Robotics fordefense and DIB primes

The defense robotics buyer is rarely a single role. On a typical engagement we coordinate with a program manager who answers to a contracting officer, a principal investigator who answers to a research director, an information system security manager who answers to an authorizing official, and a contracts office that answers to legal counsel. Every one of those roles has a different tolerance for risk, a different timeline, and a different vocabulary for the same robotics deliverable. The work of an honest defense robotics partner starts with translating between them before a single line of code is written.

Controlled Unclassified Information sits at the center of every decision. CUI is the federal designation for information that is not classified but still requires safeguarding under federal law, regulation, or government-wide policy. It has subcategories - export-controlled, privacy, proprietary, intelligence, and dozens more - and a defense robotics dataset can carry several at once. A teleoperation log paired with a sensor stream paired with a payload geometry can become export-controlled CUI under the International Traffic in Arms Regulations the moment it touches a regulated subsystem. The handling rules cascade down to every contractor and subcontractor in the chain.

The procurement vehicles that fund defense robotics work also shape the landscape. Small Business Innovation Research and Small Business Technology Transfer grants are the most common entry path for a new robotics capability - a Phase I feasibility study at modest dollar value, a Phase II prototype at substantially higher dollar value, and a Phase III commercialization track that can run for years against a sole-source contract. The Defense Innovation Unit runs a parallel commercial-solutions opening process. The Air Force Research Laboratory, the Army Research Laboratory, the Office of Naval Research, and the Defense Advanced Research Projects Agency each fund directly into university and industry teams under their own contracting structures. A partner who does not understand which vehicle is paying for the work cannot scope it correctly.

Geography matters more than the industry usually acknowledges. North Carolina sits inside one of the densest defense and intelligence corridors in the country. Fort Liberty (the rebranded Fort Bragg footprint) is the largest United States Army installation by population. Seymour Johnson Air Force Base, Camp Lejeune, Cherry Point Marine Corps Air Station, and Pope Army Airfield anchor a Triangle-to-coast network of operational commands. Research Triangle Park hosts a deep bench of defense subcontractors, and our state's universities - North Carolina State, Duke, the University of North Carolina, and North Carolina A&T - have active Department of Defense research programs in autonomy, manipulation, perception, and human-robot teaming. We work in this corridor because we live in it.

The cost of a misstep is asymmetric. A non-defense robotics prototype that ships with a privacy bug becomes a customer-service problem. A defense robotics prototype that ships with a CUI handling gap becomes a contract-default problem, a flow-down problem at every prime above us, and possibly a reportable cybersecurity incident under DFARS. We engineer for that asymmetry from the first kickoff meeting.

We list these programs as the literature that frames the buyer's vocabulary. We do not claim engagements we have not delivered. When we describe what Petronella Technology Group brings to the conversation, the verifiable surface is the cybersecurity, compliance, and private artificial intelligence infrastructure - not a pretend track record on these specific programs. That distinction is the entire point of the honest novelty framing on this page.

The frameworks above interlock. CMMC L2 cites NIST SP 800-171 r3. DFARS 252.204-7012 references NIST SP 800-171 directly. CMMC L3 cites NIST SP 800-172. The CISA SBOM guidance is referenced inside emerging federal acquisition language. Treat them as one ecosystem, not as six separate audits, and the engagement gets simpler. Buyers who want the deeper compliance-only conversation can read the CMMC compliance pillar.

The credible part of the value proposition is the foundation, not the novelty. Petronella Technology Group was founded in 2002, holds a Better Business Bureau A+ rating since 2003, and is a CMMC-AB Registered Provider Organization (RPO #1449, verifiable at cyberab.org/Member/RPO-1449). Founder Craig Petronella holds CMMC-RP, CCNA, CWNE, and a North Carolina Licensed Digital Forensics Examiner credential (DFE #604180). The full team is CMMC Registered Practitioner certified. That credential stack is what defense buyers actually verify before they sign a non-disclosure agreement.

The infrastructure side is what most robotics shops do not bring. Petronella operates a private artificial intelligence cluster on owned NVIDIA Elite Partner Channel hardware (DGX-class, HGX-class, and RTX PRO compute, located in our Raleigh data plane). Robotics policies, vision-language-action models, and reinforcement-learning workloads can be trained and inferenced entirely on infrastructure that we own. No public cloud is required and no client data has to leave a defined enclave. Read the full architecture at private artificial intelligence solutions.

The robotics side is operational and small. We acquired a Reachy Mini - the open-source desktop expressive humanoid built by Pollen Robotics and acquired by Hugging Face in April 2025 - and run it in our Raleigh, North Carolina lab. Reachy Mini is the entry hardware platform for a research program that builds on the open-source Hugging Face LeRobot stack. Hardware specs, software stack, and the lab posture live on the Reachy Mini hardware page. We are participants in the LeRobot open-source ecosystem and we own the Reachy Mini in our lab. We do not claim a Pollen Robotics partnership we have not been granted.

