CMMC Compliance in Warner Robins, GA
CMMC Level 1, Level 2, and Level 3 readiness for the Warner Robins Air Logistics Complex supplier ecosystem. Gap assessment, remediation, SSP authoring, SPRS submission, and C3PAO audit preparation delivered by Petronella Technology Group's CMMC-RP team.
The Warner Robins Air Logistics Complex Ecosystem
Robins Air Force Base in Warner Robins, Houston County, Georgia is home to the Warner Robins Air Logistics Complex, one of three United States Air Force Air Logistics Complexes alongside Hill AFB in Utah and Tinker AFB in Oklahoma. The complex performs depot-level maintenance, repair, and overhaul, and runs supply-chain management for many of the Air Force's most strategic airframes. The depot work routinely flows Controlled Unclassified Information, including engineering drawings, parts specifications, and technical orders, down to the surrounding Middle Georgia supplier base.
Airframes Supported at WR-ALC
The Warner Robins Air Logistics Complex performs depot maintenance and supply-chain management for the F-15 Eagle, the C-17 Globemaster III, the C-5M Super Galaxy, the C-130 Hercules family, and the U-2 Dragon Lady. Each platform pulls a different shape of CUI into the supplier base, from precision-machined parts to avionics modules and software sustainment artifacts.
78th Air Base Wing and AFRC Headquarters
Robins also hosts the 78th Air Base Wing, the installation host unit, and the headquarters of Air Force Reserve Command. Civilian and contractor support roles span depot ops, base operating support, IT modernization, simulator sustainment, and engineering services. Contractor flows from these tenants drive CMMC scope for vendors across Houston County, Bibb County, and the broader Middle Georgia region.
Single-Site Industrial Scale
Robins Air Force Base is the largest single-site industrial complex in the state of Georgia. The installation supports tens of thousands of jobs across Air Force, Air Force Reserve, civilian, and contractor roles. Public-domain figures place the total workforce at roughly 25,000 personnel, with thousands more contractor seats inside the surrounding supplier ring along Highway 247 and the I-75 corridor.
Surrounding Middle Georgia Supplier Ring
Warner Robins anchors a defense supplier cluster reaching into Macon, Perry, Centerville, Byron, and Bonaire. Machine shops, composite fabricators, avionics integrators, software contractors, and depot-support service firms in these communities receive CUI-bearing work orders downstream of Robins. Each tier must independently prove its protection of that information through CMMC certification.
CMMC 2.0 for Aerospace MRO Subs
2-minute orientation to CMMC 2.0 for depot-maintenance and aircraft-parts subcontractors in Middle Georgia.
CUI Profiles of the Five WR-ALC Sustainment Lines
The Warner Robins Air Logistics Complex performs depot maintenance, repair, overhaul, and supply-chain management for five major airframe lines plus a long tail of mission systems. Each line generates a different Controlled Unclassified Information profile for the surrounding supplier base. Understanding which CUI shape your shop receives is the starting point for scoping a defensible CMMC Level 2 boundary.
F-15 Eagle
The F-15 Eagle has been a WR-ALC depot workload for decades and continues with the F-15EX Eagle II modernization. Subs supporting Eagle sustainment receive engineering drawings, structural-repair specifications, avionics integration data, and software sustainment artifacts. Much of this technical data carries both CUI and ITAR designations. A typical Eagle-line shop pulls controlled technical orders into its CAD environment, into its CAM toolpath generation, and into the inspection records that ship back with the part. Each of those flows must be inventoried during CUI scoping before a credible SSP can be authored.
C-17 Globemaster III
The C-17 Globemaster III strategic airlifter is sustained by WR-ALC across structural, propulsion, and mission-system depth lines. Suppliers supporting the C-17 line typically handle CUI in the form of repair-station technical orders, propulsion-system overhaul specifications, cargo-system component drawings, and supply-chain management data tied to the global C-17 fleet. The international Foreign Military Sales footprint of the C-17 also pulls subs into the ITAR regime when technical data flows toward allied operators.
