CMMC Data Protection for DoD Contractors

The DoD contractor's CUI problem

If your contract has DFARS 252.204-7012 in it, and as a DoD subcontractor you almost certainly do, you are obligated to provide adequate security for Controlled Unclassified Information that "is collected, developed, received, transmitted, used, or stored." That single sentence is where most contractors quietly fail their first assessment, because CUI moves through more systems than the program manager realizes.

Where CUI actually flows in a small-to-mid DoD shop:

• Inbound from the prime: drawings, statements of work, contract addenda, ITAR-flagged attachments, government furnished information arriving as email attachments to engineering@, contracts@, or a shared inbox.
• Internal collaboration: engineers passing CAD files, machinists annotating travelers, project managers updating program schedules, finance reconciling cost data tied to a covered defense article.
• Outbound to subcontractors: your own tier-3 suppliers, plating shops, heat treaters, specialty coating houses, who are now flowed down with the same DFARS clause.
• Shadow IT: engineers emailing CAD files to personal Gmail to work from home, mobile devices syncing to consumer cloud, the "old" laptop a recently-departed employee still has at their house.

Every one of those flow points is an assessor question. The fix is not a single product; it is an architecture decision (where does CUI live?), a control implementation (how is access enforced?), and a documentation trail (where is the evidence?). Petronella Technology Group, Inc. starts with the CUI flow diagram during Phase 1: before anyone signs an enclave license or migrates a mailbox, because the flow diagram drives the architecture, not the other way around.

And one more thing the brochures don't say plainly: GCC High alone is not always the right answer. Microsoft GCC High is the FedRAMP High lineage tenant required when CUI flows through Microsoft 365 services that handle covered data. It is excellent at what it does. But it is expensive, slow to provision, breaks many third-party connectors, and is overkill for the substantial number of DoD subs whose CUI footprint is small, bounded, and could be safely contained in a properly-scoped encrypted enclave with the rest of the business running on commercial Microsoft 365. The honest answer requires honest assessment of your specific data flows. That is what gap analysis is for.

The 3-pattern decision tree for CMMC data protection

Most CMMC consultants try to standardize the architecture so they can sell the same package repeatedly. Petronella Technology Group, Inc. publishes our decision tree openly because the right pattern is determined by your contract clauses, your CUI volume, and your existing M365 posture, not by which tier is most profitable for us.

Read the full 3-pattern decision tree, Power BI variant. The same architectural logic applies to the data protection stack as a whole.

Important: an encrypted enclave does not turn commercial Microsoft 365 into a CUI-capable platform on its own. It moves the CUI handling layer outside the commercial M365 services. The Petronella encrypted data and email system is the CUI vault in Pattern B; it complements GCC High in Pattern A as the third-party-exchange layer; and it is the secure transport layer alongside Pattern C. The pattern dictates the boundary, the enclave operates inside the chosen boundary.

How the Petronella stack anchors the 100+ of 110 control story

NIST 800-171 r3 has 110 controls grouped into 14 families. A CMMC Level 2 assessment grades each one. Petronella Technology Group, Inc. does not claim that a single product checks all 110 boxes, no product does. The stack approach (encrypted data and email system + ComplianceArmor® + Petronella XDR + vCISO oversight) collectively addresses every control family because each layer was selected to complement the others.

The selected mapping below illustrates how the encrypted data and email system covers control families 3.1, 3.4, 3.5, 3.8, 3.13, and 3.14, the foundation of any CUI-handling architecture.

The remaining control families, 3.2 (Awareness and Training), 3.7 (Maintenance), 3.9 (Personnel Security), 3.10 (Physical Protection), 3.12 (Security Assessment), and 3.15 (System and Information Integrity governance), are operationalized through ComplianceArmor®-generated policies, our security awareness training program, and the Blake Rea vCISO program. The full mapping is documented in your engagement-specific SSP.

ComplianceArmor® generates the SSP, POA&M, and policies

The most expensive line item in a CMMC engagement, dollar for dollar, is documentation. The Department of Defense has publicly estimated the documentation work alone at approximately $150,000 per contractor when done from scratch. Most contractors stall in the documentation phase, not because they cannot do the work, but because writing 14 control-family policies, a System Security Plan that addresses 110 controls and 320 objectives, a Plan of Action and Milestones, a Customer Responsibility Matrix, network and CUI flow diagrams, and assessment-ready evidence files is a multi-month effort by a senior compliance practitioner.