The deliverable that ties cyber, compliance, and robotics together is what defense buyers cannot find anywhere else in the market. Most custom-robotics-development shops are platform specialists who do not market a CMMC posture. Most CMMC consultants do not run a robotics lab. Petronella sits in the intersection - cyber foundation, compliance fluency, private artificial intelligence compute, and an operational robotics workbench - and that is the wedge we offer to a defense robotics buyer who needs all four under one engagement contract. The pillar pages that anchor each of those four legs are cybersecurity, CMMC compliance, private artificial intelligence, and Reachy Mini hardware.

Each archetype is scoped on a time-and-materials or fixed-phase basis. We do not publish defense pricing on this page because procurement realities for a Department of Defense Industrial Base buyer differ from a commercial conversation; we discuss scope and cost on a call. What is fixed across all three archetypes is the security-and-compliance overlay - CUI handling, secrets vault, audit logging, and a documented authorization-to-operate posture - regardless of which shape the engagement takes.

For a parallel view of the deliverable side of any of these shapes, see the robotics prototyping solutions page which describes the engagement phases in more detail.

Defense procurement is not commercial procurement. We coordinate around the buyer's contracting structure, not the other way around. Petronella works as a subcontractor to a Department of Defense Industrial Base prime, as a teaming partner to a small business preparing a Small Business Innovation Research proposal, as a direct contractor against a Defense Innovation Unit Commercial Solutions Opening, and as a research subcontractor to a university principal investigator funded by an Air Force Research Laboratory or Army Research Laboratory grant. Each of those vehicles has its own contracting clauses, its own flow-down language, and its own milestone calendar. We read those documents before we scope work.

Communications posture defaults to non-classified, NIPRNet-aware coordination. We do not host a sensitive compartmented information facility. For defense engagements that need above-controlled-unclassified handling, we coordinate with the buyer's authorizing official and route work to the buyer's own classified environment. The wedge we own is the regulated-but-unclassified slice of the defense robotics market - which is where the overwhelming majority of Phase II and Phase III prototype work actually lives.

Grant-alignment work is part of the engagement. For a research university partnering with a defense sponsor, the principal investigator's grant proposal is the document that scopes the next eighteen months of work. We read the proposal, map the milestone schedule into the engineering calendar, and build the security plan that the sponsoring program office will accept. A sibling page, research universities cybersecurity, describes the academic-side anxieties and the buyer-identity layer for that vertical.

General Services Administration and Multiple Award Schedule context comes up. Petronella is not a GSA Schedule holder today - we say that out loud rather than pretend otherwise. For engagements that require GSA contracting we either subcontract under a teaming partner who holds an appropriate Schedule or coordinate with the buyer to use an alternative procurement vehicle. The honesty floor is non-negotiable; misrepresenting a Schedule status would itself be a contract-default risk.

Every conversation starts with a one-hour introductory call. There is no charge, no obligation, and no hard sell on that call. The output is either a clear path to a scoped engagement or a clear "this is not where we add value" - and the second outcome is just as honest a result as the first.

One. Who exactly is on your side of the table? Buyers want to know whether they are speaking with the engineer who will do the work or with a salesperson who will hand the project off after signature. Petronella Technology Group is small enough that the founder, Craig Petronella, is on the kickoff call for every defense engagement, and the engineering lead who will own the deliverable is on the call before scope is signed. We do not run a sales-engineer-to-delivery handoff. The person describing the work on the call is the person who will execute it. Buyers who have been burned by sales-engineering bait-and-switch in past procurements relax visibly when this question lands cleanly.

Two. What is the actual breadth of your CMMC posture? The Registered Provider Organization status (RPO #1449, verifiable at cyberab.org/Member/RPO-1449) is the headline answer. The longer answer is that we have walked clients through Level 1 self-assessment, Level 2 readiness work in advance of a Certified Third-Party Assessment Organization audit, and Level 3 conversations for clients facing the higher-tier control set drawn from NIST SP 800-172. We do not sit a CMMC L2 third-party assessment ourselves; that is a regulatory separation that the CMMC ecosystem enforces. We prepare the buyer for that assessment and then we step aside while the C3PAO does its work. The honesty of that scope boundary is a feature, not a bug.

Three. What does your data-flow diagram look like? Defense buyers who have been audited know that the first artifact a contracting officer asks for after a covered cyber incident is the data-flow diagram - which systems hold Controlled Unclassified Information, which network segments those systems live on, which user identities can reach those systems, and which audit logs prove that access. We bring a template diagram into the first call, walk through the variant we would build for the buyer's engagement, and answer the underlying question of "could you defend this if a contracting officer asked tomorrow." If the answer is no, we do not take the engagement until the diagram is ready.

Four. What happens to our intellectual property? The buyer keeps the intellectual property. Petronella does not retain background rights in client deliverables on defense engagements. The engagement contract reads that way and the deliverable artifacts ship that way. For buyers pursuing a Phase III sole-source award off a Phase II prototype we built, that intellectual property posture is the difference between a clean Phase III conversation and a contract dispute. We refuse to take the engagement on terms that compromise the buyer's Phase III position.