C-5M Super Galaxy
The C-5M Super Galaxy is the heavy strategic airlifter sustained by WR-ALC depot programming. Sub-tier suppliers handle controlled drawings for the unique large-cargo airframe structures, the upgraded propulsion plant, and the avionics modernization that produced the C-5M variant from the legacy C-5A and C-5B fleet. The combination of size and age makes parts manufacturing and structural repair an outsized portion of the Super Galaxy supplier flow.
C-130 Hercules Family
The C-130 Hercules family, including the C-130J Super Hercules and the legacy C-130H variants, is the broadest sustainment portfolio at WR-ALC by sub count. The Hercules ecosystem touches structural overhaul shops, propeller and engine sustainment subs, avionics and mission-system integrators, and the long tail of special-mission variant suppliers, including AC-130 gunship, EC-130 electronic-warfare, HC-130 personnel-recovery, and MC-130 special-operations support. Each variant inherits a distinct CUI scoping footprint.
U-2 Dragon Lady
The U-2 Dragon Lady high-altitude reconnaissance aircraft is sustained by WR-ALC depot work alongside its Lockheed Martin programmatic home. Subs supporting Dragon Lady sustainment typically handle highly sensitive sensor, mission-system, and platform technical data. This line tends to push contractors toward CMMC Level 3 obligations under NIST SP 800-172 because of the strategic intelligence value of the data flowing through the supplier base.
Mission Systems and the Long Tail
Beyond the airframe lines, WR-ALC sustains avionics, electronic warfare, software, cyber, and special-mission systems that ride across multiple platforms. The long-tail sub base supplying these mission systems is often the most overlooked piece of the WR-ALC supplier ring. Software sustainment contractors, embedded-systems firms, and small specialty shops in Macon, Perry, and Centerville frequently underestimate their CUI exposure until a prime asks for an SPRS score and a Level 2 commitment.
ITAR for Aircraft Parts Manufacturers Around Robins
The International Traffic in Arms Regulations governs the export of defense articles and defense services covered by the United States Munitions List. For Warner Robins aircraft parts manufacturers, ITAR sits next to CMMC, not on top of it. ITAR is administered by the State Department's Directorate of Defense Trade Controls. CMMC is a Department of Defense regime under 32 CFR Part 170. They are separate regulators with separate registrations and separate enforcement, but they overlap heavily in the technical controls a shop must run on the same engineering drawing.
What ITAR Requires
- Registration with the Directorate of Defense Trade Controls for any United States entity that manufactures or exports defense articles.
- An empowered official accountable for ITAR compliance, with documented policies covering technical data control, foreign-person access, and the deemed-export rule.
- Recordkeeping for at least five years on every transaction involving USML-controlled articles or technical data.
- Authorized exports moved under license, exemption, or one of the limited reuse mechanisms that ITAR allows.
Where ITAR and CMMC Overlap
- Encryption: CUI in transit and at rest must be FIPS 140 validated under CMMC, which is also the practical baseline for ITAR technical data.
- Identity and access: only United States persons authorized to receive ITAR technical data, mapped to the same role-based access that CMMC AC family requires.
- Media protection: physical drawings, prints, and removable media controlled under both regimes with the same media protection policy.
- Recordkeeping: ITAR five-year transaction history blends cleanly into the CMMC audit and accountability family if it is designed that way from the start.
Petronella Technology Group has built CMMC programs that satisfy ITAR side-by-side in the same control fabric. We are not an ITAR registered law firm and we do not file your DDTC registration. We do build the technical and documentation infrastructure that an ITAR-registered shop needs to operate the controls every audit, whether ITAR or CMMC, will look for.
