most contractors do not realize they carry (offshore MSPs being the most common). We do not provide DDTC legal advice; for the registration and licensing side we coordinate with your trade-compliance counsel.

Are you in Raleigh? Do you travel to my facility?

Yes to both. Petronella Technology Group is headquartered at 5540 Centerview Dr., Suite 200, Raleigh, NC 27606. Most of the technical work runs remote with periodic on-site visits during boundary-definition, evidence-collection, and pre-assessment phases. For Fort Liberty, Camp Lejeune, Cherry Point, and Seymour Johnson supplier work, on-site is the norm. We travel for clients across the Carolinas and nationwide.

Bring us your contract clause and we will tell you what compliance really costs

Forward the DFARS clause, the flow-down notice, or the SPRS request from your prime. We will read it, scope the work honestly, and quote a CMMC readiness path that fits your timeline and budget. No marketing fluff and no inflated SPRS scores.

Petronella Technology Group · 5540 Centerview Dr., Suite 200, Raleigh, NC 27606 · CMMC RPO #1449 · BBB A+ Since 2003