ComplianceArmor · CMMC Software

CMMC documentation that took weeks. Now ready in minutes.

A complete CMMC v2.0 documentation package — SSP, SPRS score, POA&M, 14 policies, 14 procedures, and 110 NIST 800-171 control narratives — scoped to your environment and formatted for DIBCAC and C3PAO.

Cyber AB Registered Practitioner Org | Four CMMC RPs on staff | Levels 1, 2 & 3 | 23+ Years
The old way
0
hours of senior compliance labor
The new way
Minutes
a complete, branded CMMC L2 package

That is what it takes a senior compliance team to author a CMMC Level 2 SSP from scratch — 110 NIST 800-171 control narratives, 14 policies, 14 matching procedures, the SPRS calculation, and the POA&M. ComplianceArmor produces the same package, scoped to your environment, in the time it takes to brief your team.

What an assessor expects to see

Every CMMC artifact in one package.

Branded. Editable. Yours forever. Formatted to DIBCAC and C3PAO expectations. No subscription, no platform lock-in, no DRM.

System Security Plan (SSP)

DIBCAC-formatted, with control narratives and asset inventory across all 110 NIST 800-171 controls.

SPRS Score Report

Calculated Supplier Performance Risk System score with a control-by-control breakdown of every deduction.

Plan of Action & Milestones

Official POA&M template with every gap, owner, target date, and remediation path documented.

14 Security Policies

One policy per NIST 800-171 control family (3.1 through 3.14), scoped and branded to your organization.

14 Operational Procedures

Step-by-step procedures with operator checklists matched to each policy. Ready for day-to-day execution.

Control-by-Control Gap Analysis

Every one of the 110 controls scored against your environment with remediation recommendations.

Evidence Checklist

Per-control list of artifacts a C3PAO will request: screenshots, logs, configs, training records, signatures.

CUI Boundary Documentation

Network architecture diagrams and CUI scope narrative so the assessor sees exactly what is in scope.

Control Mapping Matrix

Cross-framework CSV: every NIST 800-171 control mapped to CMMC L2/L3, NIST 800-53, NIST CSF, and ISO 27001.

Responsibility Matrix

Who owns what: platform, partner, MSP, and customer responsibilities mapped per control family.

Interview Prep Guide

The questions a C3PAO assessor asks per control family, with model answers tied to your SSP narratives.

Assessment Readiness Checklist

The day-of-assessment punch list: what to print, what to mock, who attends, who walks the assessor through.

Continuous Monitoring Plan

Cadence, tools, and reporting structure for ongoing CMMC posture across the three-year recertification window.

Folder Structure Script

Organizes your evidence repository to match the layout DIBCAC and C3PAO assessors expect to navigate.

Executive Summary

The board-ready, one-page version for primes, leadership, and the audit committee.

Output formats: PDF, editable Word, HTML, CSV, and ZIP. Branded with your logo. No platform lock-in.

CMMC v2.0 · ML1, ML2, ML3

Pick your maturity level. Get your package.

Three levels. Three productized packages. Fixed prices, fixed timelines, third-party assessment fees disclosed up front.

CMMC · Level 1

Foundational

From $6,997 flat

Self-assessment for FCI handlers. 17 FAR 52.204-21 controls.

  • 17 control narratives + SSP
  • Policies and procedures package
  • SPRS attestation prep
  • 21-day delivery
CMMC L1 is an annual self-assessment. No third-party assessor required.

Most popular

CMMC · Level 2

Advanced (CUI)

From $24,997 flat

For DoD CUI handlers. All 110 NIST 800-171 controls, C3PAO assessment-ready.

  • SSP + POA&M + SPRS score
  • 14 policies + 14 procedures
  • 110 control narratives
  • 60-75 day delivery
C3PAO assessment fee runs $30K-$50K and is engaged separately. Disclosed up front.

CMMC · Level 3

Expert (APT-resilient)

Custom scoped

High-priority CUI for the most sensitive DoD programs. NIST 800-172 enhancements.

  • L2 baseline + 24 NIST 800-172 controls
  • DIBCAC-led assessment readiness
  • Architecture and threat modeling
  • Custom timeline
DIBCAC assessment is government-led. Engagement scoped after a discovery call.

How a CMMC engagement runs

From scoping call to assessor handoff.

A predictable, productized engagement. Every step has a deliverable. Every deliverable has a sign-off.

1. Scoping & CUI boundary

We map your CUI flows, asset inventory, and assessment boundary in a 60-minute working session.

2. Gap analysis & SPRS

All 110 NIST 800-171 controls scored. SPRS calculated. POA&M drafted. Roadmap signed off.

3. Documentation build

SSP, 14 policies, 14 procedures, control narratives, evidence checklist, all branded and reviewed.

4. Assessor handoff

Interview prep, mock walkthrough, evidence repository organized. We hand the package to your C3PAO.

We did this 240 times by hand for our own DoD-supplier clients before we built ComplianceArmor. The platform produces the package. Our four CMMC Registered Practitioners review every line.
Craig Petronella, Founder & CEO, Petronella Technology Group, Inc.

Petronella Technology Group is a Cyber AB Registered Provider Organization (RPO) with four CMMC Registered Practitioners on staff — Craig Petronella, Blake Rea, Justin Summers, and Jonathan Wood. We have been writing CMMC and NIST 800-171 documentation since long before there was a platform.