DFARS 252.204-7012 and NIST 800-171 for Depot and MRO Subs
Every Warner Robins-area contractor handling Covered Defense Information already operates under DFARS clause 252.204-7012, which has been in effect since 2017. The CMMC Program Rule under 32 CFR Part 170 now layers third-party C3PAO assessment on top of that obligation through the DFARS 252.204-7021 clause. Depot maintenance contractors and MRO subcontractors should treat 7012 and CMMC as one continuous compliance program rather than two separate workstreams.
What 252.204-7012 Already Requires
- Implement the 110 security requirements of NIST SP 800-171 Rev. 2 across every covered contractor information system that touches CUI.
- Report cyber incidents that affect Covered Defense Information to DoD via DIBNet within 72 hours of discovery.
- Preserve and protect forensic images of any affected systems for at least 90 days for Air Force and DoD review.
- Flow the protection clause and reporting obligations down to every subcontractor that also touches the same CUI.
What CMMC Adds for WR-ALC Suppliers
- Third-party C3PAO certification of all 110 NIST 800-171 practices for Level 2 contractors that handle CUI in any form.
- Annual affirmation of continued compliance signed by a senior official, with criminal liability under the False Claims Act.
- SPRS score posting in the DoD Supplier Performance Risk System, scoring from minus 203 to positive 110 against the 800-171 baseline.
- Level 3 obligation adds 24 enhanced practices from NIST SP 800-172 for contractors supporting DoD's most sensitive sustainment programs.
Many Robins-area depot and parts subs also operate under ITAR obligations because the engineering drawings supporting F-15, C-5, C-17, C-130, and U-2 components are export-controlled. ITAR registration with the Directorate of Defense Trade Controls and CMMC certification are separate regimes, but they overlap heavily in technical controls. For the full multi-framework view, see our flagship CMMC compliance pillar.
CMMC Level 2 Readiness for Robins-Area Subs
Most Warner Robins suppliers handling CUI need CMMC Level 2 certification. Petronella Technology Group runs a four-phase engagement built around fixed-fee statements of work after the free initial assessment. Quotes are custom-scoped to the size of the CUI workforce, the maturity of the existing IT environment, and the boundary-reduction strategy. We do not publish per-month catalog rates because no two depot or MRO environments look the same.
Phase 1: Gap Assessment and CUI Scoping
From $7,500 for a comprehensive 110-control gap assessment, CUI scoping workshop, asset inventory, and prioritized remediation roadmap. Most Robins-area shops close Phase 1 in 4 to 6 weeks. The deliverables include an SSP outline, an initial POA&M with owner and milestone assignments, and a SPRS pre-score so leadership knows the starting position before remediation spend begins.
Phase 2: Remediation and Documentation
From $35,000 to $150,000 depending on workforce in scope and depth of technical remediation. This phase covers SSP authoring, the full 14-family policy set, procedure documents, MFA rollout, logging and SIEM integration, encryption posture, vulnerability management, and a CUI-segmented identity and file infrastructure. Typical Warner Robins engagements run 4 to 9 months.
Phase 3: Mock C3PAO Audit
From $12,500 for a full mock assessment mirroring the C3PAO scoring rubric. Our CMMC-RP practitioners walk every control, score each as Met, Not Met, or Partial, and stand up a remediation sprint for any gaps. Robins-area clients typically schedule mock audits 60 to 90 days ahead of the formal C3PAO engagement so there is room to close findings before the real assessment.
Phase 4: Ongoing Maintenance and Annual Affirmation
Custom-scoped retainer for continuous control monitoring, evidence refresh, POA&M updates, and annual affirmation support. CMMC certification is triennial, but the practices need to operate continuously. Your annual affirmation is signed under criminal penalty for false statements, and the maintenance scope is what keeps the underlying body of evidence aligned with the SSP through the three-year cycle.
All four phases are fixed-fee statements of work, scoped after the free initial assessment. There is no open meter and no per-seat hidden math. Call (919) 348-4912 or schedule a free CMMC readiness call to scope your Warner Robins engagement.