Five. What is your incident response under DFARS 252.204-7012? Our runbook covers detection through reportable-incident notification. Tabletop exercises rehearse the path before any live incident lands. The same digital forensics team that supports active investigations - including investigations that go to court under expert-witness scrutiny - sets the response posture for our defense clients. That is not a marketing claim, it is a verifiable statement: Craig Petronella holds a North Carolina Licensed Digital Forensics Examiner credential (DFE #604180), is listed on the North Carolina Office of Indigent Defense Services forensics registry, and has testified in court as an expert witness. The incident response runbook reflects that operational discipline.

Six. Where does the artificial intelligence inference run? On Petronella-owned compute, in our Raleigh, North Carolina data plane, on hardware sourced through the NVIDIA Elite Partner Channel. There is no public cloud inference path for defense engagements. Robotics policies, vision-language-action models, and reinforcement-learning workloads run on our cluster from training through deployment. The buyer can request the data-plane diagram and the audit-log topology before signing scope. The full architecture is described at private artificial intelligence solutions.

Seven. What is your relationship to Hugging Face and Pollen Robotics? Petronella is a customer and a community participant. Hugging Face acquired Pollen Robotics in April 2025 and announced the Reachy Mini hardware platform in July 2025. We acquired a Reachy Mini, run it in our Raleigh lab, and build prototypes on the open-source Hugging Face LeRobot stack. We are not a Pollen Robotics authorized partner because no public Pollen authorized-partner program currently exists; we are not Hugging Face certified or endorsed because no Hugging Face certification program exists in this domain. We say that out loud rather than imply a relationship that has not been granted.

Eight. Why should we trust a robotics practice that is new? The honest answer: because the robotics work is the new application of a 23-year-old foundation that you can verify line by line. Founded in 2002. Better Business Bureau A+ since 2003. CMMC-AB Registered Provider Organization #1449 verifiable on the CyberAB website. North Carolina Licensed Digital Forensics Examiner credential. Cisco-certified network professional. Cisco Wireless Networking Expert credential. Forensic registry listing on the North Carolina Office of Indigent Defense Services site. Five-thousand-plus pages of public technical writing on cybersecurity and compliance topics. The novelty surface is the robotics engineering. The trust surface is the foundation under it. Pretending the robotics work is older than it is would damage the trust surface, so we do not pretend.

The first call is forty-five minutes. The eight questions take the first thirty. The remaining fifteen minutes are spent on scope, sponsor program, and timeline. If the conversation reveals a fit, we follow up with a written engagement summary within forty-eight hours. If the conversation reveals that we are not the right partner for the buyer's specific need, we say so on the call and refer the buyer to a more appropriate shop where we can. The honesty floor on the first-call posture is what produces the trust required to sign a defense engagement contract.

The defense robotics market is not under-served by robotics shops. It is under-served by robotics shops that also bring a verifiable cybersecurity, compliance, and private artificial intelligence infrastructure surface. The shops that lead with motion planning, manipulation research, or platform integration are excellent at what they do; the buyers who hire them often hire a separate compliance vendor and a separate cloud-AI integrator and a separate cyber response team to round out the engagement. The integration tax is real. A buyer running a Phase II prototype with three external partners spends a meaningful percentage of the program budget on coordination overhead.

Petronella collapses three of the four lanes into a single contract. The robotics engineering lane is a new lane for us; we are operationally small in that lane and we say so. The cybersecurity lane is a 23-year-old discipline. The compliance lane is a CMMC-AB Registered Provider Organization function we have built since the CMMC framework existed. The private artificial intelligence lane is a multi-year investment in owned NVIDIA Elite Partner Channel hardware that we run in our own Raleigh data plane. A buyer who hires us is hiring three operational lanes plus one new-but-supportable lane under one engagement contract, not four separate vendors.

The geographic wedge holds independently. North Carolina is one of the densest defense corridors in the country. Fort Liberty is the largest United States Army installation by population. Seymour Johnson Air Force Base, Camp Lejeune, Cherry Point Marine Corps Air Station, and Pope Army Airfield round out the state's operational footprint. Research Triangle Park hosts a deep bench of defense subcontractors and a research-university stack with active Department of Defense funding. The buyer who needs a CMMC-aligned robotics partner with feet on the ground in North Carolina has limited options today. We intend to be the obvious one.

The honesty discipline reinforces the wedge instead of weakening it. Defense buyers have been pitched by enough vendors that the room reads marketing language for what it is. A vendor who claims a partnership it has not been granted, a credential it does not hold, or a track record it cannot verify gets caught - sometimes after signature, sometimes during a Phase II review when an auditor follows up on a claim. Petronella refuses to make claims that cannot survive that audit. The output is a slower-growing pipeline and a much higher trust floor with the buyers who actually call. We will take that trade.