CMMC Readiness Assessment
CMMC Phase 2 is live and primes are flowing requirements down to subcontractors right now. A CMMC readiness assessment reveals your true SPRS self-score, your full NIST SP 800-171 gap list, and a prioritized path to certification before a C3PAO ever shows up. Performed by a fully credentialed CMMC-RP team in Raleigh, North Carolina for Levels 1, 2, and 3.
Free and no obligation. Fixed-scope quote within two business days.
- Confirm your CMMC level
- Sketch your CUI enclave
- 30-day assessment outline
- Fixed quote in 2 business days
The Short Version
- A readiness assessment is a diagnosis, not a certification. It tells you exactly where you stand against NIST SP 800-171 before you spend a dollar on remediation or book a C3PAO.
- You walk away with five concrete artifacts: a scoped CUI boundary, a 110-control gap analysis, your real SPRS self-score, a prioritized POA&M, and a path-to-assessment roadmap.
- Petronella Technology Group covers all three CMMC levels - Level 1 self-assessment, Level 2 third-party, and Level 3 government-led - as Cyber AB Registered Provider Organization #1449.
- Typical timeline: readiness assessment in roughly 30 days, remediation in 60 to 90 days, and full path-to-assessment over 6 to 9 months depending on enclave size and starting score.
- Pricing is custom and scope-first. Scope depends on enclave size, CUI flow, asset count, and your current SPRS posture. Start with a free scoping consultation and the CMMC scoping worksheet.
What a CMMC Readiness Assessment Actually Is
A CMMC readiness assessment is a structured, evidence-based diagnosis of where your organization stands against the controls a C3PAO or government assessor will measure you against. It is the first move every serious defense contractor makes - because you cannot fix, budget for, or schedule what you have not measured.
Think of it as the difference between guessing your weight and stepping on a scale. Many contractors believe they are "mostly compliant" because they run modern endpoint protection and multifactor authentication. A readiness assessment turns that feeling into a number: your actual Supplier Performance Risk System (SPRS) self-score, calculated honestly against all 110 NIST SP 800-171 controls. For most organizations that have never done this formally, the first honest score is lower than expected, and frequently negative. That is normal, and it is far better to learn it now than in front of a Certified Third Party Assessment Organization.
The assessment is also a scoping exercise. Before any control is graded, a CMMC-RP from Petronella Technology Group works with your team to draw the boundary of where Controlled Unclassified Information (CUI) actually lives - the file servers, the Microsoft 365 tenant, the laptops, the removable media, and the cloud services that touch it. A tightly scoped CUI enclave is the single biggest lever on cost and timeline, because the 110 controls only have to apply inside that boundary, not across your entire enterprise network.
The five deliverables you leave with
- Scoped CUI boundary. A diagram and asset inventory of every system that processes, stores, or transmits Controlled Unclassified Information, with the enclave boundary drawn explicitly.
- NIST SP 800-171 gap analysis. All 110 controls assessed for current state - met, partially met, or not met - with the supporting observation for each finding.
- SPRS self-score. A defensible score posted or ready to post to the Supplier Performance Risk System, with the point-by-point calculation worksheet behind it.
- Prioritized POA&M. A Plan of Action and Milestones that ranks every gap by risk and effort so you remediate the highest-impact items first.
- Path-to-assessment roadmap. A sequenced plan with target dates connecting today's score to certification readiness.
Why a readiness assessment comes first
- It prices the project accurately. Remediation quotes built on a guess are wrong. A scored gap list lets us build a fixed-scope plan instead of an open-ended retainer.
- It protects your SPRS posture. Posting an inflated self-score creates False Claims Act exposure. The assessment produces a number you can defend.
- It sequences the spend. Not every gap costs the same to close. The POA&M lets you spend remediation dollars on the controls that move your score the most.
- It de-risks the C3PAO. A mock-graded environment means no surprises in the room that determines whether you keep your contracts.
- It is the prerequisite for everything else. The CMMC compliance program, the System Security Plan, and the certification itself all build on the assessment baseline.
It covers all three CMMC levels
The readiness assessment is scaled to the level your contracts require. Petronella consults at Level 1, Level 2, and Level 3, and the assessment determines which applies before scoring begins. The level cards below summarize the differences, and the section on DFARS clauses shows you how to read your own contracts to confirm which level you owe.
Level 1 - Foundational
For contractors that handle only Federal Contract Information (FCI), not CUI. Built on 17 basic safeguarding practices drawn from FAR 52.204-21.
- Annual self-assessment
- Senior official affirmation
- Light SSP and basic policies
Level 2 - Advanced
Required when CUI is processed, stored, or transmitted. Aligns to NIST SP 800-171. Most CUI-flowing contracts require Level 2 with a triennial third-party assessment.
- Triennial C3PAO assessment
- Full SSP, POA&M, policy library
- SPRS score posted
Level 3 - Expert
For the most sensitive programs where Advanced Persistent Threats are a credible risk. Overlays NIST SP 800-172 on top of 800-171, assessed by the government (DIBCAC).
- Government-led assessment
- Enhanced security requirements
- Threat hunting and deception controls
Phase 2 Is Live and Requirements Are Flowing Down
CMMC is no longer a future planning exercise. The program is in its rollout phase, primes are writing CMMC requirements into subcontracts, and the contractual clauses that drive your obligations are already in your active agreements. A readiness assessment turns that pressure into a plan.
The compliance compulsion is real and it is contractual. The Department of Defense established CMMC to verify that the cybersecurity protections defense contractors have long been required to implement are actually in place. The verification mechanism rolls out in phases, and as it does, prime contractors pass their obligations down to every subcontractor that touches Federal Contract Information or Controlled Unclassified Information. If you are a subcontractor, your prime's deadline becomes your deadline. The questionnaire that lands in your inbox is not optional, and "we are working on it" is no longer a sufficient answer.
The clauses that create the obligation are already in your contracts. Pull every active and pipeline agreement and look for the four DFARS clauses below. Each one signals a different piece of your CMMC scope, and together they tell you what level you owe and what you must post in SPRS today.
DFARS 252.204-7012: Safeguarding and incident reporting
Mandates safeguarding of Covered Defense Information (which includes CUI) and rapid reporting of cyber incidents. The presence of this clause is the strongest single signal that CMMC Level 2 will apply to you.
DFARS 252.204-7019: SPRS score required
Requires you to post a current NIST SP 800-171 self-assessment score in the Supplier Performance Risk System. A readiness assessment produces the defensible score this clause demands.
DFARS 252.204-7020: DoD access and flow-down
Requires you to grant DoD access to verify your NIST SP 800-171 implementation and to flow these requirements down to your own subcontractors. This is the mechanism that pushes obligations through the supply chain.
DFARS 252.204-7021: The CMMC clause itself
Names the required CMMC level and the certification cadence directly. When this clause appears, the contract is explicit about the level you must achieve and maintain to remain eligible for award.
The cost of waiting is not abstract. Contractors who delay discover gaps too large to close before a deadline, lose award eligibility, or post a self-score they cannot defend and create False Claims Act exposure. A readiness assessment is the inexpensive, fast first step that prevents all three outcomes - it gives you a measured starting point, a defensible number, and the runway to remediate on a realistic schedule. For a deeper breakdown of what drives engagement cost, see the CMMC cost breakdown, and to understand the scoring math, see how the CMMC self-score is calculated.
Stop guessing your SPRS number. A free, no-obligation scoping call sizes the work and gives you a fixed-scope quote within two business days.
Book a free CMMC scoping consultation
How Petronella Runs a Readiness Assessment
The assessment itself is a focused, roughly 30-day engagement. It feeds directly into remediation and, eventually, certification readiness. Here is the phase structure and the artifacts each phase produces.
Scoping & Discovery
A kickoff workshop with your executive sponsor, IT lead, and compliance owner to identify which contracts impose CMMC and where CUI lives today.
- DFARS clause inventory
- CUI footprint sketch
- Enclave boundary candidates
- Signed assessment scope
Gap Analysis
A control-by-control assessment against NIST SP 800-171, combining asset discovery, evidence review, and interview-based control walkthroughs.
- Asset inventory and CUI flow map
- 110-control current-state matrix
- Evidence gaps documented
- Findings observations recorded
SPRS Scoring
Translation of the gap analysis into a defensible SPRS self-score with the supporting calculation, ready to post under DFARS 252.204-7019.
- 110-control point calculation
- Defensible SPRS self-score
- Calculation worksheet
- Submission guidance
Roadmap Handoff
A working session that delivers the prioritized POA&M and the path-to-assessment roadmap, with a fixed-scope quote for the remediation phase.
- Prioritized POA&M
- Path-to-assessment roadmap
- Remediation scope and quote
- C3PAO timing guidance
Ready to put a number on your readiness? Start with a free scoping consultation. No cost, no commitment, and you keep the scoping worksheet either way.
Book a free CMMC scoping consultation
What separates a Petronella assessment from a template-driven checklist is that the same firm that scores you can also remediate the gaps and operate the controls afterward. The findings are written by a CMMC-RP who understands not just the language of NIST SP 800-171 but the engineering required to satisfy a control under interview - multifactor authentication scope, FIPS-validated cryptography, audit logging coverage, and configuration baselines. For a side-by-side look at the consulting role versus the assessor role, see our CMMC consultant overview, and for the control-to-control crosswalk see the CMMC to NIST mapping.
Why a Credentialed RPO and Not a Generic IT Firm
Anyone can call themselves a CMMC expert. The Cyber AB Marketplace is the only authoritative list of firms credentialed to prepare contractors for assessment. Petronella Technology Group is listed there as Registered Provider Organization #1449.
Cyber AB Registered Provider Organization
An RPO is a company authorized by the Cyber AB, the official accreditation body of the CMMC ecosystem, to provide readiness, consulting, and advisory services to organizations preparing for CMMC. RPOs sign a code of professional conduct and their practitioners individually hold the CMMC-RP credential. You can verify any consultant at the official Cyber AB marketplace.
Real credentials, verifiable on the record
Every practitioner on the Petronella compliance team holds the CMMC-RP (Registered Practitioner) designation - not just the principal. Craig Petronella, the firm's founder, holds CMMC-RP alongside CCNA, CWNE, Digital Forensic Examiner (DFE) #604180, and is MIT-Certified in AI and Blockchain.
The forensic background is not decoration. A CMMC readiness assessment leans on audit logging, incident response, and evidence preservation that mirror the chain-of-custody discipline used in digital forensics. A practitioner who has actually collected an evidentiary disk image writes a sharper Incident Response Plan and a more honest gap finding than one who has only read about it. When an assessor asks how you would preserve logs after a suspected compromise, that answer comes from real casework, not a template.
Petronella Technology Group has operated as a North Carolina IT and security firm since 2002, with a BBB A+ rating since 2003, headquartered at 5540 Centerview Dr., Suite 200, Raleigh, NC 27606. That two-decade operating history matters during an assessment, because organizational maturity is itself a signal assessors weigh. Firms that stood up a CMMC division in the last eighteen months to chase the contract dollar work from a thinner bench than one that has been engineering, defending, and forensically investigating networks for more than twenty years.
AI plus compliance, built for the NC defense corridor
Petronella pairs CMMC readiness with a private AI security practice, which is increasingly relevant as contractors adopt AI tooling inside CUI environments and need that adoption mapped to controls rather than bolted on. The firm focuses on the North Carolina defense corridor - the contractors and engineering firms serving Fort Liberty (Fort Bragg), Seymour Johnson Air Force Base, Camp Lejeune, and the engineering and research community across the Research Triangle Park. Local presence means scoping workshops can be run on-site, and it means the team understands the specific contract types and CUI profiles common to the region.
What changes when your assessor is a real RPO
- Cyber AB listed and verifiable. Your procurement and contracts teams can pull the listing as an objective credential.
- Code of professional conduct. Constrains what the firm can claim about your readiness in proposals and to your primes.
- Curriculum-aligned vocabulary. The gap analysis, POA&M, and SPRS language match what assessors are trained to read.
- A clean referral path to C3PAOs. RPOs work alongside Certified Third Party Assessment Organizations constantly and know which assessors fit your contract type, geography, and CUI profile.
Framed by Timeline, Scoped by Your Environment
CMMC engagement cost is custom because no two CUI environments are alike. Rather than publish a number that would be wrong for your situation, Petronella scopes first and quotes a fixed price. What we can tell you up front is how the work is paced.
How the work is paced
- Readiness assessment - roughly 30 days. Scoping, the 110-control gap analysis, your SPRS self-score, and the prioritized POA&M and roadmap.
- Remediation - 60 to 90 days. Closing the highest-impact gaps from the POA&M, authoring the System Security Plan, and building out the policy library and technical controls.
- Full path to assessment - 6 to 9 months. From a cold start through certification readiness, including a mock C3PAO walkthrough and evidence package staging. Larger enclaves and Level 3 scopes extend this.
What drives the scope and quote
- Enclave size. A narrowly scoped CUI boundary is the biggest lever on cost - the 110 controls only apply inside it.
- CUI flow complexity. How CUI moves between on-premises systems, Microsoft 365, and cloud services.
- Asset and user count. The number of endpoints, servers, tenants, and people who touch CUI.
- Starting SPRS posture. A deeper hole takes longer to climb out of than a near-ready environment.
- Target level. Level 1 is lightest; Level 3 overlays NIST SP 800-172 and is heaviest.
The fastest way to a real number is a free scoping consultation. Twenty minutes with a CMMC-RP walking your DFARS clauses and CUI footprint typically gives us enough to size a fixed-scope quote within two business days. Come prepared by downloading the CMMC scoping worksheet, which captures your in-scope assets, users, and data flows before the call so the conversation is faster and more accurate. To browse the full compliance practice, see the compliance services overview.
CMMC Readiness Assessment: FAQ
The questions defense contractors ask most often before booking a readiness assessment.
What is a CMMC readiness assessment?
A CMMC readiness assessment is a structured diagnosis of where your organization stands against the controls a C3PAO or government assessor will measure. It scopes your CUI boundary, grades all 110 NIST SP 800-171 controls, produces your real SPRS self-score, and hands you a prioritized POA&M and a path-to-assessment roadmap. It is the inexpensive first step that lets you budget, sequence, and schedule the rest of the work accurately. It is not a certification - only a Certified Third Party Assessment Organization (C3PAO) or, for Level 3, the government can certify you.
How long does a readiness assessment take?
The assessment itself is typically a 30-day engagement: roughly one week of scoping and discovery, about two weeks of control-by-control gap analysis, and a final week to translate findings into an SPRS self-score and a prioritized roadmap. Larger or multi-site environments extend that. Remediation that follows usually runs 60 to 90 days, and the full path to certification readiness from a cold start is generally 6 to 9 months.
Do I need a C3PAO, or is this assessment enough?
They serve different purposes. A readiness assessment, performed by a Registered Provider Organization like Petronella Technology Group, prepares you and tells you where you stand. A C3PAO performs the formal Level 2 certification assessment that yields your CMMC status with the Department of Defense. Cyber AB independence rules generally prevent the same firm from both preparing and certifying you for Level 2 in the same window, so Petronella prepares you and refers you to an appropriate C3PAO for the formal assessment. Level 1 is self-assessed, and Level 3 is assessed by the government (DIBCAC).
What is an SPRS score and why does it matter?
The Supplier Performance Risk System (SPRS) holds the NIST SP 800-171 self-assessment score that DFARS 252.204-7019 requires you to post. The score starts at 110 and deducts points for each unmet control, with 1-, 3-, or 5-point weights depending on the control. Many contractors are surprised that an honest first score is negative - that is common and not a verdict. The score matters because primes and contracting officers look at it, and because posting an inflated number creates False Claims Act exposure. A readiness assessment produces a score you can actually defend. See how the CMMC self-score is calculated.
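The scoring rule above, and the POA&M ranking by points recovered described under "Why a readiness assessment comes first", as an added worked example (not Petronella's tooling). It assumes the partial-credit rule for 3.5.3 and 3.13.11 from the DoD Assessment Methodology, which this page does not spell out; the control weights in the sample matrix are constructed for illustration, not copied from the methodology's table.

```python
"""SPRS self-score calculator over a NIST SP 800-171 gap matrix.

Rule from the page: start at 110 and deduct 1, 3 or 5 points per unmet control.
Assumption (DoD Assessment Methodology, not stated on the page): only 3.5.3 (MFA)
and 3.13.11 (FIPS-validated crypto) earn partial credit, costing 3 instead of 5.
Weights in the sample below are constructed; real weights come from the
methodology's scoring table, and a real matrix has all 110 rows.
"""
from dataclasses import dataclass

MAX_SCORE = 110
# Controls where a partial implementation costs 3 points rather than the full 5
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Finding:
    control: str   # NIST SP 800-171 requirement id, e.g. "3.5.3"
    weight: int    # 1, 3 or 5 per the scoring table
    status: str    # "met", "partial" or "not_met"


def deduction(f: Finding) -> int:
    """Points lost for one control under the self-assessment rules."""
    if f.weight not in (1, 3, 5):
        raise ValueError(f"{f.control}: weight must be 1, 3 or 5")
    if f.status == "met":
        return 0
    if f.status == "partial":
        # Every control other than the two partial-credit ones is all-or-nothing
        return PARTIAL_CREDIT.get(f.control, f.weight)
    if f.status == "not_met":
        return f.weight
    raise ValueError(f"{f.control}: unknown status {f.status!r}")


def sprs_score(findings: list[Finding]) -> int:
    """110 minus every deduction; an honest first score can go negative."""
    seen = set()
    for f in findings:
        if f.control in seen:
            raise ValueError(f"duplicate finding for {f.control}")
        seen.add(f.control)
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_priority(findings: list[Finding]) -> list[tuple[str, int]]:
    """Open gaps ranked by points recovered, highest first (ties by control id)."""
    gaps = [(f.control, deduction(f)) for f in findings if deduction(f) > 0]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


# Constructed gap matrix for a small enclave (weights illustrative only)
SAMPLE = [
    Finding("3.1.1", 5, "met"),
    Finding("3.1.20", 1, "not_met"),
    Finding("3.3.1", 5, "not_met"),
    Finding("3.3.2", 3, "not_met"),
    Finding("3.5.3", 5, "partial"),    # MFA on remote and privileged users only
    Finding("3.13.11", 5, "partial"),  # encryption in place but not FIPS-validated
    Finding("3.14.2", 5, "met"),
]

if __name__ == "__main__":
    print("SPRS self-score:", sprs_score(SAMPLE))
    for control, pts in poam_priority(SAMPLE):
        print(f"  {control:<8} recovers {pts} pts")
```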
What is the difference between Level 2 self-assessment and a certified assessment?
Under the CMMC program, some Level 2 contracts permit a self-assessment while others require a certified third-party assessment by a C3PAO, depending on the sensitivity of the CUI involved and the contract terms. A readiness assessment is valuable in either case, because both paths require the same underlying NIST SP 800-171 implementation, the same defensible SPRS score, and the same System Security Plan. The difference is who validates the result. Petronella's assessment prepares you for whichever path your contract specifies.
What is CUI, and how do I know if I handle it?
Controlled Unclassified Information (CUI) is government information that requires safeguarding but is not classified. You typically handle CUI if your DoD contract includes DFARS 252.204-7012 or if you receive documents marked with banners such as "CUI//SP-PROP," "CUI//SP-PRVCY," or "CUI//SP-CTI." If you handle only Federal Contract Information (FCI) - basic, non-public contract performance information with no covered marking - Level 1 is likely your destination. The scoping phase of a readiness assessment confirms exactly what you hold and where it lives.
Do you work with small contractors and subcontractors in North Carolina?
Yes. Many small contractors carry the same CMMC obligation as their prime, because flow-down requirements under DFARS 252.204-7020 pass CUI handling responsibility down the supply chain. Petronella Technology Group is based in Raleigh and focuses on the North Carolina defense corridor - contractors and engineering firms serving Fort Liberty (Fort Bragg), Seymour Johnson Air Force Base, Camp Lejeune, and the Research Triangle Park community. We size engagements to the organization and frequently work with firms in the 5 to 50 employee range that have a single CUI enclave.
What does a readiness assessment cost?
Pricing is custom and scope-first. The cost depends on your enclave size, CUI flow complexity, asset and user count, current SPRS posture, and target CMMC level. Rather than publish a number that would be wrong for your environment, Petronella scopes first and quotes a fixed price. Start with a free scoping consultation and the CMMC scoping worksheet, or call (919) 348-4912 to walk through the variables. For the factors that move the quote, see the CMMC cost breakdown.
Book Your Free CMMC Scoping Consultation
Tell us about your contracts and your CUI footprint. A CMMC-RP from Petronella Technology Group will walk your DFARS clauses, sketch your enclave, and outline the readiness assessment - at no cost and with no obligation.
What happens after you submit
A credentialed CMMC-RP reviews your details and reaches out to schedule a short scoping call. There is no charge for the consultation and no commitment to engage.
- We confirm which CMMC level your contracts require
- We sketch your CUI enclave and the controls in scope
- We outline the roughly 30-day readiness assessment
- You receive a fixed-scope quote within two business days
Prefer to come prepared? Download the CMMC scoping worksheet first, or reach a CMMC-RP directly by phone.
Call (919) 348-4912
Know Your SPRS Score Before the C3PAO Does
Petronella Technology Group is Cyber AB Registered Provider Organization #1449. Book a no-cost scoping consultation to walk your DFARS clauses, scope your CUI enclave, and start a CMMC Level 1, 2, or 3 readiness assessment - then move into remediation with a defensible number in hand.