The Software Layer That Accelerates Your Warner Robins Engagement
Petronella Technology Group runs every Warner Robins CMMC engagement on top of ComplianceArmor, our compliance documentation and evidence platform. ComplianceArmor is the tool that accelerates the consulting engagement. It is not a replacement for the CMMC-RP practitioner, the SSP, the C3PAO audit, or the human accountability behind every signed artifact. It is the software layer that takes the highest-leverage work, policy generation, control mapping, evidence collection, and audit-trail authoring, and compresses the time-to-deliverable so the consulting hours focus on the judgment calls a Robins-area depot or MRO contractor actually needs.
Policy and SSP Acceleration
ComplianceArmor generates the 14-family policy set and the SSP outline from a guided intake of your CUI environment. Our CMMC-RP practitioner then edits, redlines, and finalizes the artifacts. The starting position is no longer a blank Word document; it is a complete first draft tuned to the depot and MRO supplier patterns. From $497 fixed monthly software subscription, scoped during the engagement intake.
Control Mapping and Cross-Framework Reuse
ComplianceArmor maps the 110 NIST 800-171 controls to your existing ITAR, AS9100, ISO 9001, and NIST CSF programs so duplicate controls are inherited rather than rebuilt. For a typical Warner Robins parts manufacturer running ITAR and AS9100 already, the cross-framework reuse meaningfully reduces the Phase 2 remediation footprint and the documentation lift.
Evidence Repository and Audit Trail
ComplianceArmor tags every artifact, screenshot, log excerpt, configuration export, and training record to the control it evidences. The C3PAO assessor receives an evidence map with each artifact pre-linked to its 800-171 control. This is what cuts mock-audit findings in half on the second pass and what makes the formal C3PAO engagement run on time rather than into a remediation extension.
SPRS and Affirmation Workflow
ComplianceArmor computes your SPRS score against the published DoD scoring rubric, generates the evidence package that justifies each scored control, and produces the annual affirmation packet your senior official signs each year. The workflow is what keeps the triennial certification cycle aligned through every interim affirmation and every POA&M closure.
ComplianceArmor is bundled with every Warner Robins Level 2 engagement as the software backbone. From $497 fixed monthly software subscription. See the full ComplianceArmor platform overview for framework coverage and integration detail.
Level 1, Level 2, and Level 3 Support
Petronella Technology Group consults across all three CMMC levels. Level 1 covers 17 practices for contractors handling only Federal Contract Information, with annual self-assessment. Level 2 is the 110-control NIST 800-171 baseline for CUI handlers, with triennial C3PAO certification. Level 3 adds 24 enhanced practices from NIST SP 800-172 for contractors supporting DoD's most sensitive sustainment programs.
Level 1 (17 practices)
For Robins-area suppliers handling only Federal Contract Information. Annual self-assessment with SPRS submission. Good fit for smaller Middle Georgia vendors with limited DoD CUI exposure, such as office supply, janitorial, and non-technical base-operating-support contractors.
Level 2 (110 controls)
For contractors handling CUI. Triennial C3PAO certification with SSP, POA&M, and the full NIST 800-171 body of evidence. The default path for the majority of WR-ALC supply-chain subs, depot-maintenance contractors, and parts manufacturers receiving technical orders.
Level 3 (134 controls)
For contractors supporting DoD's Advanced Persistent Threat defense and the most sensitive sustainment programs. Adds 24 enhanced controls from NIST SP 800-172, including organization-wide threat hunting, supply-chain risk management, and defense-in-depth architecture requirements.
Not Sure Which Level?
The DoD contract specifies the required level. If you are not sure, we read the solicitation with you during the free initial assessment, map it to the exact CMMC level and scope you must carry, and document the rationale for your records.
Our MRO and Depot-Supply-Chain Angle
Petronella Technology Group is a Raleigh, North Carolina based managed service and security firm founded in 2002. We are a Cyber AB Registered Provider Organization, RPO #1449, verified at cyberab.org, with every consultant carrying the CMMC Registered Practitioner credential. Our practice has a structural advantage for the Warner Robins depot and MRO supplier base for three reasons that matter to engineering firms shipping work into a CUI environment.
