CMMC Compliance Services for Defense Contractors
Petronella Technology Group delivers end-to-end CMMC compliance services — gap assessments, System Security Plans, remediation engineering, and C3PAO assessment prep — for DoD contractors and subcontractors handling FCI and CUI. Led by Craig Petronella, a CMMC Registered Practitioner (CMMC-RP) and author of the CMMC 2.0 Certification Guide.
24+ Years in Cybersecurity · 2,500+ Businesses Protected · Zero Managed Program Breaches · BBB A+ Since 2003
Key Takeaways
- DoD's 48 CFR final rule activated CMMC in contract solicitations — noncompliance now costs contracts, not just points.
- Level 1 covers 17 practices (FCI); Level 2 covers all 110 NIST SP 800-171 controls (CUI); Level 3 adds 24 NIST SP 800-172 enhanced controls.
- PTG's ComplianceArmor platform automates roughly 70% of CMMC evidence and documentation — the step that bankrupts DIY efforts.
- Craig Petronella is a CMMC-RP, author of the CMMC 2.0 Certification Guide, and cybersecurity expert witness — real courtroom experience, not slide decks.
- Our 5-phase program delivers an audit-ready SSP, POA&M, and SPRS score in 12 to 24 weeks depending on environment complexity.
What Are CMMC Compliance Services?
CMMC compliance services are consulting, engineering, and documentation engagements that help defense contractors meet the Cybersecurity Maturity Model Certification (CMMC 2.0) requirements enforced by the Department of Defense. A complete program covers scoping, gap analysis, remediation, System Security Plan (SSP) authoring, POA&M management, SPRS score reporting, and C3PAO assessment readiness for Level 1, Level 2, or Level 3.
The DoD published the 48 CFR final rule in September 2025 that allows CMMC clauses in solicitations starting late 2025, with a phased rollout through 2028. Every prime and subcontractor handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must now demonstrate compliance to bid, win, and retain DoD business. The assessment type depends on the level: self-attestation for Level 1, third-party C3PAO assessment for Level 2 CUI work, and DIBCAC-led assessment for Level 3.
Petronella Technology Group was founded in April 2002 in Raleigh, North Carolina. Over 24+ years we have protected 2,500+ businesses, completed 340+ healthcare security audits, and held zero confirmed client breaches on our managed program. For defense contractors we combine that operational depth with CMMC-RP credentialing, a proprietary compliance automation platform (ComplianceArmor), and in-house digital forensics expertise — so you get a partner who both writes the plan and runs the controls.
CMMC Levels 1, 2, and 3 — What We Cover
The right CMMC level depends on what data your contract requires you to handle. We scope your environment first, then map your contract obligations to the precise control set you must meet.
Level 1: Foundational
Basic safeguarding of Federal Contract Information. Annual self-assessment with affirmation by a senior company official. Typical for subcontractors with FCI exposure but no CUI.
- Access control basics
- Authentication & identification
- Media protection fundamentals
- Physical access controls
- System & communications protection
Level 2: Advanced
Full NIST SP 800-171 Rev. 2 implementation. Required for any contractor handling Controlled Unclassified Information. C3PAO third-party assessment on a 3-year cycle with annual affirmations.
- All 14 NIST 800-171 control families
- SSP with 320+ implementation statements
- POA&M for in-progress controls
- SPRS score submitted to DoD
- C3PAO assessment evidence package
Level 3: Expert
Level 2 baseline plus 24 enhanced controls from NIST SP 800-172, targeting advanced persistent threats. Government-led DIBCAC assessment. Typical for critical defense programs and CUI designated for higher protection.
- Advanced threat hunting
- Enhanced incident response playbooks
- Deception & counter-reconnaissance
- Supply chain risk management
- APT-focused monitoring
Unsure which level applies? Share your contract language and we will map the DFARS 252.204-7012, 7019, 7020, and 7021 clauses to the right CMMC obligation. Read our in-depth CMMC Compliance Guide for a plain-language walkthrough, or use the free SPRS Score Calculator to benchmark where you are today.
How Our CMMC Compliance Services Work
Every engagement follows the same 5-phase program. It is built on patterns refined across dozens of defense contractor assessments and the 110 NIST 800-171 controls we have implemented in production, not slides.
Scoping & Gap Assessment
Map your data flows, identify FCI and CUI boundaries, and test every one of the 110 controls (plus 17 for Level 1) against current-state evidence.
Deliverable: Scoping Report + Gap Assessment
Remediation Plan & POA&M
Prioritize gaps by SPRS scoring weight, cost, and technical risk. Produce a phased POA&M with owners, costs, and target dates approved by leadership.
Deliverable: POA&M + Executive Summary
Engineering & Remediation
Our engineers deploy MFA, EDR, SIEM logging, boundary firewalls, FIPS-validated encryption, and enclave architectures — the technical controls that actually move your SPRS score.
Deliverable: Implemented Technical Controls
SSP, Policies & ComplianceArmor
ComplianceArmor generates your System Security Plan, 32+ required policies, and evidence library — then keeps them evergreen with continuous monitoring.
Deliverable: SSP + Policies + Evidence Library
C3PAO Prep & Post-Audit
Mock assessment, interview coaching, evidence walkthrough, and a live-fire tabletop incident response test. Post-certification we monitor controls to maintain your score year over year.
Deliverable: Audit-Ready Package
Need a CMMC gap assessment?
Book a 30-minute working session with a CMMC Registered Practitioner. We will review your contract language, scope your environment, and outline the fastest credible path to Level 2.
Schedule a Free CMMC Consultation
The 14 Control Families We Implement
Every Level 2 assessment audits against the 14 control families below. Our engineers have production implementations for each of them — not just policy templates. Where useful we link to PTG detail pages so your team can see what is involved.
Access Control (AC)
Least privilege, remote access routing, MFA enforcement, session lockouts, and connection limits for privileged accounts across Windows, macOS, Linux, and cloud identity providers.
Awareness & Training (AT)
Role-based security awareness plus insider threat training. Delivered through PTG security awareness training with simulated phishing campaigns.
Audit & Accountability (AU)
Authoritative time sources, log aggregation, tamper-resistant audit storage, and review cadence tracked in our SIEM and SOC workflow.
Configuration Management (CM)
Baseline configurations, change control boards, least functionality, and a deny-by-exception software policy pushed via endpoint management.
Identification & Authentication (IA)
Phishing-resistant MFA (FIDO2 where possible), password policy, unique identifiers for every person and process, credential lifecycle controls.
Incident Response (IR)
Documented playbooks, tabletop testing, and 24/7 SOC-backed response. Craig is a NC Licensed Digital Forensics Examiner (License #604180-DFE).
Maintenance (MA)
Controlled maintenance tools, sanitization of equipment, supervision of unscreened personnel, and MFA for all remote or vendor maintenance.
Media Protection (MP)
CUI media marking, access restrictions, encrypted removable media, sanitization before disposal, and portable device controls.
Personnel Security (PS)
Screening before access authorization, documented termination procedures, and evidence of CUI protection during role transitions.
Physical Protection (PE)
Facility access authorization lists, visitor escorts, monitored entry points, physical access logs, and alternate-site safeguards for remote workers.
Risk Assessment (RA)
Annual risk assessments, vulnerability scans with prioritized remediation, and threat intelligence tied into the SOC analyst workflow.
Security Assessment (CA)
Control assessment plans, independent testing, POA&M management, and continuous monitoring evidence that survives the C3PAO interview.
System & Communications (SC)
Boundary protection, network segmentation, FIPS 140-validated cryptography for CUI in transit and at rest, and VoIP/mobile code controls.
System & Information Integrity (SI)
Vulnerability remediation windows, malicious code protection, continuous monitoring via PTG Managed XDR, and real-time alert review.
CMMC Compliance Service Tiers
Flat-fee engagements for the assessment and remediation work, plus a monthly retainer for ComplianceArmor, SSP maintenance, and ongoing monitoring. No long-term contracts.
For subcontractors handling FCI only. Gap assessment, remediation plan, SSP lite, and annual self-assessment support.
- 17-practice gap assessment
- POA&M + remediation plan
- FCI-focused SSP
- ComplianceArmor Level 1 module (6 months)
- Annual self-attestation coaching
Full 110-control implementation for CUI handlers. Includes engineering, SSP authoring, POA&M, SPRS submission, and C3PAO prep.
- Full 110-control gap assessment
- Remediation engineering package
- SSP with 320+ statements
- POA&M + SPRS scoring
- ComplianceArmor continuous monitoring
- C3PAO mock assessment + interview coaching
Level 2 baseline plus 24 NIST 800-172 enhanced controls, threat hunting, deception tooling, and DIBCAC assessment readiness.
- All Level 2 Core deliverables
- 24 enhanced 800-172 controls
- Threat hunting + APT playbooks
- Supply chain risk program
- DIBCAC assessment support
- vCISO engagement included
ComplianceArmor retainer for Level 2 engagements typically runs $1,850–$4,500 per month depending on user count and scope. We publish ranges instead of hiding behind "contact us" pricing because defense contractors deserve to budget honestly. Your exact quote depends on headcount, enclave architecture, cloud footprint, legacy system count, and whether you already have foundational controls in place.
Why ComplianceArmor Cuts CMMC Cost and Time
Roughly 70% of CMMC effort is documentation, evidence, and continuous proof — not engineering. Generic consultants deliver a Word document once, then leave you to maintain it. ComplianceArmor is PTG's proprietary platform that keeps your CMMC artifacts alive.
- Automated SSP generation: ComplianceArmor assembles your SSP from control statements, network diagrams, and evidence uploads — and updates the document every time your environment changes.
- Evidence collection on rails: Screenshots, log exports, configuration dumps, and vendor attestations land in a structured evidence vault mapped to every 800-171 control.
- POA&M management: Tracks open items, assignments, target dates, and closure evidence. C3PAO-ready without a spreadsheet fire drill.
- Continuous monitoring: Integrates with Microsoft Defender, EDR, SIEM, and identity providers to pull control evidence automatically instead of quarterly screenshot hunts.
- Multi-framework support: One data model backs CMMC, HIPAA, SOC 2, PCI DSS, CCPA, and NIST CSF 2.0 — so your team does not repeat work when a new contract adds a framework.
Explore ComplianceArmor, the CMMC software module, and the SSP generator. As Craig Petronella details in the CMMC 2.0 Certification Guide, the difference between contractors who pass first-time and those who fail twice is almost always documentation discipline — which is exactly what the platform enforces.
PTG vs. Generic Consultant vs. DIY
Before you sign an engagement letter, read this side-by-side. Defense contractors routinely waste 6-12 months with consultants who deliver a beautiful SSP that cannot survive a C3PAO interview.
| Dimension | PTG CMMC Services | Generic Consultant | DIY In-House |
|---|---|---|---|
| CMMC Registered Practitioner on staff | Yes — Craig Petronella CMMC-RP | Sometimes — often contract | Rarely |
| Engineers who implement controls | In-house SOC + infra team | Hands you a runbook | Your IT team |
| Automated SSP + evidence | ComplianceArmor | Manual Word/Excel | Spreadsheets |
| 24/7 SOC + Managed XDR | Included | Separate vendor | DIY tooling |
| Digital forensics for incident response | NC Licensed DFE on staff | Third-party IR retainer | None |
| Typical time to audit-ready | 12–24 weeks | 20–36 weeks | 12–24 months |
| Cost predictability | Flat-fee + monthly retainer | T&M hourly billing | Hidden opportunity cost |
| Post-certification monitoring | Evergreen retainer | New engagement each year | Drift guaranteed |
| Books / published thought leadership | 15 books incl. CMMC 2.0 Guide | Marketing collateral | — |
| Track record | 24+ yrs · 2,500+ clients · zero breaches | Varies | Your record |
| MSP integration | Single team runs IT + CMMC | Two vendors to coordinate | Your stack |
| 30-day results promise | Measurable movement or first month free | No guarantees | — |
Defense Contractors We Serve
CMMC obligations touch more than aerospace primes. Any DoD supplier handling FCI or CUI must certify — and each industry has its own risk fingerprint.
Aerospace & Defense Primes
Level 2 or Level 3 obligations, CUI handling, export-controlled data (ITAR/EAR), and multi-tier subcontractor oversight.
Manufacturing & Machining
Precision parts suppliers, CNC shops, metal treatment houses — often first-time CMMC and still running legacy OT equipment. See PTG manufacturing.
Engineering & R&D Firms
Design contractors and specialty engineering shops. Heavy CAD, simulation, and shared-drive risk. See PTG engineering firms.
Research & Testing Labs
University-affiliated labs and contract research. DFARS 7012 plus federal grant obligations layered together.
Law Firms Serving DoD Clients
Outside counsel holding CUI on behalf of contractor clients. See PTG law firms for specialized CMMC + attorney-client privilege work.
Software & SaaS Vendors
Cloud providers and ISVs supplying DoD. FedRAMP-adjacent work, enclave architecture, and shared responsibility model documentation.
Four CMMC Pitfalls That Kill Timelines
Treating CMMC as a paperwork project
C3PAO assessors interview engineers and walk the environment. A pretty SSP with no matching evidence fails. Our program ties every control statement to an evidence record before the interview.
Missing the enclave decision
Trying to bring the entire corporate network into CMMC scope triples cost. We help you design CUI enclaves in Microsoft 365 GCC High, Azure Government, or on-prem — so the assessed boundary is as small as possible.
Skipping the mock assessment
Contractors who pass first-time almost always run a mock C3PAO assessment. Those who fail skip it to save time. Every PTG engagement includes a mock and an interview coaching round.
Letting the SSP go stale after certification
Your SPRS score requires annual affirmation. Environments drift. ComplianceArmor detects drift and refreshes the SSP in minutes instead of weeks so your affirmation is never a guess.
Not sure you need Level 2 yet?
Start with the free PTG SPRS Score Calculator. Benchmark your current state in under 10 minutes and see the exact gap to a passing CMMC Level 2 score.
Talk to a CMMC-RP
What Makes PTG Different for CMMC
- CMMC-RP credentialed leadership. Craig Petronella is a CMMC Registered Practitioner, author of the CMMC 2.0 Certification Guide and the Ultimate Guide to CMMC, and a published author with 15 titles on cybersecurity and compliance.
- 24+ years of operational security. PTG was founded in April 2002. We have protected 2,500+ businesses and completed 340+ healthcare security audits without a confirmed breach on our managed program.
- Digital forensics in-house. Craig holds NC DFE License #604180-DFE. If you experience an incident during your CMMC program, you are not rebuilding a vendor list — we already hold the credentials to investigate.
- ComplianceArmor platform. Most CMMC consultants do not have proprietary tooling. We built ours because we refused to let clients drift out of compliance six months after certification.
- Managed IT + cybersecurity + CMMC under one team. Single invoice, single point of accountability. No finger-pointing between your MSP, your MSSP, and your CMMC consultant.
- BBB A+ accredited since 2003. Twenty-three years of BBB accreditation is a durability signal no startup consultancy can match.
- Media and courtroom credibility. Craig has been featured on NBC, ABC, CBS, FOX, and WRAL as a cybersecurity expert, and regularly serves as a cybersecurity expert witness in federal and state matters.
- Local to the Mid-Atlantic defense corridor. Based in Raleigh, North Carolina, minutes from Research Triangle Park and within the Fort Liberty / Seymour Johnson AFB service region.
Serving Defense Contractors Across the Triangle and Nationwide
Headquartered in Raleigh, we serve the Research Triangle region plus defense contractors across North Carolina and the continental US. On-site support in the Triangle; remote and hybrid engagements nationwide.
Local to CMMC contractors near Fort Liberty, Seymour Johnson AFB, MCAS Cherry Point, and the broader Mid-Atlantic defense industrial base. Explore CMMC compliance in Raleigh, Durham, Fayetteville, or Charlotte.
CMMC Compliance Services FAQ
How long does a CMMC Level 2 engagement take?
For contractors with a well-documented environment, functional MFA, and an existing MDR or SIEM, 12 to 16 weeks is typical. Contractors starting from scratch, running legacy systems, or carving out a CUI enclave usually need 20 to 24 weeks. We publish a realistic timeline after the Phase 1 scoping session — before any engineering work begins.
What does CMMC Level 2 compliance actually cost?
Our Level 2 Core engagement runs $38,000–$85,000 for the assessment and remediation package depending on complexity, plus a $1,850–$4,500 monthly retainer for ComplianceArmor, SSP maintenance, and continuous monitoring. Add $8,000–$25,000 for the C3PAO third-party assessment fee itself, which is a separate cost paid to the authorized assessor. DIY equivalents run $150,000–$400,000 in internal engineering time and elapsed productivity.
Are you a C3PAO? Can you certify my company?
No. Under CMMC 2.0 the consultant who implements and the C3PAO who certifies must be separate parties. PTG is a Registered Practitioner Organization working alongside CMMC-AB accredited C3PAOs. We prepare you, run the mock assessment, and coordinate scheduling — the formal certification is delivered by the C3PAO. We have long-term working relationships with several and can recommend a C3PAO matched to your industry and location.
Can you work alongside our existing MSP or IT team?
Yes. We run co-managed engagements regularly through our co-managed IT program. PTG owns the CMMC program plan and the technical controls that matter for the assessment while your internal team or incumbent MSP continues day-to-day operations. We document the division of responsibility in the SSP so the C3PAO sees a clear line of accountability.
Do you help with GCC High migration?
Yes. Many contractors need to move CUI workloads to Microsoft 365 GCC High or Azure Government to simplify the CMMC boundary. We scope, plan, and execute the migration as part of Phase 3 engineering, and the resulting environment is documented in your SSP. See our CMMC vs. GCC High comparison for the decision framework.
What is the SPRS score and how do you improve it?
The Supplier Performance Risk System (SPRS) score is a -203 to +110 value submitted to DoD that reflects how many NIST 800-171 controls you have implemented. Prime contractors increasingly use SPRS scores as a bid qualification filter. Our Phase 1 gap assessment produces your current SPRS score, and Phase 2 and Phase 3 remediation move you toward +110. Most Level 2 clients end at +110 after our engagement. You can benchmark yourself right now with our free SPRS Score Calculator.
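The scoring described in the SPRS answer above, together with the weight-based gap prioritization of Phase 2, as an added Python example (not PTG's ComplianceArmor or SPRS Score Calculator code): it applies the DoD Assessment Methodology's 5/3/1-point deductions from a perfect 110 with a floor of -203, using a constructed weight subset rather than the published table; the partial-credit rule for 3.5.3 and 3.13.11 is my reading of the methodology and should be checked against the current version.

```python
from enum import Enum

MAX_SCORE = 110    # every one of the 110 NIST SP 800-171 controls implemented
MIN_SCORE = -203   # the published weights sum to 313, so 110 - 313 is the floor


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"              # only valid for the two controls below
    NOT_IMPLEMENTED = "not_implemented"


# Controls an assessor may score at a reduced 3-point deduction instead of the
# full 5: 3.5.3 (MFA for remote and privileged users but not general users)
# and 3.13.11 (encryption in place but not FIPS-validated).
# Assumption: confirm against the current methodology text.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# CONSTRUCTED weight table for illustration. The 5/3/1 scheme is real, but this
# subset and its assignments are not the published DoD table; a real run needs
# all 110 controls so that the maximum deduction totals 313.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1, "3.3.1": 5,
    "3.4.1": 5, "3.5.3": 5, "3.6.1": 5, "3.8.3": 5, "3.13.11": 5,
    "3.14.1": 5,
}


def deduction(control_id, status, weights):
    """Points lost for one control given its implementation status."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL:
        if control_id not in PARTIAL_CREDIT_DEDUCTION:
            raise ValueError(f"{control_id} does not allow partial credit")
        return PARTIAL_CREDIT_DEDUCTION[control_id]
    return weights[control_id]


def sprs_score(assessment, weights=SAMPLE_WEIGHTS):
    """110 minus the deductions for every control in `weights`, clamped at
    -203. A control with no recorded status counts as not implemented, which
    is how an assessor treats a control with no evidence."""
    lost = sum(deduction(cid, assessment.get(cid, Status.NOT_IMPLEMENTED), weights)
               for cid in weights)
    return max(MAX_SCORE - lost, MIN_SCORE)


def prioritize_gaps(assessment, weights=SAMPLE_WEIGHTS):
    """POA&M ordering by SPRS weight: open controls sorted by the points their
    closure would recover (largest first), ties broken by control id."""
    gaps = []
    for cid in weights:
        points = deduction(cid, assessment.get(cid, Status.NOT_IMPLEMENTED), weights)
        if points:
            gaps.append((cid, points))
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


if __name__ == "__main__":
    # Constructed gap-assessment result: MFA only for remote/privileged users,
    # no CUI flow control (3.1.3), no media sanitization (3.8.3), rest done.
    current = {cid: Status.IMPLEMENTED for cid in SAMPLE_WEIGHTS}
    current["3.5.3"] = Status.PARTIAL
    current["3.1.3"] = Status.NOT_IMPLEMENTED
    current["3.8.3"] = Status.NOT_IMPLEMENTED
    print("SPRS score:", sprs_score(current))        # 110 - 3 - 1 - 5 = 101
    for cid, pts in prioritize_gaps(current):
        print(f"  remediate {cid}: +{pts}")
```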
What happens after we are certified?
CMMC certification lasts three years but requires annual affirmation by a senior company official. Environments drift, contracts change, and CUI moves. Our monthly retainer keeps ComplianceArmor evidence current, the SSP refreshed, and the POA&M moving so the annual affirmation is backed by real evidence instead of guesswork. We also run a tabletop exercise and an SSP refresh in the 60 days before each annual affirmation.
We are a small subcontractor — is CMMC really required?
If your prime handles CUI and you touch any of that CUI, yes, Level 2 likely applies. If you only handle FCI, Level 1 self-attestation is the floor. Even 5-person subcontractors are now being dropped from bid lists for failing CMMC flow-down clauses. We have successfully certified small teams — the key is enclave design so the scope stays small and the cost stays proportional.
Ready to start your CMMC program?
Book a free 30-minute consultation with Craig Petronella or a senior member of our CMMC team. We will review your DFARS clauses, scope your environment, and outline the fastest credible path to certification.
Schedule Your Free CMMC Consultation Or Call 919-348-4912