One Compliance Partner Across Every Framework You Have To Pass

CMMC 2.0 at Levels 1, 2, and 3. HIPAA Privacy, Security, and Breach Notification Rules. NIST SP 800-171 and 800-171A. NIST SP 800-172 enhanced security. NIST SP 800-53 at low, moderate, and high baselines. NIST Cybersecurity Framework 2.0. PCI-DSS v4.0.1. SOC 2 Type I and Type II readiness. HITRUST CSF. FedRAMP and StateRAMP. FISMA. FERPA. GLBA. CCPA. CJIS Security Policy. ITAR. IRS-1075. The SEC cybersecurity disclosure rules.

We are a CMMC-AB Registered Provider Organization, RPO #1449, verified at cyberab.org. The technical team holds CMMC-RP across the board. Craig Petronella additionally carries CCNA, CWNE, and Digital Forensics Examiner #604180.

Yes, and most of our engagements do exactly this. Defense contractors with international customers carry CMMC and ITAR together. Healthcare technology vendors carry HIPAA and SOC 2 Type II together. Financial services firms carry GLBA, SOC 2, and increasingly PCI-DSS together. Public-company customers add the SEC cybersecurity disclosure rules.

We map the controls once across all applicable frameworks, build one evidence library through ComplianceArmor, and run one campaign that satisfies every regime. Buyers who run two frameworks typically save 30 to 50 percent versus engaging two consultancies in parallel. Three-framework programs save closer to 60 percent.

No. C3PAOs certify CMMC. Independent CPA firms attest SOC 2. HITRUST-authorized external assessors handle HITRUST. Qualified Security Assessors handle PCI-DSS. Petronella does everything up to the assessor: gap analysis, System Security Plan and POAM authoring, technical remediation, evidence collection, mock assessment, and assessor handoff. Independence between the firm that builds the program and the firm that attests to it is required under every regime we work in - and we agree with the rule.

Gap assessments run 2 to 6 weeks across most frameworks. Remediation depends heavily on starting posture. A clean Microsoft 365 tenant with conditional access and EDR already deployed might reach CMMC Level 2 readiness in 60 to 90 days. A hybrid environment with legacy on-premises systems, no centralized logging, and inconsistent endpoint coverage can run 6 to 9 months. HIPAA and CCPA programs typically run 90 to 120 days from kickoff to attestation-ready. SOC 2 Type II includes a 6 to 12 month observation window after readiness, which is not negotiable - the framework requires the controls to operate for that long before the auditor can attest.

ComplianceArmor is Petronella's evidence-collection platform built around the frameworks our clients actually live in. It pulls continuous telemetry from Microsoft 365, Entra ID, your EDR, your patch-management system, your backup verification, and your identity provider, then maps each artifact to every framework control it satisfies. Generic GRC tools optimize for the questionnaire response cycle. ComplianceArmor optimizes for the evidence cycle - the part of compliance work that actually proves the control operates.

When the assessor walks in, the evidence library is already populated, dated, tagged to multiple frameworks, and ready to download. Audit prep becomes a review meeting, not a six-week scramble.

Pricing is engagement-specific and depends on framework count, scope size, current posture, environment complexity, and how much technical remediation the work requires. Gap assessment, SSP and POAM authoring, technical remediation, evidence library buildout, and mock assessment are scoped per environment. We do not publish fixed prices because the same framework can vary by an order of magnitude depending on starting point - a clean Microsoft 365 tenant is a different project than a multi-site hybrid environment with legacy systems.

Book a discovery call or call (919) 348-4912. The discovery is free and produces a written scope and quote within five business days.

NIST SP 800-171 is the technical control catalogue. CMMC Level 2 is the assessment framework that confirms a contractor has implemented those 110 controls. Both terms describe the same set of security requirements - NIST 800-171 is the regulation; CMMC is the audit mechanism the Department of Defense uses to verify compliance. DFARS clause 252.204-7012 is the contractual hook that brings both into a defense contract.

CMMC Level 1 covers a narrower seventeen-control set focused on Federal Contract Information, not CUI. CMMC Level 3 adds twenty-four enhanced security requirements from NIST 800-172 on top of the 110 base controls.

It depends on the data class. For most CMMC Level 2 environments, GCC High is the path that resolves the data-residency and FedRAMP-equivalence concerns - the commercial Microsoft 365 tenant does not meet the FedRAMP Moderate baseline that NIST 800-171 effectively requires for CUI processing. For CMMC Level 1 and FCI-only environments, the commercial tenant can be in scope with the right configuration. The decision affects everything downstream - licensing, identity architecture, third-party integrations, and the boundary diagram. We make the recommendation during Stage 01 gap analysis after looking at the actual data flow.

Petronella Technology Group is headquartered in Raleigh, NC, at 5540 Centerview Dr., Suite 200, but our compliance engagements run nationally. Most of the work is done remotely - SSP authoring, gap analysis, evidence collection through ComplianceArmor, policy review, and mock assessment are all delivered over secure collaboration channels. We send engineers on-site for assessor visits, tabletop exercises, and the initial boundary walk when the engagement warrants. Most clients see us in person two to six times across a six-month engagement.

The work shifts from build to sustain. Stage 03 of our methodology - Maintain - covers quarterly control review, continuous evidence collection, annual SSP and POAM refresh, vulnerability scanning, incident response readiness, and assessor liaison at the reassessment window. CMMC reassesses on a three-year cycle. SOC 2 Type II reassesses annually. HIPAA expects continuous reaffirmation through annual risk analysis. The evidence library you built in Stage 02 is the artifact that survives staff turnover, vendor changes, and platform migrations. Skipping the maintenance phase is how programs decay between audits.