Private AI Infrastructure Inside the Boundary
- We operate a private enterprise AI cluster used to accelerate policy authoring, evidence tagging, and control mapping without sending CUI to public model providers.
- The data-sovereignty posture aligns directly with CMMC, DFARS 7012, and ITAR. CUI never leaves the controlled boundary for AI assistance.
- The result is a meaningful reduction in SSP and policy authoring time per engagement, while keeping the human CMMC-RP practitioner accountable for every artifact.
Engineering Firms ICP
- Engineering firms are a priority industry vertical for Petronella Technology Group. MRO contractors, aerospace machine shops, composites fabricators, and avionics integrators all fit this profile cleanly.
- We understand the difference between bench drawings flagged CUI under DFARS and the same drawings flagged technical data under ITAR, and we run the controls so both regimes are satisfied in one program.
- Our practice has built CMMC enclaves alongside ISO 9001, AS9100, NIST 800-171, and ITAR programs without forcing teams to maintain four duplicate control sets.
- See our engineering firms practice for the full vertical view of how we deliver into MRO and parts-manufacturing environments.
Warner Robins Engagement Model: Remote First, Planned Onsite
Petronella Technology Group is headquartered at 5540 Centerview Dr., Suite 200, Raleigh, NC 27606. Warner Robins is approximately a seven-hour drive south from our Raleigh office. We do not maintain a Middle Georgia branch and we will never claim otherwise. We run a remote-first delivery model from Raleigh with planned onsite trips for the engagement phases that genuinely require boots on the floor at Robins.
Onsite at Robins and Middle Georgia
- CUI boundary walk through the facility with IT, program-management, and operations stakeholders in the same room.
- Physical-security control inspection: media protection, visitor logs, video, badge access, and bay-by-bay segmentation for shops servicing F-15, C-17, C-5, C-130, and U-2 parts.
- Workforce awareness training delivered onsite for the in-scope team, with role-specific modules for engineers, machinists, and program managers.
- Incident response tabletop exercises run in person with the leadership team prior to the C3PAO engagement.
Remote from Raleigh HQ
- SSP, POA&M, and 14-family policy authoring with weekly review cadence over secure conferencing.
- Microsoft 365 GCC High and Azure Government landing-zone build, executed remotely with admin access.
- Evidence collection and artifact tagging into a shared, access-controlled repository that lives inside your boundary, not ours.
- Daily standup channel access for the Warner Robins program team during active remediation phases.
The travel cadence is built into every fixed-fee statement of work, including the per-trip travel and per-diem coverage. There are no surprise pass-through expenses. Onsite phases typically land at Phase 1 kickoff, midway through Phase 2 remediation, and again for the Phase 3 mock C3PAO audit.
A Typical Warner Robins Path to Level 2 Certification
Most Robins-area contractors arrive at Petronella Technology Group after a prime asks for proof of CMMC Level 2 readiness by a specific contract milestone. Here is the sequence we run, compressed to fit a typical 9-month award timeline. Contractors that already operate a mature ITAR or NIST CSF program can usually compress this further to 6 to 9 months.
CUI scoping workshop and asset inventory
110-control gap assessment with evidence plan
SSP v1.0 and POA&M aligned to NIST 800-171A
Technical remediation: MFA, logging, encryption, segmentation
Policy rollout, workforce training, tabletop exercises
SPRS score submission and mock C3PAO audit
Remediation of mock findings, evidence package sign-off
C3PAO assessment, issue resolution, certification award
Serving Warner Robins and the Middle Georgia Defense Cluster
Our Middle Georgia footprint reaches the communities that ring Robins Air Force Base and feed depot, supply-chain, and engineering work into the WR-ALC enterprise.
