PTG CMMC 5-Point Assessment
Cybersecurity Maturity Model Certification (CMMC)
Petronella Technology Group is a Cyber AB Registered Provider Organization (RPO) helping Raleigh-Durham and Triangle-area defense contractors achieve and maintain CMMC 2.0 compliance.
What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) program that verifies how contractors protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) across the Defense Industrial Base (DIB). CMMC 2.0 collapsed the original five-level model into three levels, tied each level directly to existing FAR and NIST requirements, and added mandatory third-party or government assessments for most contractors handling CUI.
Any prime contractor, subcontractor, or supplier that handles FCI or CUI under a DoD contract must meet the CMMC level specified in the solicitation to be eligible for award; only acquisitions solely for commercial off-the-shelf (COTS) items are exempt. The program rule (32 CFR Part 170) was published in October 2024 and took effect on December 16, 2024; the companion DFARS acquisition rule (48 CFR) took effect on November 10, 2025, starting the phased rollout of CMMC clauses into new contracts.
Why CMMC Matters for Your Business
The DoD created CMMC because self-attested, unverified compliance with DFARS 252.204-7012 (which has required NIST SP 800-171 implementation since the end of 2017) was not producing adequate cybersecurity postures across the supply chain. Adversaries continue to target the DIB, and the consequences of inaction are severe.
- Contract eligibility: Without the required CMMC level, your organization cannot bid on or receive DoD contracts. CMMC is a "go/no-go" requirement.
- Legal liability: The False Claims Act applies to cybersecurity attestations, and the Department of Justice's Civil Cyber-Fraud Initiative has already pursued contractors over them. Inaccurate SPRS scores or self-assessments can result in treble damages and penalties, contract termination, and debarment.
- National security: CUI theft undermines weapons systems, intelligence operations, and technological superiority. The DoD is holding contractors accountable for safeguarding this information.
- Competitive advantage: Early certification positions your company ahead of competitors who have delayed, especially in the Research Triangle Park (RTP) defense corridor.
CMMC 2.0 Levels
CMMC 2.0 organizes cybersecurity requirements into three maturity levels, each aligned with specific NIST standards and assessment types.
Level 1 (Foundational)
Protects Federal Contract Information (FCI). Requires implementation of the 15 basic safeguarding requirements of FAR 52.204-21. An annual self-assessment, entered in SPRS with an annual affirmation by a senior company official, is sufficient. This level applies to contractors that handle FCI but do not process, store, or transmit CUI. No POA&M is permitted at Level 1: all 15 requirements must be fully met.
Level 2 (Advanced)
Protects Controlled Unclassified Information (CUI). Requires implementation of all 110 security requirements of NIST SP 800-171 Rev 2 (the rule fixes Rev 2 as the baseline even though NIST has since published Rev 3). The DoD specifies per contract which of two assessment types applies: most CUI programs require a triennial certification assessment by a C3PAO, while a limited set of programs permits a triennial self-assessment. Both require an annual affirmation in SPRS.
Level 3 (Expert)
Protects CUI against Advanced Persistent Threats (APTs). Builds on Level 2 with 24 selected requirements from NIST SP 800-172 and presupposes a current Level 2 C3PAO certification on the same scope. Triennial government-led assessments by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) are required. This level is reserved for the highest-priority programs.
How Petronella Technology Group Helps
As a Cyber AB Registered Provider Organization (RPO) with Registered Practitioners (RPs) on staff, PTG provides end-to-end CMMC preparation services from our Raleigh, NC headquarters, serving defense contractors across the Triangle and throughout North Carolina.
Gap Analysis
Comprehensive readiness assessment against all 110 NIST SP 800-171 controls to identify gaps before your formal C3PAO assessment.
Remediation
Hands-on implementation of policies, procedures, and technical controls to close compliance gaps and build your System Security Plan (SSP).
Secure Enclave
CMMC-ready virtual workspace environments that isolate CUI processing and reduce your assessment boundary scope.
Continuous Monitoring
Ongoing managed security and compliance monitoring to maintain your certification between assessment cycles.
CMMC 2.0 Security Domains
CMMC 2.0 Level 2 encompasses 14 security domains derived from NIST SP 800-171. PTG helps you implement controls across every domain:
- Access Control (AC): Limit system access to authorized users, processes, and devices.
- Awareness and Training (AT): Ensure personnel understand security responsibilities.
- Audit and Accountability (AU): Create, protect, and retain system audit records.
- Configuration Management (CM): Establish and maintain baseline configurations.
- Identification and Authentication (IA): Verify identities of users and devices.
- Incident Response (IR): Establish processes to detect, report, and respond to incidents.
- Maintenance (MA): Perform timely maintenance on organizational systems.
- Media Protection (MP): Protect and control system media containing CUI.
- Personnel Security (PS): Screen individuals prior to authorizing system access.
- Physical Protection (PE): Limit physical access to systems, equipment, and facilities.
- Risk Assessment (RA): Periodically assess organizational risk.
- Security Assessment (CA): Assess, monitor, and correct deficiencies.
- System and Communications Protection (SC): Monitor, control, and protect communications.
- System and Information Integrity (SI): Identify, report, and correct system flaws.
CMMC Implementation Timeline
The DoD is phasing CMMC requirements into contracts over a multi-year rollout:
- Phase 1 (from November 10, 2025): Level 1 and Level 2 self-assessment requirements appear in new solicitations; the DoD may require Level 2 C3PAO certification at its discretion.
- Phase 2 (from November 2026): Level 2 C3PAO certification becomes the default for applicable CUI contracts, with the DoD able to defer it to an option period.
- Phase 3 (from November 2027): Level 2 C3PAO certification also applies to option periods of existing contracts, and Level 3 DIBCAC assessments begin for the highest-priority programs.
- Phase 4 (from November 2028): CMMC requirements are included in all applicable DoD solicitations and contracts.
Organizations that wait until CMMC appears in their contract solicitation risk losing the contract entirely: the required status must be posted in SPRS at the time of award, and C3PAO assessment capacity is limited. PTG recommends beginning preparation at least 12 to 18 months before your anticipated assessment date.
SPRS Score and CMMC Readiness
Since November 30, 2020, when DFARS 252.204-7019 and 252.204-7020 took effect, DoD contractors subject to DFARS 252.204-7012 must have a current (no more than three years old) NIST SP 800-171 self-assessment score posted in the Supplier Performance Risk System (SPRS). The score starts at 110 and subtracts a weight of 1, 3, or 5 points for every requirement that is not implemented, so it ranges from -203 to 110; the weights come from the NIST SP 800-171 DoD Assessment Methodology and reflect how much each requirement contributes to protecting CUI.
PTG helps you conduct an accurate self-assessment, develop a realistic Plan of Action and Milestones (POA&M), and systematically close gaps to raise your SPRS score toward the maximum of 110 before your formal CMMC assessment.
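As an added worked example (not a PTG or DoD tool), the following Python implements the scoring arithmetic described above and the Level 2 POA&M eligibility floor discussed in the FAQ below: start at 110, subtract each unimplemented requirement's 1-, 3- or 5-point weight, apply the two partial-credit rules the Methodology defines (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography), and check whether the result could support a conditional certification. The WEIGHTS table is a constructed, illustrative subset of the 110 requirements; a real submission must use the full Annex A table of the NIST SP 800-171 DoD Assessment Methodology. The sample assessments at the bottom are constructed.

```python
"""SPRS score calculator for a NIST SP 800-171 self-assessment.

Added illustration, not a PTG or DoD tool.  Scoring follows the NIST SP
800-171 DoD Assessment Methodology: start at 110 and subtract each
requirement's weight (1, 3 or 5) when it is not implemented.  An open
POA&M item counts as not implemented.  Two requirements carry partial
credit: 3.5.3 (MFA) deducts 3 instead of 5 when MFA covers remote and
privileged users but not general users, and 3.13.11 deducts 3 instead of
5 when encryption is in place but is not FIPS-validated.

WEIGHTS is an illustrative subset of the 110 requirements; a real
submission must use the full table in Annex A of the Methodology.
"""

WEIGHTS = {
    "3.1.1": 5,    # AC: limit system access to authorized users
    "3.1.2": 5,    # AC: limit access to permitted transactions/functions
    "3.1.3": 1,    # AC: control the flow of CUI
    "3.1.5": 3,    # AC: least privilege
    "3.3.1": 5,    # AU: create and retain system audit logs
    "3.5.3": 5,    # IA: multifactor authentication
    "3.13.11": 5,  # SC: FIPS-validated cryptography for CUI
    "3.14.1": 5,   # SI: identify, report and correct flaws in a timely manner
}
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # deduction when partially met
MAX_SCORE = 110
POAM_MIN_SCORE = 88  # 80 % of 110: floor for CMMC Level 2 conditional status

IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED = "implemented", "partial", "not_implemented"


def sprs_score(status, weights=WEIGHTS):
    """Return (score, deductions) for a mapping of requirement -> status.

    Requirements missing from `status` are treated as not implemented,
    which is how an assessor treats an undocumented requirement.
    """
    deductions = {}
    for req, weight in weights.items():
        state = status.get(req, NOT_IMPLEMENTED)
        if state == IMPLEMENTED:
            continue
        if state == PARTIAL:
            if req not in PARTIAL_CREDIT:
                raise ValueError(f"{req} has no partial-credit rule; mark it not_implemented")
            deductions[req] = PARTIAL_CREDIT[req]
        elif state == NOT_IMPLEMENTED:
            deductions[req] = weight
        else:
            raise ValueError(f"unknown status {state!r} for {req}")
    return MAX_SCORE - sum(deductions.values()), deductions


def poam_eligible(score, deductions, weights=WEIGHTS):
    """CMMC Level 2 conditional-status check (32 CFR 170.21).

    The score must be at least 88 and no open item may be worth more than
    1 point, except 3.13.11 when partially implemented (encryption in use
    but not FIPS-validated).  The rule also names a few specific 1-point
    requirements that can never be deferred; check the current text of
    170.21 before relying on this helper for a real assessment.
    """
    if score < POAM_MIN_SCORE:
        return False
    for req, points in deductions.items():
        if weights[req] > 1 and not (req == "3.13.11" and points == 3):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: everything met except CUI flow control, MFA only
    # for remote/privileged users, and non-FIPS encryption in use.
    sample = {r: IMPLEMENTED for r in WEIGHTS}
    sample.update({"3.1.3": NOT_IMPLEMENTED, "3.5.3": PARTIAL, "3.13.11": PARTIAL})
    score, open_items = sprs_score(sample)
    print(f"SPRS score: {score}")                     # 103 for this subset
    for req, pts in open_items.items():
        print(f"  {req}: -{pts}")
    print("POA&M-eligible:", poam_eligible(score, open_items))  # False: 3.5.3 is a 5-point item
```

The second function is the one worth internalising: a score of 103 looks comfortable, yet the partially implemented MFA requirement alone blocks conditional certification, because only 1-point items (and the 3.13.11 exception) may sit on a POA&M. Remediation priority should therefore follow the weights and the deferral rules, not just the raw score.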
CMMC Frequently Asked Questions
What is the difference between CMMC 1.0 and CMMC 2.0?
CMMC 2.0 streamlined the original model from five levels to three, eliminated CMMC-unique practices and processes, and aligned directly with NIST SP 800-171 (Level 2) and NIST SP 800-172 (Level 3). It also allows self-assessment for Level 1 and some Level 2 programs, reducing cost and complexity for smaller contractors.
Who needs CMMC certification?
Any organization that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of a DoD contract will need the appropriate CMMC level. This includes prime contractors, subcontractors, and suppliers throughout the defense supply chain.
How long does it take to prepare for a CMMC assessment?
Preparation timelines vary depending on your current cybersecurity posture. Organizations starting from scratch should plan for 12 to 18 months of preparation. Those with existing NIST SP 800-171 implementations may need 6 to 12 months to close remaining gaps and prepare documentation.
What happens if I fail my CMMC assessment?
If your organization does not achieve the required CMMC level, it is not eligible for award of the contract requiring that level. You can remediate findings and schedule a reassessment, but this adds time and cost. At Level 2, CMMC 2.0 permits a conditional status with a Plan of Action and Milestones (POA&M) only when the assessment score is at least 88 of 110 and every open item is one the rule allows to be deferred (essentially 1-point requirements, with a narrow exception for 3.13.11 when encryption is in use but not FIPS-validated); all POA&M items must be closed and verified within 180 days or the conditional status lapses. Level 1 does not permit POA&Ms.
What is a C3PAO?
A CMMC Third-Party Assessment Organization (C3PAO) is an entity authorized and accredited by the Cyber AB (formerly the CMMC Accreditation Body) to conduct CMMC Level 2 certification assessments. C3PAOs employ Certified CMMC Assessors (CCAs) who evaluate your organization's implementation of all 110 NIST SP 800-171 requirements against the assessment objectives in NIST SP 800-171A.
Is PTG a C3PAO or an RPO?
Petronella Technology Group is a Cyber AB Registered Provider Organization (RPO) with CMMC Registered Practitioners (RPs) on staff. As an RPO, PTG helps organizations prepare for their CMMC assessment but does not conduct the formal assessment itself; Cyber AB conflict-of-interest rules prohibit the same organization from both consulting on and assessing a client's environment. This separation ensures objectivity in the assessment process.
How much does CMMC certification cost?
Costs depend on your organization's size, complexity, current cybersecurity maturity, and the CMMC level required. Preparation costs include gap analysis, remediation, policy development, technical implementations, and the formal C3PAO assessment fee. PTG provides tailored quotes based on your specific situation and scope.
Can I use a cloud environment to reduce my CMMC scope?
Yes. DFARS 252.204-7012 requires any cloud service that stores or processes CUI to meet the FedRAMP Moderate baseline or an equivalent, and placing CUI handling in such an environment can significantly reduce your assessment boundary. It does not eliminate it: the endpoints, accounts, and administrators that touch the enclave remain in scope, and the controls you inherit from the provider must be documented in your SSP and the provider's customer responsibility matrix. PTG offers CMMC-ready secure enclave solutions that isolate CUI handling from your broader corporate network, simplifying your path to certification.
Start Your CMMC Journey Today
PTG's CMMC Registered Practitioners are ready to assess your readiness and build your path to certification.
Schedule a Free Consultation | Call us: (919) 348-4912 | 5540 Centerview Dr., Suite 200, Raleigh, NC 27606
Why Choose Petronella Technology Group
Petronella Technology Group has been a trusted IT and cybersecurity partner for businesses across Raleigh, Durham, Chapel Hill, Cary, Apex, and the Research Triangle since 2002. Led by CEO Craig Petronella, a Licensed Digital Forensic Examiner, CMMC Certified Registered Practitioner, and MIT-certified professional in cybersecurity, AI, blockchain, and compliance, PTG brings deep expertise to every engagement.
With BBB accreditation since 2003 and more than 2,500 businesses served, PTG has the experience and track record to deliver results. Craig Petronella is an Amazon number-one best-selling author of books including "How HIPAA Can Crush Your Medical Practice," "How Hackers Can Crush Your Law Firm," and "The Ultimate Guide To CMMC." He has been featured on ABC, CBS, NBC, FOX, and WRAL, and serves as an expert witness for law firms in cybercrime and compliance cases.
PTG holds certifications including CCNA, MCNS, Microsoft Cloud Essentials, and specializes in CMMC 2.0, NIST 800-171/172/173, HIPAA, FTC Safeguards, SOC 2 Type II, PCI DSS, GDPR, CCPA, and ISO 27001 compliance. Our forensic specialties include endpoint and networking cybercrime investigation, data breach forensics, ransomware analysis, data exfiltration investigation, cryptocurrency and blockchain analysis, and SIM swap fraud investigation.
The PTG Compliance Process
Achieving and maintaining regulatory compliance requires a structured, repeatable process. PTG has developed a proven compliance methodology refined over more than two decades of helping businesses navigate complex regulatory requirements. Our process begins with a comprehensive gap assessment that evaluates your current policies, procedures, and technical controls against the specific requirements of your target framework. This assessment identifies exactly where your organization stands and what needs to be done to achieve compliance.
Following the gap assessment, PTG develops a prioritized remediation roadmap that outlines every action item needed to close identified gaps. We categorize items by risk level and effort required, allowing organizations to address the most critical deficiencies first while planning for longer-term improvements. Our consultants work alongside your team to implement technical controls, develop required policies and procedures, create employee training programs, and establish the documentation and evidence collection processes needed to demonstrate compliance during audits and assessments.
Compliance is not a one-time project but an ongoing commitment. Regulations evolve, threats change, and business environments shift. PTG provides continuous compliance monitoring services that track your compliance status in real time, alert you to emerging gaps, and ensure that your security controls remain effective. We conduct regular internal audits, update policies as regulations change, and prepare your organization for external audits or assessments. Our goal is to make compliance a natural part of your business operations rather than a periodic scramble to meet audit deadlines.
For organizations subject to multiple compliance frameworks, PTG takes a unified approach that maps overlapping requirements across frameworks. Rather than implementing separate programs for each regulation, we build a comprehensive security and compliance program that satisfies multiple requirements simultaneously. This integrated approach reduces costs, eliminates redundant processes, and provides a clearer picture of your overall security and compliance posture, making it easier to manage ongoing obligations and demonstrate compliance to auditors, clients, and business partners.
Our Approach to Cybersecurity
At Petronella Technology Group, cybersecurity is not just about installing antivirus software or setting up a firewall. We take a comprehensive, layered approach to security that addresses people, processes, and technology. Our methodology is built on industry-standard frameworks including NIST Cybersecurity Framework, CIS Controls, and MITRE ATT&CK, ensuring that your security program is aligned with the same standards used by Fortune 500 companies and government agencies. Every engagement begins with a thorough assessment of your current security posture, followed by a prioritized remediation roadmap that addresses your most critical risks first.
Our security operations team provides continuous monitoring through our Security Information and Event Management platform, which correlates events across your entire environment to detect threats in real time. When a potential threat is identified, our analysts investigate and respond immediately, often containing threats before they can cause damage. This proactive approach dramatically reduces the risk of successful cyberattacks and provides the rapid response capability that is essential in today's threat landscape.
We believe that employee awareness is one of the most important layers of defense. Human error remains the leading cause of data breaches, and no amount of technology can fully compensate for untrained employees. PTG provides comprehensive security awareness training programs that educate your team about phishing, social engineering, password security, data handling, and incident reporting. Our training programs include simulated phishing campaigns that test employee readiness and identify areas where additional education is needed, helping organizations build a strong security culture from the ground up.
Beyond prevention, PTG prepares organizations for the reality that breaches can occur despite the best defenses. Our incident response planning services help businesses develop, document, and test response procedures so that when an incident does occur, your team knows exactly what to do. From tabletop exercises to full incident simulations, we ensure that your organization is prepared to respond quickly and effectively, minimizing damage, preserving evidence, and meeting all regulatory notification requirements within required timeframes.