IT Services for Defense Contractors
CMMC-ready cybersecurity, NIST 800-171 implementation, and CUI protection that keeps your contracts safe and your company compliant.
Why Defense Contractors Need Specialized IT Services
If your company handles Department of Defense (DoD) contracts, you face cybersecurity and compliance requirements that generic IT providers simply cannot address. The Cybersecurity Maturity Model Certification (CMMC 2.0) program, DFARS clause 252.204-7012, and NIST Special Publication 800-171 collectively define how every defense contractor must protect Controlled Unclassified Information (CUI). Falling short does not just mean a failed audit. It means lost contracts, suspended bidding privileges, and potential False Claims Act liability.
The stakes are higher than ever. The DoD has made clear that CMMC assessments are being phased into contract requirements starting in 2025, with full implementation expected by 2028. Prime contractors are already flowing CMMC requirements down to subcontractors, meaning even small companies in the Defense Industrial Base (DIB) must meet these standards or risk being cut from supply chains. At the same time, DFARS 252.204-7012 requires defense contractors to report cyber incidents within 72 hours and maintain adequate security controls for CUI, creating ongoing operational obligations beyond a one-time certification.
The International Traffic in Arms Regulations (ITAR) add another layer of complexity for contractors who handle defense articles, technical data, or defense services. ITAR violations carry severe penalties, including criminal prosecution, and require strict access controls that limit who can view or interact with controlled data. Many standard IT environments were never built to handle these requirements.
Petronella Technology Group provides managed IT services and cybersecurity solutions built specifically for the defense contracting community. We understand the regulations, the assessment processes, and the technical controls required, because we work with DIB companies every day. Our team helps you build and maintain the infrastructure, policies, and documentation you need to win and keep DoD contracts.
CMMC 2.0 Certification Levels Explained
The Cybersecurity Maturity Model Certification 2.0 streamlined the original five-level framework into three levels. Each level builds on the previous one, and the level your company needs depends on the type of information you handle and the contracts you pursue. Understanding these levels is the first step toward compliance.
| Attribute | Level 1: Foundational | Level 2: Advanced | Level 3: Expert |
|---|---|---|---|
| Practices | 17 practices | 110 practices | 110+ practices (NIST SP 800-172) |
| Based On | FAR 52.204-21 (Basic Safeguarding) | NIST SP 800-171 Rev 2 | NIST SP 800-171 + NIST SP 800-172 |
| Information Type | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) | CUI (high-value assets, critical programs) |
| Assessment | Annual self-assessment | Triennial C3PAO assessment | Government-led (DIBCAC) assessment |
| Affirmation | Annual senior official affirmation | Annual senior official affirmation | Annual senior official affirmation |
| POA&M Allowed | Limited (180-day closeout) | Yes, with conditions (180-day closeout) | Very limited |
| Typical Applicability | All DoD contractors | Contractors handling CUI | Contractors on highest-priority programs |
Level 1: Foundational
Level 1 applies to every company that processes, stores, or transmits Federal Contract Information (FCI). The 17 required practices cover basic cyber hygiene, including antivirus software, access controls, physical security, and media protection. Contractors perform an annual self-assessment and submit their score to the Supplier Performance Risk System (SPRS). While Level 1 is the most accessible tier, failing to meet even these basic requirements disqualifies you from DoD contracting.
Level 2: Advanced
Level 2 is where most defense contractors handling CUI need to be. It requires full implementation of all 110 security controls in NIST SP 800-171 Revision 2 across 14 control families. For contracts involving CUI critical to national security, an accredited CMMC Third-Party Assessment Organization (C3PAO) conducts the evaluation. Some Level 2 contracts allow self-assessment, but the trend is clearly moving toward third-party verification. The assessment evaluates not just whether controls exist but whether they are effectively implemented and documented in your System Security Plan (SSP).
Level 3: Expert
Level 3 targets contractors working on the most sensitive DoD programs. It requires all NIST 800-171 controls plus additional enhanced security measures from NIST SP 800-172, designed to counter Advanced Persistent Threats (APTs). Assessment is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a government entity. Very few contractors need Level 3, but those who do face the most rigorous evaluation process in the CMMC framework.
Not Sure Which CMMC Level You Need?
Our team will review your contracts, identify your CUI scope, and map your path to the right certification level.
Request a Free CMMC Scoping Call | Call 919-348-4912
CUI Handling Requirements for Defense Contractors
Controlled Unclassified Information is government-created or government-possessed information that requires safeguarding, even though it is not classified. For defense contractors, CUI handling is at the core of CMMC and DFARS compliance. Mishandling CUI is one of the fastest ways to lose a contract, face an investigation, or trigger mandatory incident reporting under DFARS 252.204-7012.
What Is CUI?
CUI encompasses a broad range of sensitive but unclassified information. The National Archives and Records Administration (NARA) maintains the CUI Registry, which organizes CUI into categories and subcategories. Defense contractors most commonly encounter these CUI categories:
- Controlled Technical Information (CTI) — Technical data with military or space application subject to distribution controls
- Export Controlled — Information subject to ITAR or Export Administration Regulations (EAR)
- Naval Nuclear Propulsion Information (NNPI) — Information related to naval nuclear propulsion systems
- Critical Infrastructure — Information about systems vital to national security
- Proprietary Business Information — Source selection, bid and proposal data, contractor financials
- Intelligence — Information related to intelligence activities and sources
CUI Marking Requirements
All CUI must be properly marked when created, stored, or transmitted. Markings include the CUI designation indicator, the specific CUI category, the dissemination control, and the authorizing authority. Unmarked CUI is a common audit finding that signals weak information governance and can result in non-compliance determinations during CMMC assessments.
Storage and Transmission
CUI must be stored in environments that implement all applicable NIST 800-171 controls. This means encrypted storage at rest using FIPS 140-2 validated cryptographic modules, access controls limiting CUI to authorized personnel, audit logging of all access events, and physical security measures for systems that store CUI. Transmission of CUI must use FIPS-validated encryption, which in practice means TLS 1.2 or higher for data in transit and encrypted email solutions for CUI shared externally.
Incident Reporting: The 72-Hour DFARS Requirement
DFARS clause 252.204-7012 mandates that defense contractors report cyber incidents involving CUI to the DoD within 72 hours of discovery. This is not 72 business hours; it is 72 calendar hours, including weekends and holidays. Contractors must report through the Defense Industrial Base Cybersecurity portal (dibnet.dod.mil), preserve images of all known affected systems for at least 90 days, and provide access to additional information or equipment if requested by the DoD Cyber Crime Center (DC3). Having an incident response plan in place before an incident occurs is not optional; it is a contractual requirement.
Our IT Services for Defense Contractors
We deliver a complete suite of services designed to meet the specific requirements of CMMC, NIST 800-171, and DFARS compliance. Every service is built to address real assessment requirements, not generic security checklists.
CMMC Gap Assessment & Remediation
We evaluate your current security posture against all 110 NIST 800-171 controls, identify gaps, score your readiness, and build a prioritized remediation plan that addresses the most critical deficiencies first. Our assessments mirror the C3PAO methodology so there are no surprises during your official evaluation.
NIST 800-171 Implementation
Full implementation of all 14 control families, from Access Control and Audit & Accountability through System & Information Integrity. We deploy the technical controls, write the policies and procedures, and create your System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
CUI Enclave Design
We architect isolated CUI processing environments that limit your compliance scope. By segregating CUI systems from your general business network, we reduce the number of systems subject to NIST 800-171 controls, lowering both implementation cost and assessment complexity.
Security Monitoring & Logging (SIEM)
Continuous monitoring is a NIST 800-171 requirement, not an option. We deploy and manage Security Information and Event Management (SIEM) solutions that collect, correlate, and alert on security events across your CUI environment, meeting the Audit & Accountability control family requirements.
Access Control & Identity Management
We implement role-based access controls, multi-factor authentication, privileged access management, and account lifecycle procedures. These controls span multiple NIST 800-171 families and are among the most scrutinized during C3PAO assessments.
Encrypted Communications
All CUI in transit must be protected with FIPS 140-2 validated encryption. We configure VPNs, encrypted email, secure file transfer solutions, and TLS enforcement across your environment to meet System & Communications Protection requirements.
Backup & Disaster Recovery for CUI
CUI backup and recovery systems must meet the same security standards as production systems. We design backup and disaster recovery architectures that protect CUI availability while maintaining encryption, access controls, and audit trails on backup data.
POA&M Management
Not every control gap requires immediate remediation. We help you build and manage Plans of Action & Milestones that document known deficiencies, set realistic remediation timelines within the 180-day CMMC window, and track progress toward full compliance.
Building CMMC-Ready Infrastructure
Meeting CMMC requirements is not just about policies and documentation. The underlying IT infrastructure must support every technical control. Here is what a compliant defense contractor environment looks like.
CUI Enclave Architecture
A CUI enclave is a segmented network environment where all CUI processing, storage, and transmission occurs. By isolating CUI from your general business network, you reduce the scope of your CMMC assessment and limit the systems that require full NIST 800-171 control implementation. Enclave design includes dedicated servers, network segmentation via VLANs and firewalls, separate directory services, and controlled entry and exit points for data.
FedRAMP Cloud: Microsoft GCC High
Standard commercial cloud services, including regular Microsoft 365, are not authorized for CUI processing. Defense contractors need FedRAMP Moderate or High authorized cloud environments. Microsoft 365 GCC High is the most common solution, providing Exchange Online, SharePoint, OneDrive, and Teams in a cloud environment that meets DFARS and ITAR requirements. We handle the migration, configuration, and ongoing management of GCC High tenants.
FIPS 140-2 Encryption
NIST 800-171 requires FIPS-validated cryptographic modules for protecting CUI. This affects operating system configurations, VPN solutions, disk encryption, email encryption, and database encryption. We configure Windows FIPS mode, deploy FIPS-validated VPN appliances, and verify that all cryptographic implementations use validated modules, not just algorithms that happen to match FIPS specifications.
Multi-Factor Authentication Everywhere
MFA is required for all network access, remote access, and privileged account access under NIST 800-171. We implement MFA across every authentication point, including workstation logins, VPN connections, cloud services, and administrative consoles. Our MFA deployments use phishing-resistant methods, including hardware security keys and certificate-based authentication, that exceed basic SMS-based verification.
Comprehensive Audit Logging
The Audit & Accountability control family requires logging of all CUI access, authentication events, system changes, and security-relevant activities. Logs must be protected from unauthorized modification, retained for defined periods, and regularly reviewed. We deploy centralized log collection, tamper-evident storage, automated alerting, and scheduled log reviews that satisfy both the technical and procedural requirements.
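One way to make stored logs tamper-evident, shown here as an added illustration rather than code from Petronella Technology Group or any particular SIEM product: every record carries an HMAC over its own content and the previous record's tag, so an edit, deletion or reordering after the fact breaks the chain when the log is reviewed. The signing key and the three CUI-access events are constructed sample data. A chain alone does not detect truncation of the newest records, so the block also shows anchoring the latest tag out of band, which is the piece a scheduled log review would check.

```python
"""Hash-chained audit log with tamper detection (added example; constructed data)."""
import hashlib
import hmac
import json

# Constructed demo key. In production the key lives in a store that log
# writers cannot read back, and it is rotated on a schedule.
LOG_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # tag that the first record links to


def canonical(record: dict) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, event: dict, key: bytes = LOG_KEY) -> dict:
    """Append one event, binding it to the previous record via its tag."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    record = {"seq": len(chain), "ts": event["ts"], "event": event, "prev": prev_tag}
    record["tag"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes = LOG_KEY) -> tuple:
    """Return (ok, index_of_first_bad_record); -1 when the chain is intact.

    Catches edited content, a broken link to the previous record and
    out-of-order sequence numbers. It cannot catch removal of the newest
    records; see anchor_matches() for that.
    """
    prev_tag = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev_tag:
            return False, i
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record.get("tag", "")):
            return False, i
        prev_tag = record["tag"]
    return True, -1


def anchor_matches(chain: list, anchor: str) -> bool:
    """Compare the newest tag with a copy stored elsewhere (e.g. written down
    at the last scheduled review); a mismatch means records were dropped."""
    return bool(chain) and hmac.compare_digest(chain[-1]["tag"], anchor)


# Constructed sample events: a CUI file read and a group change.
SAMPLE_EVENTS = [
    {"ts": "2025-01-06T13:02:11Z", "user": "jdoe", "action": "login",
     "result": "success", "src": "10.10.5.23"},
    {"ts": "2025-01-06T13:05:40Z", "user": "jdoe", "action": "file_read",
     "object": "/cui/proj-42/drawing.pdf"},
    {"ts": "2025-01-06T13:09:02Z", "user": "admin", "action": "group_change",
     "detail": "added jdoe to CUI-Readers"},
]


def build_sample_chain() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain


def demo_tamper_detection() -> dict:
    """A clean chain verifies; an edited or thinned-out copy does not."""
    chain = build_sample_chain()
    clean_ok, _ = verify_chain(chain)

    edited = json.loads(json.dumps(chain))  # deep copy
    edited[1]["event"]["object"] = "/cui/proj-42/readme.txt"  # history rewritten
    edit_ok, edit_idx = verify_chain(edited)

    thinned = json.loads(json.dumps(chain))
    del thinned[1]  # middle record removed; seq and prev links break there
    del_ok, del_idx = verify_chain(thinned)

    return {"clean": clean_ok, "edited": edit_ok, "edit_index": edit_idx,
            "deleted": del_ok, "delete_index": del_idx}


if __name__ == "__main__":
    print(demo_tamper_detection())
```

Run as-is, the script reports that the untouched chain verifies while both the edited copy and the copy with a record removed fail at index 1. The anchor check is what closes the remaining gap: record the newest tag somewhere the log writer cannot reach at each review, and compare it at the next one.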
Your Current IT Infrastructure May Not Pass a CMMC Assessment
Let us evaluate your environment against NIST 800-171 controls and identify what needs to change before your C3PAO assessment.
Schedule an Infrastructure Review | Call 919-348-4912
Our 5-Step Path to CMMC Readiness
Preparing for a CMMC assessment is a structured process, not a last-minute scramble. Our roadmap takes you from current state to assessment-ready, with clear milestones at every stage.
Gap Assessment
We conduct a thorough evaluation of your current security posture against all applicable NIST 800-171 controls. This includes technical testing, policy review, interviews with key personnel, and a detailed gap analysis report. You receive a preliminary SPRS score and a clear picture of where you stand.
SSP Development
We create your System Security Plan, the foundational document that describes your CUI environment, security boundaries, information flows, and how each NIST 800-171 control is implemented. The SSP is the primary document C3PAO assessors review, and it must accurately reflect your actual environment.
Technical Implementation
With gaps identified and the SSP drafted, we implement the technical controls: configuring systems, deploying security tools, segmenting networks, enabling encryption, setting up logging and monitoring, and hardening endpoints. Every change is documented and mapped to specific NIST 800-171 control requirements.
POA&M Remediation
For controls that cannot be immediately implemented, we create a Plan of Action & Milestones with specific remediation tasks, responsible parties, resource requirements, and completion dates. CMMC allows POA&Ms for certain findings, but they must be closed within 180 days of the assessment, and not all control gaps qualify for POA&M treatment.
Assessment Preparation
Before your C3PAO arrives, we conduct a pre-assessment readiness review that mirrors the official process. We verify every control, test evidence collection procedures, prepare your team for assessor interviews, and identify any last-minute issues. You walk into your CMMC assessment confident and prepared.
Understanding Your SPRS Score
The Supplier Performance Risk System (SPRS) score is a numerical representation of your NIST 800-171 compliance posture. Every defense contractor handling CUI must calculate and submit an SPRS score, and prime contractors can view your score when evaluating subcontractors. A low SPRS score can cost you contract opportunities before you even submit a bid.
How the SPRS Score Works
The SPRS scoring methodology assigns a weight of 1, 3, or 5 points to each of the 110 NIST 800-171 controls based on its security significance. A perfect score is 110, meaning all controls are fully implemented. For each unimplemented control, the corresponding point value is subtracted. The minimum possible score is -203, indicating that no controls are implemented. Scores must be submitted to the SPRS portal along with the date of the assessment and a description of your System Security Plan scope.
Use our free SPRS Score Calculator (https://petronellatech.com/tools/sprs-calculator/) to estimate where your organization currently stands. The calculator walks through each control family and provides a preliminary score you can use for planning purposes.
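The scoring arithmetic above, worked through in code as an added example (not Petronella Technology Group's calculator). The 14 control families and their control counts follow NIST SP 800-171 Rev 2, which gives the 110 control IDs 3.1.1 through 3.14.7; the per-control weights, however, are constructed placeholders so the block runs stand-alone, and the five "open" controls are a constructed sample assessment. Substitute the DoD Assessment Methodology's published weights to get a real score and the real -203 floor. Beyond the score itself, the block orders the open controls by points recovered, which is the prioritization a remediation plan is built on.

```python
"""SPRS-style scoring over a NIST SP 800-171 control table (added example)."""
from collections import defaultdict

PERFECT_SCORE = 110
VALID_WEIGHTS = {1, 3, 5}

# (family index, family name, number of controls) per NIST SP 800-171 Rev 2.
FAMILIES = [
    (1, "Access Control", 22), (2, "Awareness & Training", 3),
    (3, "Audit & Accountability", 9), (4, "Configuration Management", 9),
    (5, "Identification & Authentication", 11), (6, "Incident Response", 3),
    (7, "Maintenance", 6), (8, "Media Protection", 9),
    (9, "Personnel Security", 2), (10, "Physical Protection", 6),
    (11, "Risk Assessment", 3), (12, "Security Assessment", 4),
    (13, "System & Communications Protection", 16),
    (14, "System & Information Integrity", 7),
]


def placeholder_weight(n: int) -> int:
    """CONSTRUCTED weighting by position within the family; not the DoD values."""
    return 5 if n <= 3 else 3 if n <= 6 else 1


def build_control_table() -> dict:
    """Map control id -> (family name, weight) for all 110 controls."""
    table = {}
    for idx, name, count in FAMILIES:
        for n in range(1, count + 1):
            table[f"3.{idx}.{n}"] = (name, placeholder_weight(n))
    return table


def validate_table(table: dict) -> None:
    """Reject tables that could not produce a meaningful SPRS score."""
    if len(table) != PERFECT_SCORE:
        raise ValueError(f"expected {PERFECT_SCORE} controls, got {len(table)}")
    bad = [c for c, (_, w) in table.items() if w not in VALID_WEIGHTS]
    if bad:
        raise ValueError(f"weights must be 1, 3 or 5: {bad}")


def sprs_score(table: dict, not_implemented: set) -> int:
    """110 minus the weight of every control marked not implemented."""
    validate_table(table)
    unknown = set(not_implemented) - set(table)
    if unknown:
        raise KeyError(f"unknown control ids: {sorted(unknown)}")
    return PERFECT_SCORE - sum(table[c][1] for c in not_implemented)


def floor_score(table: dict) -> int:
    """Score when nothing is implemented (-203 with the real DoD weights)."""
    return PERFECT_SCORE - sum(w for _, w in table.values())


def control_sort_key(control_id: str) -> tuple:
    return tuple(int(p) for p in control_id.split("."))


def remediation_priority(table: dict, not_implemented: set) -> list:
    """Open controls, highest weight first: the order that recovers the most
    points per control closed."""
    return sorted(not_implemented, key=lambda c: (-table[c][1], control_sort_key(c)))


def deductions_by_family(table: dict, not_implemented: set) -> dict:
    """Points lost per control family, largest first."""
    lost = defaultdict(int)
    for c in not_implemented:
        name, w = table[c]
        lost[name] += w
    return dict(sorted(lost.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed sample assessment: five controls still open.
SAMPLE_OPEN = {"3.1.22", "3.3.1", "3.5.3", "3.8.9", "3.13.11"}

if __name__ == "__main__":
    t = build_control_table()
    print("score:", sprs_score(t, SAMPLE_OPEN))
    print("fix first:", remediation_priority(t, SAMPLE_OPEN))
    print("by family:", deductions_by_family(t, SAMPLE_OPEN))
```

With the placeholder weights the sample assessment scores 97, and the two 5-point gaps surface first in the remediation order; swapping in the published weights changes the numbers but not the method.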
Who Our Defense Contractor IT Services Are For
Whether you are a prime contractor bidding on multi-billion-dollar programs or a small machine shop making components for a defense supply chain, CMMC and DFARS compliance requirements apply to you. Our services scale to fit organizations of every size in the Defense Industrial Base. We work with companies across the Raleigh-Durham area and nationwide, including those in the manufacturing sector that serve defense supply chains.
- Prime Contractors — Large defense firms managing CUI across multiple programs and flowing requirements down to subcontractors
- Subcontractors & Suppliers — Companies at any tier of the defense supply chain that receive CUI from primes or the DoD
- Small DIB Companies — Businesses with 10 to 200 employees that lack dedicated compliance staff but still need to meet CMMC requirements
- Defense Manufacturers — Machine shops, electronics manufacturers, and fabrication companies producing components under DoD contracts
- Defense IT Companies — Software developers, managed service providers, and technology firms building or maintaining DoD systems
- Cleared Facilities — Organizations holding facility clearances (FCLs) that need IT environments meeting both classified and unclassified handling requirements
If you are not sure whether your company needs CMMC certification or which level applies, contact us for a no-obligation scoping conversation. We will review your current and target contracts and advise you on exactly what is required.
Why Defense Contractors Choose Petronella Technology Group
CMMC Registered Practitioner Organization
We are a CMMC Registered Practitioner Organization (RPO) with personnel trained and authorized by the Cyber AB to advise on CMMC readiness. This is not a generic cybersecurity consultancy; we specialize in the defense contracting compliance space.
23+ Years in Cybersecurity
Since 2003, we have helped businesses of all sizes build and maintain secure IT environments. Our depth of experience means we have seen what works, what fails assessments, and how to build systems that stay compliant over time, not just on assessment day.
Complete Compliance Stack
We do not just consult. We implement. From CMMC documentation and policy writing to firewall configuration, SIEM deployment, and endpoint hardening, we deliver the full technical and administrative stack required for compliance.
Ongoing Managed Support
Compliance is not a one-time event. We provide ongoing managed IT services that maintain your security posture between assessments, including continuous monitoring, patching, vulnerability management, and annual SSP updates.
Key Regulations Every Defense Contractor Must Know
Defense contractor compliance is not a single regulation. It is a web of interconnected requirements that collectively define how you must protect information, report incidents, and demonstrate security maturity. Here are the regulations that most directly affect your IT operations.
DFARS 252.204-7012: Safeguarding Covered Defense Information
This is the foundational DFARS clause that requires defense contractors to implement NIST 800-171 controls for CUI, report cyber incidents within 72 hours, and include the clause in subcontracts. It has been in effect since 2017, and compliance is already a contractual obligation, not a future requirement.
DFARS 252.204-7019 & 7020: NIST Assessment and Examination
These clauses require contractors to conduct a NIST 800-171 self-assessment, submit the resulting SPRS score, and provide the government access to facilities and systems for verification. Without a current SPRS score on file, you cannot receive new DoD contract awards containing these clauses.
DFARS 252.204-7021: CMMC Requirements
This clause integrates CMMC certification requirements directly into DoD contracts. When this clause appears in a solicitation, the contractor must hold the specified CMMC level at time of award and maintain it throughout contract performance.
NIST SP 800-171: Protecting CUI in Nonfederal Systems
The 110-control framework that defines how contractors must protect CUI. It covers 14 control families: Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System & Information Integrity.
ITAR: International Traffic in Arms Regulations
Administered by the State Department, ITAR controls the export of defense articles, services, and technical data. For IT, this means restricting access to ITAR-controlled data to U.S. persons only, implementing geographic access controls on cloud environments, and maintaining strict access logging. Violations carry penalties up to $1 million per violation and criminal prosecution.
Frequently Asked Questions
What is CMMC 2.0, and does my company need it?
CMMC 2.0 (Cybersecurity Maturity Model Certification) is a DoD program that verifies defense contractors meet specific cybersecurity standards before receiving contract awards. If your company handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under DoD contracts, you will need CMMC certification. The level required depends on the sensitivity of the information you handle. Visit our CMMC compliance page for a detailed breakdown.
How long does it take to prepare for a CMMC Level 2 assessment?
Most organizations need 6 to 18 months to prepare for a Level 2 assessment, depending on their starting point. Companies with mature security programs and an existing SSP may need only 6 months of gap remediation. Companies starting from scratch typically need 12 to 18 months to implement all 110 NIST 800-171 controls, develop documentation, and train staff. We recommend starting preparation as early as possible, as C3PAO availability may create scheduling delays.
What is the difference between CMMC and NIST 800-171?
NIST 800-171 defines the 110 security controls that contractors must implement to protect CUI. CMMC is the certification and verification mechanism that proves you have actually implemented those controls. Think of NIST 800-171 as the requirements and CMMC as the test. Before CMMC, contractors self-attested to NIST 800-171 compliance. CMMC adds third-party verification to that process. Learn more about NIST compliance requirements.
What is a CUI enclave, and do I need one?
A CUI enclave is a segmented portion of your network specifically designed to process, store, and transmit CUI. It is not required by name in NIST 800-171, but it is a widely recommended architectural approach because it limits the scope of your CMMC assessment. Without an enclave, every system on your network that could potentially access CUI is in scope, dramatically increasing the number of controls you must implement and the cost of compliance.
Can I use regular Microsoft 365 for CUI?
No. Standard commercial Microsoft 365 (including Business and Enterprise plans) is not authorized for CUI processing or storage. Defense contractors handling CUI need Microsoft 365 GCC High, which operates in a FedRAMP High authorized environment with data residency in the United States and access limited to screened U.S. persons. We help contractors migrate to and manage GCC High environments.
What happens if I fail a CMMC assessment?
If you do not achieve the required CMMC level, you will not receive the contract award. There is no provisional certification. However, CMMC 2.0 does allow limited use of Plans of Action and Milestones (POA&Ms) for certain findings, giving you 180 days to remediate those specific gaps. Critical controls cannot be placed on POA&Ms. The best strategy is thorough preparation before the assessment, which is exactly what our readiness program delivers.
How much does CMMC compliance cost for a small defense contractor?
Costs vary significantly based on your current security posture, the number of users and systems in your CUI scope, and the CMMC level required. For a small company with 20 to 50 users, expect to invest between $50,000 and $200,000 over 12 to 18 months for gap assessment, remediation, documentation, and the assessment itself. A CUI enclave approach can reduce costs by limiting scope. Contact us for a scoping estimate based on your specific situation.
What is an SPRS score, and how do I calculate mine?
The Supplier Performance Risk System (SPRS) score is a numerical measure of your NIST 800-171 compliance, ranging from -203 (no controls implemented) to 110 (full compliance). Each of the 110 controls is weighted at 1, 3, or 5 points. You subtract points for unimplemented controls. All contractors handling CUI must submit a current SPRS score to the DoD. Use our free SPRS Score Calculator to estimate your current score.
Do subcontractors need CMMC certification too?
Yes. CMMC requirements flow down through the supply chain. If a prime contractor is required to hold CMMC Level 2 and passes CUI to a subcontractor, that subcontractor must also hold at least Level 2 certification. Even subcontractors who only handle FCI (not CUI) need Level 1. Prime contractors are increasingly requiring CMMC readiness from their subcontractors as a condition of doing business, even before it appears in contract clauses.
Can Petronella Technology Group perform my official CMMC assessment?
No, and any company that offers both consulting and official assessment services should raise a red flag. CMMC assessments must be performed by accredited C3PAO organizations, and there is an intentional separation between consulting and assessment functions. As a CMMC Registered Practitioner Organization, we prepare you for the assessment, but the certification itself comes from an independent C3PAO. This separation protects the integrity of the process and your certification.
Protect Your Defense Contracts with Proven CMMC Expertise
Petronella Technology Group has helped defense contractors across North Carolina and nationwide build compliant IT environments that pass assessments and protect CUI. Contact us today for a free CMMC readiness assessment.
Schedule Your Free Assessment | Call 919-348-4912
Petronella Technology Group, Inc.
5540 Centerview Dr., Suite 200
Raleigh, NC 27606
919-348-4912 • info@petronellatech.com