Cybersecurity Around the CMMC Boundary
CMMC certification is the gate, not the finish line. Most Robins-area contractors want the same Petronella Technology Group team running ongoing security operations so the controls keep operating year-round and through the triennial recertification.
Cybersecurity Services
Managed detection and response, security operations support, and continuous monitoring tuned to the CMMC controls your contract flows down. Our SOC partnerships keep the alerts mapped to the 14 control families.
CMMC Practice Overview
The broader CMMC practice page covers all three levels, the C3PAO assessment methodology, and the Petronella Technology Group delivery model end to end across our North Carolina home base and the regional defense supplier markets we serve.
Flagship CMMC Compliance Pillar
The flagship CMMC pillar walks through the program rule, the 32 CFR Part 170 framework, the 14 control families, and the SPRS scoring rubric in depth. A useful primer for engineering leaders who want to brief their board before approving a Level 2 engagement.
Engineering Firms Practice
The engineering firms practice page covers MRO contractors, aerospace machine shops, composites fabricators, and avionics integrators. It explains how Petronella Technology Group runs CMMC alongside ITAR, AS9100, and ISO 9001 without duplicate control sets.
Frequently Asked Questions
Does Petronella Technology Group work with WR-ALC depot supply-chain subs?
Yes. The Warner Robins Air Logistics Complex flows CUI down through a deep supplier ring across Houston County and Middle Georgia. Petronella Technology Group runs CMMC Level 1, Level 2, and Level 3 engagements for depot-maintenance subs, parts manufacturers, avionics integrators, software sustainment contractors, and engineering services firms supporting the F-15, C-17, C-5, C-130, and U-2 sustainment programs at WR-ALC.
How does CMMC interact with ITAR for aircraft parts manufacturers?
CMMC and ITAR are separate regimes that overlap heavily in technical controls. CMMC governs the protection of CUI under DFARS 252.204-7012, with C3PAO third-party assessment under 32 CFR Part 170. ITAR governs export of defense articles and technical data under the United States Munitions List, administered by the Directorate of Defense Trade Controls. A typical Robins-area parts shop will run both programs in parallel because the same engineering drawings can be flagged CUI under DFARS and technical data under ITAR. Our practice builds the CMMC body of evidence in a way that satisfies both regimes without duplicating the underlying controls.
What CMMC level does a typical Warner Robins MRO sub need?
The DoD contract specifies the required level. A typical depot-maintenance sub or parts manufacturer handling controlled technical data falls under CMMC Level 2 with 110 NIST 800-171 controls and C3PAO certification. Smaller suppliers that only touch Federal Contract Information may qualify for Level 1 self-assessment. Contractors supporting the most sensitive sustainment programs may carry Level 3 obligations with the 24 enhanced practices from NIST SP 800-172.
What is a realistic CMMC Level 2 timeline for a Robins-area manufacturer?
Most Warner Robins manufacturers without an existing 800-171 program need 12 to 18 months from gap assessment to a clean C3PAO Level 2 assessment. Contractors who already operate a mature ITAR or NIST CSF program can compress that to 6 to 9 months. The most common delay we see is internal CUI boundary disputes; identifying who actually touches CUI inside a depot or MRO shop is harder than it sounds, especially when engineering drawings flow into the same shared drives as commercial parts work.
Are you onsite at Robins or remote?
Both. Petronella Technology Group runs a remote-first model from our Raleigh, North Carolina headquarters with planned onsite trips for the engagement phases that require it. The roughly seven-hour drive south is built into every fixed-fee statement of work. Onsite phases typically land at Phase 1 kickoff, midway through Phase 2 remediation, and again for the Phase 3 mock C3PAO audit. We do not maintain a Middle Georgia branch office and we will never claim otherwise.
How is Petronella Technology Group qualified to deliver CMMC?
