CMMC Managed IT Services for Defense Contractors
Managed IT infrastructure engineered to meet Cybersecurity Maturity Model Certification (CMMC) requirements. Petronella Technology Group is a CMMC Registered Provider Organization (RPO) that builds, manages, and maintains compliant IT environments so defense contractors can win and retain DoD contracts.
What Is CMMC and Why Must Your IT Infrastructure Meet Its Requirements?
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for verifying that defense contractors implement adequate cybersecurity practices to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC 2.0, finalized as 32 CFR Part 170 in October 2024, establishes three levels of certification that align with the sensitivity of information a contractor handles.
Unlike the self-attestation model of DFARS 252.204-7012 (and the self-reported SPRS score introduced by DFARS 252.204-7019 and 7020), CMMC requires a third-party assessment for most contractors handling CUI at Level 2 and a government-led assessment at Level 3. This means your IT environment will be inspected by a Certified Third-Party Assessment Organization (C3PAO) that verifies your implementation of all 110 security requirements in NIST SP 800-171 Revision 2, the version that 32 CFR Part 170 incorporates. Contractors that fail assessment cannot be awarded new DoD contracts, or option periods on existing ones, that carry a CMMC Level 2 requirement.
The financial stakes are substantial. The defense industrial base (DIB) represents over $400 billion in annual contract spending. Contractors that cannot demonstrate CMMC compliance will lose access to this market entirely. For small and mid-size manufacturers, machine shops, engineering firms, and professional services companies in the DoD supply chain, CMMC compliance is an existential business requirement, and it starts with your IT infrastructure.
Critical distinction: CMMC is not just a cybersecurity certification. It is a contract eligibility requirement. Starting with the phased rollout in 2025, DoD solicitations will include CMMC level requirements. Without the required certification level, your company cannot compete for those contracts. A CMMC-aligned managed IT provider is the fastest path to achieving and maintaining the required certification level.
Level 1 Foundational
15 basic safeguarding requirements from FAR 52.204-21 protecting Federal Contract Information (FCI). Annual self-assessment, with the result entered in SPRS and affirmed each year by a senior company official. Required for any contractor handling FCI. Covers basic controls such as access control, identification and authentication, physical protection, system and communications protection, and system and information integrity.
Level 2 Advanced
110 practices from NIST SP 800-171 Rev 2 protecting Controlled Unclassified Information (CUI). Requires a C3PAO assessment for the contracts the DoD designates as needing one; self-assessment is permitted only where the solicitation says so, and both routes require a senior official's annual affirmation. This is the level most defense contractors handling CUI must achieve. Covers 14 security domains with detailed implementation requirements.
Level 3 Expert
110 NIST 800-171 practices plus 24 additional requirements from NIST SP 800-172 for enhanced protection against advanced persistent threats (APTs). Government-led assessment by DIBCAC, which presupposes a current Level 2 C3PAO certification. Required for contractors working on the most sensitive programs involving high-value CUI.
Specific Technical Controls Required for CMMC Compliant IT Infrastructure
CMMC Level 2 requires implementation of all 110 security requirements across NIST SP 800-171's 14 families. Each requirement has specific technical controls that must be implemented in your IT environment. Here are the most technically demanding domains and what they require from your managed IT infrastructure:
Access Control (AC): 22 Requirements
The largest domain in NIST 800-171. Your IT environment must limit system access to authorized users, processes, and devices (AC.L2-3.1.1). In practice this means role-based access control (RBAC) mapped to job functions, separation of duties for critical operations, session locks after a period of inactivity that you define in policy (NIST does not fix the number; 15 minutes is the usual choice and the figure most hardening benchmarks use), encrypted and monitored remote access sessions (AC.L2-3.1.12, 3.1.13), and wireless access protected by authentication and encryption (AC.L2-3.1.17), which most environments satisfy with WPA2/WPA3-Enterprise and 802.1X. Mobile devices require MDM enrollment with encryption enforcement and remote wipe. External system connections must be individually authorized and monitored, and you must be able to show the assessor the current authorized list, not just a firewall rule.
Identification and Authentication (IA): 11 Requirements
Every user, process, and device must be uniquely identified and authenticated before accessing CUI systems (IA.L2-3.5.1, 3.5.2). Multi-factor authentication is required for all local and network access to privileged accounts, and for all network access to non-privileged accounts (IA.L2-3.5.3). NIST 800-171 requires a minimum password complexity and a change of characters on new passwords (IA.L2-3.5.7) and reuse restrictions (IA.L2-3.5.8) without fixing the numbers; our baseline enforces 12+ characters with mixed case, numbers, and special characters. Replay-resistant authentication mechanisms are required for network access (IA.L2-3.5.4), and stored passwords must be cryptographically protected (IA.L2-3.5.10).
Audit and Accountability (AU): 9 Requirements
Your IT infrastructure must create, protect, and retain system audit logs sufficient to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity (AU.L2-3.3.1). We meet this with a centralized Security Information and Event Management (SIEM) system that collects logs from all CUI-processing systems, correlates events across sources (AU.L2-3.3.5), and alerts on suspicious activity. Audit records must be protected from unauthorized access, modification, and deletion (AU.L2-3.3.8), and a failure of the audit logging process must generate an alert (AU.L2-3.3.4). NIST 800-171 leaves the retention period to organizational policy; we retain logs for three years, and DFARS 252.204-7012 separately requires you to preserve images and logs of affected systems for at least 90 days after reporting a cyber incident.
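To make the alerting behaviour concrete, here is an added example (not part of the original page and not Petronella's tooling) of the two kinds of rule a SIEM enforces for this domain: a sliding-window threshold on failed logons from one source, and an unconditional alert whenever an audit log is cleared. The log lines are constructed by hand in a simplified form loosely modelled on Windows Security event IDs 4625, 4624 and 1102; the field layout, threshold, window and rule names are assumptions chosen for illustration.

```python
"""Added example: SIEM-style detection over constructed log lines.

Two rules are shown:
  * failed-logon burst: N or more failures from one source inside a sliding
    time window (the kind of correlation AU.L2-3.3.5 asks for);
  * audit log cleared: any clear-log event is alerted on unconditionally
    (protecting audit information, AU.L2-3.3.8, and alerting on audit
    process failure, AU.L2-3.3.4).

Event IDs and fields are simplified stand-ins modelled loosely on Windows
Security events 4625 (failed logon), 4624 (successful logon) and 1102
(audit log cleared). The records below are hand-written, not captured data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <event id> <source> <account>"
SAMPLE_LOGS = [
    "2025-03-04T09:00:01 4625 203.0.113.7 jsmith",
    "2025-03-04T09:00:09 4625 203.0.113.7 jsmith",
    "2025-03-04T09:00:20 4625 203.0.113.7 jsmith",
    "2025-03-04T09:00:34 4624 198.51.100.23 mrivera",  # normal successful logon
    "2025-03-04T09:00:41 4625 203.0.113.7 jsmith",
    "2025-03-04T09:00:58 4625 203.0.113.7 jsmith",     # fifth failure in under a minute
    "2025-03-04T09:01:12 4625 203.0.113.7 jsmith",     # window restarts after the alert
    "2025-03-04T09:05:00 4625 198.51.100.23 mrivera",
    "2025-03-04T09:20:00 4625 198.51.100.23 mrivera",  # three failures over 30 minutes
    "2025-03-04T09:35:00 4625 198.51.100.23 mrivera",  # never five in a window: no alert
    "2025-03-04T10:02:17 1102 WKS-017 svc-backup",      # audit log cleared
]

FAILED_LOGON = 4625
AUDIT_LOG_CLEARED = 1102


def parse_line(line):
    """Split one sample record into a dict; raises ValueError on a malformed line."""
    ts, event_id, source, account = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "source": source,
        "account": account,
    }


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alert dicts for the given log lines.

    Events are processed in timestamp order so out-of-order delivery from
    several collectors does not break the sliding window.
    """
    alerts = []
    failures = defaultdict(deque)  # source -> timestamps of recent failures
    for ev in sorted(map(parse_line, lines), key=lambda e: e["ts"]):
        if ev["event_id"] == AUDIT_LOG_CLEARED:
            # Clearing the log is never routine on a CUI system: alert every time.
            alerts.append({"rule": "audit_log_cleared", "source": ev["source"],
                           "account": ev["account"], "ts": ev["ts"]})
            continue
        if ev["event_id"] != FAILED_LOGON:
            continue
        recent = failures[ev["source"]]
        recent.append(ev["ts"])
        # Drop failures that have aged out of the window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append({"rule": "failed_logon_burst", "source": ev["source"],
                           "account": ev["account"], "count": len(recent),
                           "first": recent[0], "last": ev["ts"]})
            recent.clear()  # one alert per burst; start a fresh window
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Run as written, the sample produces two alerts: one failed-logon burst from 203.0.113.7 (five failures inside the 10-minute window) and one audit-log-cleared event from WKS-017. Lowering the threshold to 3 shows the window restarting after each alert, and the 198.51.100.23 failures never fire because each is 15 minutes from the last. In a real deployment the same logic runs as a SIEM correlation rule rather than a script; the point is that both the threshold and the window are parameters you must write down in policy, because an assessor will ask what "suspicious" means.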
System and Communications Protection (SC): 16 Requirements
Wherever cryptography is used to protect the confidentiality of CUI it must be FIPS-validated (SC.L2-3.13.11), which means cryptographic modules that appear on NIST's CMVP validated list and are running in their FIPS-approved mode, not merely "FIPS-compliant" algorithms. This applies to CUI at rest (SC.L2-3.13.16) and in transit (SC.L2-3.13.8); in practice that is TLS 1.2 or higher with FIPS-approved cipher suites, and IPsec or TLS VPNs built on validated modules. Publicly accessible components must sit in their own subnetwork (SC.L2-3.13.5), and segmenting CUI-processing systems from the general business network, while not a requirement in itself, is what keeps the assessment boundary small. Boundary protection devices (firewalls, intrusion detection systems) must monitor and control communications at external and key internal boundaries (SC.L2-3.13.1). DNS filtering, email gateway security, and web content filtering add additional communication protection layers. Managed detection and response provides the continuous monitoring these requirements demand.
Configuration Management (CM): 9 Requirements
Baseline configurations must be established, documented, and maintained for all IT systems in the CUI boundary (CM.L2-3.4.1). Security configuration settings must follow hardening guidelines such as CIS Benchmarks or DISA STIGs (CM.L2-3.4.2), and users must be restricted from installing unauthorized software (CM.L2-3.4.9). Changes to the IT environment must be tracked, reviewed, and approved through a formal change management process (CM.L2-3.4.3), with a security impact analysis before each change (CM.L2-3.4.4). Automated configuration monitoring that detects deviations from the approved baseline and alerts administrators is how you produce evidence that the baseline is actually maintained rather than just written down.
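The drift detection described here, together with the session-lock, password, MFA and encryption settings from the Access Control, Identification and Authentication, and System and Communications Protection sections above, can be expressed as a baseline of expected values checked against a configuration export. The following is an added example, not code from this page or from the provider; the setting names, the baseline values (which should come from your own hardening standard) and the exported configuration are all constructed for illustration.

```python
"""Added example: detect drift from an approved configuration baseline.

BASELINE maps a setting name to (comparison, expected value, NIST SP 800-171
requirement the setting supports). Names and values are constructed for
illustration; take real values from your own hardening standard (for example
a CIS Benchmark or DISA STIG profile) and feed check_drift() the export
produced by your configuration management tool.
"""
import operator

BASELINE = {
    # setting:                         (op,   expected,        requirement)
    "screen_lock_timeout_minutes":     ("le", 15,             "AC.L2-3.1.10"),
    "password_min_length":             ("ge", 12,             "IA.L2-3.5.7"),
    "mfa_required_for_network_access": ("eq", True,           "IA.L2-3.5.3"),
    "tls_min_version":                 ("in", {"1.2", "1.3"}, "SC.L2-3.13.8"),
    "fips_mode_enabled":               ("eq", True,           "SC.L2-3.13.11"),
    "disk_encryption":                 ("eq", "enabled",      "SC.L2-3.13.16"),
    "user_software_install_allowed":   ("eq", False,          "CM.L2-3.4.9"),
    "audit_log_max_size_mb":           ("ge", 1024,           "AU.L2-3.3.1"),
}

# How each comparison is evaluated: CHECKS[op](actual, expected) -> bool
CHECKS = {
    "eq": operator.eq,
    "ge": operator.ge,
    "le": operator.le,
    "in": lambda actual, allowed: actual in allowed,
}

# Constructed configuration export with deliberate drift for the demo.
EXPORTED_CONFIG = {
    "screen_lock_timeout_minutes": 30,   # drifted: lock timeout too long
    "password_min_length": 14,
    "mfa_required_for_network_access": True,
    "tls_min_version": "1.0",            # drifted: legacy protocol allowed
    "fips_mode_enabled": False,          # drifted: FIPS mode switched off
    "disk_encryption": "enabled",
    "user_software_install_allowed": False,
    # "audit_log_max_size_mb" is absent: reported as missing, never assumed compliant
}


def check_drift(current, baseline=BASELINE):
    """Compare a configuration export against the baseline.

    Returns one finding per deviating or missing setting, so an absent value
    can never silently pass. Each finding carries the requirement ID so it
    can be filed directly against the SSP and POA&M.
    """
    findings = []
    for setting, (op, expected, requirement) in baseline.items():
        if setting not in current:
            findings.append({"setting": setting, "requirement": requirement,
                             "status": "missing", "expected": expected, "actual": None})
            continue
        actual = current[setting]
        if not CHECKS[op](actual, expected):
            findings.append({"setting": setting, "requirement": requirement,
                             "status": "drift", "expected": expected, "actual": actual})
    return findings


def findings_by_requirement(findings):
    """Group findings by 800-171 requirement for POA&M reporting."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["requirement"], []).append(f["setting"])
    return grouped


if __name__ == "__main__":
    for f in check_drift(EXPORTED_CONFIG):
        print(f"{f['requirement']:<15} {f['setting']:<32} {f['status']:<8} "
              f"expected {f['expected']!r}, got {f['actual']!r}")
```

The constructed export yields four findings: three drifted settings (screen lock, minimum TLS version, FIPS mode) and one missing setting (audit log size). Treating a missing key as a finding rather than a pass is the deliberate design choice here; a tool that reports only what it could read will happily certify a host whose export was truncated.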
Incident Response (IR): 3 Requirements
Your organization must establish an operational incident-handling capability that includes preparation, detection, analysis, containment, recovery, and user response activities (IR.L2-3.6.1). Incidents must be tracked, documented, and reported to appropriate officials (IR.L2-3.6.2), and cyber incidents affecting covered defense information must be reported to the DoD via the DIBNet portal within 72 hours of discovery under DFARS 252.204-7012, which also requires preserving images and logs of affected systems for at least 90 days and submitting malicious software to the DoD Cyber Crime Center when requested. The incident response capability must be tested (IR.L2-3.6.3); NIST does not fix the interval, and we test at least annually. Your managed IT provider must have the forensic capabilities to preserve evidence with a documented chain of custody and support DoD investigation requirements.
The remaining domains, including Awareness and Training, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, and System and Information Integrity, each add specific requirements that your managed IT provider must address. A provider that has not mapped their service delivery to all 110 NIST 800-171 requirements cannot support CMMC Level 2 certification.
Most defense contractors discover critical gaps too late. Our CMMC readiness assessment identifies every deficiency before the assessor arrives.
How Petronella Technology Group Delivers CMMC Compliant Managed IT
As a CMMC Registered Provider Organization (RPO), Petronella Technology Group understands the specific technical requirements that C3PAO assessors evaluate. Our managed IT services are structured around the NIST 800-171 control families, ensuring every aspect of your IT environment contributes to your CMMC certification. Here is what our CMMC managed IT services include:
CUI Boundary Definition and Scoping
We identify every system, network segment, and application that stores, processes, or transmits CUI. Proper scoping is the most impactful step in CMMC compliance because it determines the size and cost of your assessment boundary. We help contractors minimize their CUI boundary through network segmentation, data flow analysis, and CUI isolation strategies, reducing both compliance costs and attack surface.
NIST 800-171 Gap Assessment
We conduct a detailed assessment of your current IT environment against all 110 NIST SP 800-171 requirements, producing a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) that document your implementation status. The SSP describes how each requirement is met, and the POA&M tracks remediation timelines for any gaps. These documents are mandatory for CMMC Level 2 assessment.
Enclave Architecture and Network Segmentation
We design and implement a CUI enclave, a dedicated network segment with enhanced security controls that isolates CUI-processing systems from your general business network. This includes FIPS 140-2 or 140-3 validated encryption for data at rest and in transit, next-generation firewalls with intrusion prevention at enclave boundaries, dedicated Active Directory organizational units with CMMC-aligned group policies, and jump servers for administrative access. Proper enclave design reduces your assessment scope and strengthens your security posture.
Identity and Access Management with MFA
We deploy FIPS-compliant multi-factor authentication on all accounts accessing CUI systems. This includes hardware tokens or phishing-resistant authenticators (FIDO2/WebAuthn), conditional access policies tied to device compliance and network location, privileged access management (PAM) for administrative accounts with just-in-time elevation, and automated account provisioning/deprovisioning tied to personnel security processes.
SIEM and Continuous Monitoring
Our managed detection and response (MDR) service provides the continuous monitoring required by CMMC's Audit and Accountability and Security Assessment domains. We deploy a SIEM platform that collects and correlates logs from all systems in the CUI boundary, with 24/7 analyst review of security alerts, automated threat intelligence correlation, and incident escalation procedures aligned with DoD reporting requirements. We retain logs for three years, which satisfies the organization-defined retention period NIST 800-171 calls for and is separate from the six years for which 32 CFR Part 170 requires you to keep the artifacts from each CMMC assessment.
Vulnerability Management and Patch Compliance
We conduct regular vulnerability scanning of all systems in the CUI boundary (RA.L2-3.11.2) with remediation tracked against defined timelines (RA.L2-3.11.3). NIST 800-171 sets no deadlines, so our service SLAs borrow the federal ones: critical vulnerabilities patched within 15 days and high within 30 days, as in CISA Binding Operational Directive 19-02, and moderate within 90 days. Our cybersecurity team validates patches before deployment, tests in staging environments, and documents remediation evidence for CMMC assessment artifacts.
CMMC Level 2 Domain Requirements and IT Implementation
CMMC Level 2 maps directly to NIST SP 800-171's 14 security families. This table shows each domain, the number of practices required, and the specific IT infrastructure capabilities your managed service provider must deliver. Petronella Technology Group covers every domain as part of our managed IT services.
| CMMC Domain | Practices | Key IT Infrastructure Requirements |
|---|---|---|
| Access Control (AC) | 22 | RBAC, session locks, remote access VPN, wireless 802.1X, mobile device management, external connection authorization |
| Audit & Accountability (AU) | 9 | Centralized SIEM, tamper-evident log storage, policy-defined retention (3 years in our service), audit correlation, failure alerting |
| Awareness & Training (AT) | 3 | Role-based security training, insider threat awareness, phishing simulations, training record retention |
| Configuration Mgmt (CM) | 9 | CIS/STIG baselines, application allowlisting, change management, automated configuration monitoring |
| Identification & Auth (IA) | 11 | MFA (FIPS-validated authenticators), password complexity policy (12+ chars in our baseline), replay-resistant auth, device certificates, account lockout |
| Incident Response (IR) | 3 | IR plan with annual testing, 72-hour DoD reporting, forensic evidence preservation, DIBNet submission |
| Maintenance (MA) | 6 | Controlled maintenance scheduling, remote maintenance session monitoring, media sanitization before off-site repair |
| Media Protection (MP) | 9 | CUI media marking, storage control, transport encryption, NIST 800-88 sanitization, digital media access control |
| Personnel Security (PS) | 2 | Personnel screening before CUI access, account termination/transfer procedures (within 24 hours under our SLA; the requirement itself sets no time limit) |
| Physical Protection (PE) | 6 | Facility access control, visitor logs, equipment monitoring, physical access device management (keys, cards) |
| Risk Assessment (RA) | 3 | Periodic risk assessments, vulnerability scanning with remediation tracking, threat intelligence integration |
| Security Assessment (CA) | 4 | Annual security assessments, POA&M management, continuous monitoring, system interconnection agreements |
| System & Comm Protection (SC) | 16 | FIPS 140-2/140-3 validated encryption, network segmentation, boundary protection, DNS/email security, CUI transmission encryption |
| System & Info Integrity (SI) | 7 | Endpoint detection (EDR), malicious code protection, security alert monitoring, system patch management |
If your provider cannot map their services to every NIST 800-171 requirement, your CMMC certification is at risk. Let us assess where you stand.
Defense Contractors and DIB Organizations That Need CMMC IT Support
CMMC requirements apply to all organizations in the defense industrial base (DIB) that handle Federal Contract Information or Controlled Unclassified Information. The following industries and organization types represent the defense contractors we serve with CMMC compliant managed IT services:
Defense Manufacturers
Companies manufacturing components, assemblies, and systems for DoD programs. Manufacturing environments present unique CMMC challenges with operational technology (OT) networks, CNC machines with network connectivity, and CAD/CAM systems processing CUI technical drawings and specifications that require isolation from general business IT.
Machine Shops and Fabricators
Small and mid-size machine shops producing precision parts for defense prime contractors. These organizations often receive CUI in the form of technical data packages (TDP), engineering drawings, and manufacturing specifications. Even a 10-person machine shop needs CMMC Level 2 if they handle CUI from a DoD contract.
Defense IT and Software Companies
Software development firms building applications for DoD systems, IT service providers supporting defense programs, and technology companies handling CUI in code repositories, development environments, and deployment pipelines. DevSecOps environments require CMMC controls integrated into CI/CD workflows.
Professional Services
Engineering firms, consulting companies, accounting firms, and legal practices that access CUI as part of defense contract work. Professional services organizations typically handle CUI in documents, emails, and collaboration platforms, requiring strong data loss prevention (DLP) and email encryption controls.
Logistics and Supply Chain
Defense logistics companies, supply chain management firms, and distribution operations handling CUI related to military logistics data, inventory systems, shipping documentation, and supply chain specifications. These organizations often have distributed workforce challenges requiring secure remote access from warehouses and distribution centers.
Research and Development
R&D laboratories, university research centers with DoD grants, and technology research firms generating and handling CUI. Research environments require balancing the open collaboration culture of R&D with the strict access controls and information sharing restrictions mandated by CMMC and CUI marking requirements.
What Makes Petronella Technology Group Different from Generic MSPs
Most managed service providers have never seen a NIST 800-171 assessment, cannot explain the difference between FCI and CUI, and have no experience with DFARS clause 252.204-7012. Here is what sets Petronella Technology Group apart as a CMMC managed service provider:
CMMC Registered Provider Organization (RPO)
Petronella Technology Group is registered with the Cyber AB (the CMMC Accreditation Body) as a Registered Provider Organization. This designation means our organization and staff have completed required training, background checks, and have committed to the CMMC Code of Professional Conduct. We can provide pre-assessment consulting and preparation services that help contractors prepare for their C3PAO assessment without conflicts of interest.
We Build Assessment-Ready Environments
We do not just implement security controls. We build IT environments specifically designed to pass C3PAO assessments. This means every control has documented evidence, every policy has corresponding technical enforcement, and every requirement has a clear mapping between the SSP description and the actual system configuration. Our clients do not scramble to produce evidence when assessors arrive because we maintain assessment-ready documentation as part of our ongoing managed services.
Enclave Expertise Reduces Your Scope and Cost
The biggest cost driver in CMMC compliance is scope. More systems in the CUI boundary means more controls to implement, more evidence to produce, and higher assessment fees. We specialize in designing minimal CUI enclaves that isolate CUI-processing systems from general business IT, reducing your assessment scope by 60-80% in many cases. This translates directly to lower compliance costs and faster time to certification.
23+ Years of Regulated IT Experience
Founded in 2002, Petronella Technology Group has over two decades of experience building and managing IT environments for organizations in regulated industries. Our team understands not just the technical requirements of CMMC, but the practical challenges of implementing them in real business environments. We know how to balance security with productivity, and we design solutions that your workforce will actually use rather than bypass. Our compliance services span CMMC, HIPAA, PCI DSS, SOC 2, and NIST frameworks.
CMMC 2.0 Implementation Timeline and What Non-Compliance Means
Understanding the CMMC rollout timeline is critical for planning your IT infrastructure upgrades. Here is where the program stands and what contractors need to know:
Phase 1 (2025): Self-Assessments Begin
DoD begins including CMMC Level 1 self-assessment requirements in new solicitations. Contractors must complete self-assessments and submit results to the Supplier Performance Risk System (SPRS). Level 2 self-assessments may also appear for non-critical CUI programs. Contractors without passing scores cannot compete for these contracts.
Phase 2 (2026): C3PAO Assessments Required
DoD begins requiring Level 2 C3PAO assessments for contracts involving critical CUI. The limited number of certified assessors will create a bottleneck, so contractors must begin preparation now to secure assessment slots. Wait times for C3PAO assessments may extend to 6-12 months during peak demand.
Consequences of Non-Compliance
Without CMMC certification at the required level, contractors face: loss of eligibility for new DoD contracts, potential loss of existing contracts at option renewal, False Claims Act liability for inaccurate SPRS self-assessment scores (treble damages), and loss of prime contractor relationships as primes require sub-tier CMMC compliance. Note that the DFARS 252.204-7012 incident reporting obligation applies to every contractor handling covered defense information whether or not it is certified.
False Claims Act risk: The Department of Justice has launched the Civil Cyber-Fraud Initiative specifically targeting government contractors who misrepresent their cybersecurity compliance status. Submitting inflated SPRS scores or claiming NIST 800-171 compliance without actual implementation can trigger False Claims Act investigations, with liability of up to three times the government's damages plus a civil penalty for each false claim that is adjusted for inflation every year (more than $14,000 per claim at the 2025 rate). Accurate self-assessment requires the kind of thorough technical validation that a CMMC-specialized managed IT provider delivers.
Assessment slots are limited and preparation takes 6-12 months. Start now to secure your DoD contract eligibility.
How We Bring Defense Contractors to CMMC Compliant IT
Achieving CMMC certification requires a structured approach that addresses technical controls, documentation, and organizational processes simultaneously. Here is our proven path from initial assessment to certification readiness:
CUI Flow Analysis and Scope Definition
We map every location where CUI enters, moves through, is stored in, and exits your organization. This CUI data flow analysis defines your assessment boundary and identifies opportunities to reduce scope through network segmentation and data isolation. We review your contracts, DFARS clauses, and CUI marking guides to ensure accurate CUI identification.
NIST 800-171 Assessment and SPRS Scoring
We evaluate your current IT environment against all 110 NIST 800-171 requirements and calculate your accurate SPRS score. We produce a complete System Security Plan (SSP) and Plan of Action and Milestones (POA&M) with specific remediation timelines. Your SPRS score is submitted to the DoD's Supplier Performance Risk System as required by DFARS 252.204-7019.
Enclave Build and Technical Remediation
We design and deploy your CUI enclave with all required technical controls: FIPS-validated encryption, MFA, SIEM, EDR, network segmentation, hardened baselines, and continuous monitoring. We implement controls in priority order based on SPRS score impact, closing the highest-value gaps first to maximize your score improvement rate.
Policy, Training, and Evidence Collection
We develop or update all required security policies mapped to NIST 800-171 families, deliver role-based security training with CUI handling procedures, and establish evidence collection processes that capture assessment artifacts automatically. This includes screenshot evidence, configuration exports, log samples, and training records organized by requirement number for efficient C3PAO review.
Pre-Assessment Validation and C3PAO Preparation
Before your C3PAO assessment, we conduct a mock assessment that mirrors the actual evaluation methodology. We review every requirement's evidence package, verify technical controls are operational, and conduct practice interviews with your team. This pre-assessment identifies and resolves any remaining gaps so your official assessment proceeds smoothly.
Ongoing Compliance Maintenance
CMMC certification requires continuous compliance, not just point-in-time readiness. Our managed IT services include ongoing monitoring, quarterly vulnerability scanning, annual security assessments, SSP and POA&M maintenance, and change management processes that evaluate the CMMC impact of every IT modification. We keep you assessment-ready every day between certification cycles.
CMMC Managed IT Services FAQ
What CMMC level does my company need?
Your required CMMC level depends on the type of information you handle. If your contracts only involve Federal Contract Information (FCI), Level 1 with 15 practices is sufficient. If your contracts involve Controlled Unclassified Information (CUI), which includes technical drawings, specifications, test data, or any information marked CUI, you need Level 2 with 110 practices. Level 3 applies only to contractors working on the most sensitive DoD programs with enhanced security requirements. Check your contract clauses, specifically DFARS 252.204-7012, 7019, 7020, and 7021, to determine your CUI obligations. When in doubt, contact us for a contract review at 919-348-4912.
How long does it take to become CMMC Level 2 compliant?
Timeline depends on your current security posture. Organizations starting with a low SPRS score (below 50) typically need 12-18 months to implement all 110 controls, develop documentation, train staff, and build assessment evidence. Organizations with existing security programs (SPRS score above 80) may need 6-9 months for gap remediation and documentation. The C3PAO assessment itself takes 1-4 weeks depending on organization size. We recommend starting at least 12 months before you anticipate needing certification to account for remediation complexity and assessor availability. Our CMMC compliance guide provides additional timeline details.
Can I use cloud services like Microsoft 365 for CMMC compliance?
Yes, but only specific cloud configurations meet CMMC requirements. Commercial Microsoft 365 Business plans are generally not accepted for CUI: DFARS 252.204-7012 requires that a cloud service storing or processing covered defense information meet the FedRAMP Moderate baseline or equivalent and that the provider support the clause's incident reporting, forensic, and data preservation obligations (paragraphs (c) through (g)), and Microsoft documents those commitments for GCC High, and in part for GCC, rather than for commercial tenants. For most contractors that means Microsoft 365 GCC (Government Community Cloud) or GCC High. GCC High is required when your contracts involve ITAR or other export-controlled data, because it is operated by screened U.S. persons on U.S. soil. We configure and manage GCC/GCC High tenants with CMMC-aligned security settings, conditional access policies, data loss prevention rules, and audit logging that covers the requirements a cloud tenant can satisfy; the remaining requirements (physical protection, personnel security, endpoint configuration) are still yours to implement.
What is the difference between a CMMC RPO and a C3PAO?
A Registered Provider Organization (RPO) like Petronella Technology Group provides consulting, preparation, and managed IT services to help contractors achieve CMMC compliance. We can assess your current state, implement controls, build documentation, and prepare you for assessment. A Certified Third-Party Assessment Organization (C3PAO) conducts the official CMMC assessment that results in certification. The Cyber AB's conflict-of-interest rules prohibit a C3PAO from assessing a contractor it helped prepare, so the organization that readies you cannot be the one that certifies you. We prepare you; an independent C3PAO certifies you. That separation is what protects the integrity of the assessment.
What happens to my existing contracts if I do not get CMMC certified?
CMMC requirements will be phased into new solicitations and contract renewals. Existing contracts without CMMC clauses continue as written. However, when those contracts come up for re-competition or option renewal, DoD may add CMMC requirements. Additionally, prime contractors are increasingly flowing CMMC requirements down to subcontractors in advance of the formal mandate to reduce their supply chain risk. If you lose certification eligibility, primes will find alternative suppliers. Starting CMMC preparation now protects your current contract base and positions you for future opportunities.
How much does CMMC managed IT cost compared to regular managed IT?
CMMC managed IT typically costs 30-50% more than standard managed IT services due to the additional security controls, monitoring capabilities, documentation requirements, and compliance management overhead. For a 25-user defense contractor, expect $200-$400 per user per month for fully managed CMMC-compliant IT services. This includes endpoint management, SIEM/SOC monitoring, vulnerability management, backup, help desk, compliance documentation, and quarterly assessments. The cost is significantly less than building an in-house security team (a single cybersecurity engineer costs $120,000+ annually) and is a fraction of the revenue at risk from losing DoD contract eligibility.
Do you handle the POA&M process for remediation items?
Yes. Plan of Action and Milestones (POA&M) management is a core component of our CMMC managed IT services. We track every open item with specific remediation actions, responsible parties, milestones, and completion dates. Under CMMC 2.0 (32 CFR 170.21), a Level 2 assessment can result in a conditional certification with open POA&M items only if your assessment score is at least 88 out of 110 and the open items are limited to 1-point requirements (with a narrow exception for partially implemented CUI encryption, SC.L2-3.13.11, and a short list of requirements that may never be deferred); the open items must then be closed and verified in a closeout assessment within 180 days, or the conditional status lapses. We prioritize POA&M remediation to minimize the number of open items before your C3PAO assessment and actively work to close any remaining items within the required timeline.
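The SPRS scoring, remediation prioritization and POA&M rules discussed on this page (the NIST 800-171 Assessment and SPRS Scoring step, the Enclave Build step that orders work by score impact, and this answer) can be checked with a short calculator. The following is an added example, not part of the page or of the provider's service. The point values are an excerpt for a handful of requirements (the full 110-entry table must be taken from the DoD Assessment Methodology), the open-item lists are constructed, and the POA&M eligibility test encodes one reading of 32 CFR 170.21 that should be verified against the rule text before you rely on it.

```python
"""Added example: SPRS score, remediation priority and POA&M eligibility.

Scoring follows the NIST SP 800-171 DoD Assessment Methodology: start at 110
and subtract each unimplemented requirement's point value (5, 3 or 1). Two
requirements earn partial credit when partly implemented: IA.L2-3.5.3 (MFA in
place for remote and privileged access but not all users) and SC.L2-3.13.11
(CUI encrypted, but not with FIPS-validated modules) each deduct 3 instead
of 5. POINT_VALUES is an excerpt; the full table must come from the official
methodology. The POA&M test encodes one reading of 32 CFR 170.21 for Level 2.
"""

PERFECT_SCORE = 110
POAM_MINIMUM_SCORE = 88  # 80 percent of 110: the conditional-certification floor

# Excerpt of point values (requirement -> deduction when not implemented).
POINT_VALUES = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.2": 5, "AC.L2-3.1.12": 5, "AC.L2-3.1.20": 1,
    "AC.L2-3.1.22": 1, "AU.L2-3.3.1": 5, "AU.L2-3.3.2": 3, "CM.L2-3.4.1": 5,
    "CM.L2-3.4.2": 5, "IA.L2-3.5.3": 5, "IA.L2-3.5.7": 1, "IR.L2-3.6.1": 5,
    "RA.L2-3.11.2": 5, "RA.L2-3.11.3": 1, "SC.L2-3.13.8": 3, "SC.L2-3.13.11": 5,
    "SC.L2-3.13.16": 1, "SI.L2-3.14.1": 5, "SI.L2-3.14.2": 5,
}
# Deduction when the requirement is partially implemented (methodology-defined).
PARTIAL_CREDIT = {"IA.L2-3.5.3": 3, "SC.L2-3.13.11": 3}

# Requirements that may never be deferred to a POA&M at a Level 2 assessment.
NEVER_POAM = {"AC.L2-3.1.20", "AC.L2-3.1.22", "PE.L2-3.10.3",
              "PE.L2-3.10.4", "PE.L2-3.10.5"}


def deduction(req, partial=False):
    """Points lost for one open requirement, with partial credit where allowed."""
    if partial and req in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req]
    return POINT_VALUES[req]


def sprs_score(open_items):
    """open_items: {requirement_id: partially_implemented} -> score (may be negative)."""
    return PERFECT_SCORE - sum(deduction(r, p) for r, p in open_items.items())


def remediation_order(open_items):
    """Open requirements sorted by score impact, highest first (ties by ID)."""
    return sorted(open_items, key=lambda r: (-deduction(r, open_items[r]), r))


def poam_eligible(open_items):
    """Return (eligible, reasons) for a conditional Level 2 certification."""
    reasons = []
    score = sprs_score(open_items)
    if score < POAM_MINIMUM_SCORE:
        reasons.append(f"score {score} is below {POAM_MINIMUM_SCORE}")
    for req, partial in open_items.items():
        if req in NEVER_POAM:
            reasons.append(f"{req} can never be placed on a POA&M")
        elif deduction(req, partial) > 1 and not (req == "SC.L2-3.13.11" and partial):
            reasons.append(f"{req} is worth {deduction(req, partial)} points "
                           "and must be closed before assessment")
    return (not reasons), reasons


# Constructed gap lists for a hypothetical contractor, before and after remediation.
BEFORE = {
    "AC.L2-3.1.12": False, "AU.L2-3.3.1": False, "IA.L2-3.5.3": True,
    "SC.L2-3.13.11": True, "IA.L2-3.5.7": False, "SC.L2-3.13.16": False,
    "AC.L2-3.1.22": False,
}
AFTER = {"SC.L2-3.13.11": True, "IA.L2-3.5.7": False, "SC.L2-3.13.16": False}

if __name__ == "__main__":
    for label, gaps in (("before", BEFORE), ("after", AFTER)):
        ok, why = poam_eligible(gaps)
        print(f"{label}: score {sprs_score(gaps)}, POA&M eligible: {ok}")
        for line in why:
            print("   ", line)
    print("remediate first:", remediation_order(BEFORE)[:3])
```

The "before" list scores 91, which clears the 88-point floor, yet it is not POA&M-eligible: two 5-point requirements and the partially implemented MFA requirement must be closed first, and AC.L2-3.1.22 is on the never-defer list. Closing those four items leaves a score of 105 with only deferrable gaps, which is the state you want to be in when the C3PAO arrives. The ordering function shows why remediation is sequenced by point value rather than by convenience.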
Can you help if we are a subcontractor to a prime defense contractor?
Absolutely. Subcontractors face the same CMMC requirements as prime contractors when they handle CUI. In many cases, subcontractors have more challenging compliance environments because they work with multiple primes, each with different CUI handling requirements. We help subcontractors define their CUI boundary, implement controls that satisfy multiple prime contractor requirements simultaneously, and manage the flow-down provisions in their subcontract agreements. We also help negotiate appropriate CUI marking and handling responsibilities between primes and subs.
Explore Our Complete Compliance and IT Service Portfolio
CMMC managed IT services are one component of a comprehensive defense contractor compliance program. Explore our related services to build a complete security and compliance posture:
CMMC Compliance Guide
Comprehensive CMMC compliance program: gap assessment, SSP development, POA&M management, and C3PAO preparation for defense contractors.
Managed IT Services
Complete IT infrastructure management including help desk, network monitoring, endpoint management, and strategic IT planning for Raleigh-area businesses.
Managed Detection and Response
24/7 threat detection, investigation, and response meeting CMMC's continuous monitoring requirements with SIEM and SOC capabilities.
Cybersecurity Services
Vulnerability management, penetration testing, security assessments, and architecture design aligned with NIST 800-171 and CMMC requirements.
Compliance Services Hub
Multi-framework compliance support spanning CMMC, HIPAA, PCI DSS, SOC 2, NIST, and ISO 27001 for organizations with overlapping regulatory requirements.
PCI DSS Compliance
For defense contractors that also process payment card data, our PCI DSS services address both CUI protection and cardholder data security simultaneously.
As a CMMC RPO with 23+ years of regulated IT experience, Petronella Technology Group builds the compliant IT infrastructure defense contractors need to win and retain DoD contracts.
Petronella Technology Group, Inc. • 5540 Centerview Dr., Suite 200, Raleigh, NC 27606 • 919-348-4912