Cyber AB Registered Practitioner Org | 4 CMMC RPs on staff | BBB A+ Since 2003 | Inc. 5000

The Audit-Ready Promise

If your C3PAO finds a doc gap, we fix it free.

Every ComplianceArmor CMMC engagement carries the Petronella Technology Group Audit-Ready Promise. If a C3PAO assessor identifies a gap in any artifact we produced, we fix it at no charge within 30 days. If a CMMC L2 assessment fails because of our documentation work, we refund 50% of our fee. The package is yours forever, in editable native formats, with no subscription and no DRM.

Important disclosure. Petronella Technology Group, Inc. is a Cyber AB Registered Provider Organization (RPO). The independent CMMC Level 2 assessment required for certification is performed by a Cyber AB Authorized C3PAO under a separate engagement, priced separately from this package. Only the Cyber AB and the U.S. Department of Defense issue CMMC certificates. Petronella Technology Group does not perform certified assessments and does not promise assessment outcomes.

Frequently asked

CMMC questions buyers ask before booking a demo.

What is the difference between DIBCAC and a C3PAO?

DIBCAC is the Defense Industrial Base Cybersecurity Assessment Center — a government team inside the DoD that performs assessments for the highest-tier programs and for CMMC Level 3. A C3PAO (Certified Third-Party Assessment Organization) is a private firm authorized by the Cyber AB to perform CMMC Level 2 assessments. Most defense contractors handling CUI engage a C3PAO for L2; only a small number of programs trigger a DIBCAC-led L3 assessment. Our documentation is formatted for both.

What is the difference between CMMC ML1, ML2, and ML3?

Level 1 (Foundational) covers Federal Contract Information (FCI) and requires the 17 controls from FAR 52.204-21. It is an annual self-assessment.

Level 2 (Advanced) covers Controlled Unclassified Information (CUI) and aligns to all 110 controls in NIST SP 800-171 Rev 2. Most programs require a triennial C3PAO assessment.

Level 3 (Expert) applies to the highest-priority CUI programs. It layers an additional 24 controls from NIST SP 800-172 on top of L2 and is assessed by DIBCAC.

How is the SPRS score calculated, and what number do I need?

SPRS (Supplier Performance Risk System) starts every contractor at 110. For each of the 110 NIST 800-171 controls not implemented, points are deducted — either 1, 3, or 5 points depending on the control's risk weight, so the score can range from −203 to +110. Many DoD primes now require an SPRS score above a stated threshold (often +88 or higher) before they will issue a subcontract. ComplianceArmor produces a SPRS score with a control-by-control breakdown of every deduction so you know exactly where to remediate first. Want a quick estimate of where you stand today? Run our free SPRS Score Calculator in 90 seconds.

Who actually needs CMMC?

Any organization in the Defense Industrial Base (DIB) supply chain that holds, processes, or transmits Federal Contract Information or Controlled Unclassified Information for the DoD. That includes prime contractors, subcontractors at any tier, manufacturers, R&D firms, IT and managed-service providers supporting DoD environments, and many professional services firms with DoD clients. CMMC requirements flow down through the entire supply chain via DFARS 252.204-7012 and the new DFARS 252.204-7021 clauses.

What is included in the CMMC documentation package?

For CMMC Level 2: a System Security Plan (SSP) with 110 control narratives, the SPRS score with deduction breakdown, the Plan of Action & Milestones (POA&M), 14 security policies, 14 operational procedures, gap analysis, evidence checklist, CUI boundary documentation, control mapping matrix, responsibility matrix, interview prep guide, assessment readiness checklist, continuous monitoring plan, folder structure script, and executive summary. Branded, editable, and delivered in PDF, Word, HTML, CSV, and ZIP. Yours forever.

How long does a CMMC engagement take?

The documentation package itself ships in minutes once your scope is signed off. Total engagement timelines: CMMC Level 1 in 21 days, CMMC Level 2 in 60 to 75 days, Level 3 scoped per engagement. Compare to four to eight weeks of senior staff time per artifact, or twelve to twenty-four weeks for a boutique consultancy doing it from scratch.

What does it cost, end to end?

CMMC Level 1 from $6,997 flat, 21-day delivery, no third-party assessor required.

CMMC Level 2 documentation package from $24,997 flat, 60-75 day delivery. The required C3PAO assessment fee runs $30K-$50K and is engaged separately — we disclose that on every pricing card so the total budget is transparent up front.

CMMC Level 3 is custom-scoped after a discovery call. DIBCAC-led assessment is government-administered.

How is this different from Drata, Vanta, or Hyperproof?

Those are self-serve SaaS dashboards where your team still writes the SSP, the POA&M, and the policies. ComplianceArmor is a done-for-you engagement run by a Cyber AB Registered Provider Organization. Petronella Technology Group writes the package for you, scoped to your CUI environment, reviewed by four CMMC Registered Practitioners. You get an outcome and a binder, not a dashboard. Read the side-by-side breakdown on the CMMC compliance guide or the ComplianceArmor hub.

Stop authoring the SSP. Start the CMMC assessment.

Schedule a 30-minute demo. We will scope your CMMC environment live, walk through the deliverables, and quote your engagement on the call.