We are a Cyber AB Registered Provider Organization, RPO #1449, verified on the public Cyber AB marketplace at cyberab.org. Every consultant on the team holds the CMMC Registered Practitioner (CMMC-RP) credential. Founder Craig Petronella holds CMMC-RP, CCNA, CWNE, Digital Forensics Examiner #604180, and is MIT-Certified in AI and Blockchain. The firm has been BBB A+ accredited since 2003 and was founded in 2002 as a Raleigh-based managed service and security firm.
What does CMMC compliance cost a Warner Robins contractor?
From $7,500 for the Phase 1 gap assessment, from $35,000 to $150,000 for Phase 2 remediation depending on workforce size and scope, from $12,500 for the Phase 3 mock C3PAO audit, and a custom-scoped retainer for Phase 4 ongoing maintenance and annual affirmation. Every Robins-area engagement is custom-scoped after the free initial assessment. We do not publish per-month catalog rates because no two CUI environments at the depot or MRO level look the same.
Can you help with the SPRS score submission?
Yes. Every Warner Robins engagement includes calculation of your Supplier Performance Risk System score against the 110 NIST 800-171 practices, using the DoD published scoring rubric. The score ranges from minus 203 to positive 110. We coach your designated official through the SPRS submission and provide the underlying evidence package supporting each scored control. The evidence map is what the C3PAO uses on assessment day, so the SPRS score and the audit posture are aligned by design.
Do you support CMMC Level 3 for the most sensitive Robins sustainment programs?
Yes. Level 3 adds 24 enhanced practices from NIST SP 800-172 on top of the 110 Level 2 controls. The enhanced practices target Advanced Persistent Threat resilience and include organization-wide threat hunting, supply-chain risk management, and defense-in-depth architecture. Petronella Technology Group consults on all three CMMC levels for contractors supporting Air Force Reserve Command, WR-ALC depot sustainment, and the most sensitive aircraft modernization programs at Robins.
Does ComplianceArmor replace the CMMC-RP consultant?
No. ComplianceArmor is the software backbone that accelerates the engagement. It generates the SSP scaffolding, maps controls across frameworks, holds the evidence repository, and runs the SPRS and affirmation workflow. The CMMC-RP practitioner at Petronella Technology Group still owns the judgment calls, the redlines, the scope decisions, the C3PAO readiness sign-off, and the human accountability behind every artifact. From $497 fixed monthly software subscription, bundled into the Warner Robins engagement scope.
How do you handle ITAR and CMMC together for a Robins aircraft parts shop?
We build the technical infrastructure and documentation set in a single control fabric that satisfies both regimes. Encryption, identity and access, media protection, recordkeeping, and audit trails are mapped to both NIST 800-171 and the practical ITAR control expectations at the same time. We are not an ITAR registered law firm and we do not file your DDTC registration. We do build the technical environment and the documentation packet your ITAR-registered shop needs to operate the controls.
How does your private AI infrastructure differ from a commercial AI consulting tool?
Petronella Technology Group operates a private enterprise AI cluster used inside the CUI boundary to accelerate policy authoring, evidence tagging, and control mapping. CUI never leaves the controlled boundary for AI assistance. This sits in contrast to commercial AI tools that send the input to a public model provider, which is incompatible with DFARS 252.204-7012, with ITAR technical data control, and with CMMC boundary scoping. The data-sovereignty posture is what makes private infrastructure a fit for the WR-ALC supplier base.
SPRS Scoring for Warner Robins Suppliers in Detail
The DoD Supplier Performance Risk System holds the assessment score that every CMMC contractor posts against the 110 NIST SP 800-171 practices. The published rubric assigns a starting score of 110, then subtracts points for any control that is not fully implemented. The score ranges from minus 203 at the floor to positive 110 at the ceiling. Warner Robins suppliers come to the SPRS process with very different starting positions, and the gap assessment is where we identify each subtraction line item and map it to a closure plan.
How SPRS Subtractions Work
- Each NIST 800-171 control carries a point weight of 1, 3, or 5 depending on the assessed risk to Controlled Unclassified Information.
- A control with a partial implementation is scored according to the DoD assessment guide; some allow partial credit, others are binary.