ComplianceArmor® is Petronella's proprietary compliance documentation platform. It is a multi-framework system, CMMC, NIST 800-171, NIST 800-53, NIST CSF 2.0, SOC 2, HIPAA, PCI DSS, FTC Safeguards, and ISO 27001, designed to compress the documentation phase without compromising assessor defensibility. For a CMMC Level 2 engagement specifically, ComplianceArmor® generates:

• System Security Plan (SSP) covering all 110 NIST 800-171 r3 controls with the 320 objectives mapped, drafted from a guided intake against your specific enclave architecture, reviewed and signed by a Petronella CMMC-RP practitioner
• Plan of Action and Milestones (POA&M) with prioritized remediation, dates, owners, and evidence-collection targets
• 14 control-family policies matched to your actual environment (not boilerplate), Access Control, Audit and Accountability, Awareness and Training, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, System and Information Integrity
• Standard Operating Procedures for the operational tasks each policy implies
• Customer Responsibility Matrix (CRM) defining what Petronella, what the client, and what jointly-owned tasks each party is accountable for
• Network and CUI flow diagrams: auto-rendered from your environment data, kept current as your architecture evolves
• Boundary diagram showing the assessor-scoped CUI boundary and what is outside of scope
• Evidence trail: every assertion linked back to the artifact that proves it

The differentiator versus generic compliance accelerators: ComplianceArmor® is multi-framework. When a DoD subcontractor that is also a healthcare-adjacent supplier needs CMMC plus HIPAA, or when a publicly-traded prime needs CMMC plus SOC 2 Type II, the same platform handles both. One intake, one set of evidence, one renewal cycle. Per our own engineering directive, the platform uses LLM-assisted intake for the SSP narrative, questions, doc extraction, framework text citations, but never auto-generates compliance content that an assessor would have to take on faith. A CMMC-RP practitioner reviews and signs every artifact.

Explore ComplianceArmor® in detail

Petronella XDR for continuous CMMC monitoring

CMMC Level 2 is not a one-time certificate; it is a continuous control state that the assessor will return to verify. Audit logs, alert response time, incident handling evidence, and risk-treatment progress have to be demonstrably alive between assessments. Petronella XDR is our managed extended detection and response service, purpose-built for the audit-and-accountability burden a DoD contractor carries.

What Petronella XDR adds to the CMMC stack:

• 3.3 Audit and Accountability family coverage: log collection from endpoints, identity, the encrypted enclave, network gear, and cloud services; retention aligned with your SSP-documented policy; on-demand evidence packaging for assessor review
• 3.6 Incident Response family coverage: 24/7 detection, triage, and response playbooks with assessor-defensible documentation of every incident lifecycle
• 3.11 Risk Assessment family coverage: continuous threat telemetry feeding into the vCISO-owned risk register and annual risk assessment
• 3.14 System and Information Integrity family support: indicator monitoring, malicious code detection, security alert correlation
• Direct escalation to a Petronella Digital Forensic Examiner (License 604180-DFE) when an incident requires forensic preservation, attribution, or Kovel-style privileged work

The XDR is operated by Petronella Technology Group, Inc., same accountability line as the encrypted system, the documentation, and the vCISO program. When an assessor asks "show me your audit review evidence from Q3," you are not coordinating across three vendor portals. Read more about Petronella XDR.

vCISO oversight: Blake Rea leads engagements

Architecture, documentation, and monitoring are the technical layers. The governance layer is what keeps a CMMC program alive between assessments: and that is the role of the virtual Chief Information Security Officer. Without it, the SSP goes stale, the POA&M items don't close, the risk register is never opened, and the CMMC Level 2 attestation that took eight months to earn quietly erodes into something the next assessor will struggle to defend.

Blake Rea, CMMC-RP, is the Petronella Lead vCISO and Senior Compliance Practitioner. His role on a CMMC engagement covers:

• Governance and policy stewardship: the SSP, POA&M, and policy set stay current as the environment changes
• Quarterly executive risk briefings: the client's leadership team gets a non-technical risk view with clear remediation priorities
• Annual risk assessment ownership, risk register, treatment plan, and tracking against the documented risk appetite
• L2 control owner mapping: every NIST 800-171 r3 control has a named owner inside the client org and a documented review cadence
• Vendor and subcontractor flow-down review: DFARS 252.204-7012 flow-down obligations to your own tier-3 suppliers are tracked and documented
• Incident response readiness: tabletop exercises, runbook reviews, escalation contact validation
• C3PAO assessment preparation: coordination with the assessment body, evidence-package handoff, post-assessment remediation guidance

Craig Petronella serves as Executive Sponsor on vCISO engagements, the senior escalation point for client leadership on strategic risk decisions, with direct availability when matters cross the technical/strategic boundary. Blake owns day-to-day delivery; Craig stays at the founder-level relationship. Read more about the Petronella vCISO program.

How a Petronella CMMC engagement actually runs

No two CMMC engagements are identical because no two CUI footprints are identical. That said, the engagement structure has settled into a four-phase model that consistently delivers assessment-ready clients in four to eight months. Petronella Technology Group, Inc. publishes the structure openly so prospective clients can audit our process before they sign.

Ongoing after assessment: Petronella XDR continues, ComplianceArmor® stays current, and the Blake Rea vCISO program runs on a monthly cadence with quarterly executive risk briefings. The engagement converts from project-mode to managed-service mode after the C3PAO certificate is issued.

Payment terms. All Petronella fixed-fee milestones are paid 100% upfront at contract execution. No net-15. No mid-phase invoicing. Ongoing managed services (XDR, ComplianceArmor® subscription, vCISO retainer) are billed monthly or annually per the SOW.

The Petronella CMMC-RP bench

Petronella Technology Group, Inc. is one of a small number of Registered Provider Organizations whose entire compliance bench is CMMC-RP certified. Member #1449 with the Cyber AB. Four practitioners. Twenty-three years in business.

Meet the rest of the Petronella team