- The score is posted with cryptographic validation in SPRS by your designated official, against your CAGE codes.
- The score is visible to contracting officers across DoD and is used to inform contract award decisions, especially in competitive sustainment work.
Typical Robins Starting Scores
- A shop with no formal program typically sees an SPRS pre-score below zero, often in the negative-50 to negative-100 range, when honestly assessed.
- A shop already running an ITAR or AS9100 program typically sees a positive starting score, frequently in the 30 to 60 range, because of inherited controls.
- The end-state target for any Level 2 contractor is positive 110, which represents full implementation of every 800-171 control.
- The closure plan from the gap assessment is what bridges the starting score to the 110 ceiling, by control, by owner, by milestone.
Why Warner Robins Subs Choose Petronella Technology Group
CMMC is a long engagement. Choosing a delivery partner is not a single transaction; it is a multi-year working relationship that has to survive remediation, mock audits, formal C3PAO assessment, annual affirmations, and the triennial recertification cycle. Warner Robins suppliers tell us they choose Petronella Technology Group for four reasons, and we put them on the page because they will stay true through the life of the engagement.
Practitioner Credentials
- Cyber AB Registered Provider Organization, RPO #1449, verified at cyberab.org on the public marketplace.
- Every consultant on the team holds the CMMC Registered Practitioner (CMMC-RP) credential issued through the Cyber AB.
- Craig Petronella holds CMMC-RP, CCNA, CWNE, and Digital Forensics Examiner #604180 from the National Computer Forensics Institute.
- Craig is also MIT-Certified in Artificial Intelligence and in Blockchain, which informs how we use AI inside the CUI boundary.
- BBB A+ accredited since 2003, founded 2002 as a Raleigh-based managed service and security firm.
Engagement Approach
- Fixed-scope, fixed-fee statements of work after the free initial assessment. No open meters, no surprise pass-throughs.
- Written deliverables that your engineering team can edit. The SSP is a Word document, not a slide deck.
- Transition plan that trains your staff to maintain the body of evidence after certification, so the program does not rot between recertifications.
- Referral to an independent C3PAO when you are ready for the formal assessment. We do not self-assess what we build; assessor independence matters.
- Cross-framework reuse with ITAR, AS9100, ISO 9001, and NIST CSF so a parts manufacturer already running adjacent regimes does not pay twice for the same control.
Explore More
What to Bring to the Free Readiness Call
The free CMMC readiness call is most useful when both sides come prepared. We use the conversation to scope the engagement, anchor the Phase 1 statement of work, and identify the first decisions a Warner Robins or Middle Georgia contractor needs to make before remediation spend begins.
The Contract Language
Bring the contract clause that triggered the CMMC requirement, the DFARS 252.204-7012 flowdown text, and the DFARS 252.204-7021 CMMC clause if it has been added to your solicitation. The exact language tells us the required level and the assessment deadline.
The Existing Programs
If you already operate an ITAR program, an AS9100 quality system, an ISO 9001 quality system, or a NIST CSF program, bring the policy index. Inherited controls reduce the Phase 2 remediation footprint, sometimes substantially for a Robins-area MRO contractor.
The Workforce Picture
Bring a rough head count of the team that touches CUI in your environment, and a rough head count of the broader workforce. The ratio is the single biggest variable in scoping the Phase 2 budget and in deciding whether an enclave makes sense for your specific shop.
The IT Stack Sketch
Bring a one-page sketch of your current IT stack. Are you on commercial Microsoft 365, on Google Workspace, or already on Microsoft 365 GCC High? Is the file server on-premises, in Azure, or in a hybrid model? Knowing this in advance is what lets us scope realistic Phase 2 numbers on the first call.
Start Your Warner Robins CMMC Journey
Schedule a free CMMC readiness call for your Warner Robins or Middle Georgia organization. Our CMMC-RP certified team guides depot and MRO suppliers from gap analysis through C3PAO certification.