CMMC and HIPAA Training Built for Your Whole Team
Live monthly cohort sessions, a dedicated instructor, and curriculum customized to your stack. Built for defense contractors who need AT.L2-3.2.2 role-based training their C3PAO will accept, healthcare practices facing OCR exposure, and MSP teams scaling regulated-client work. SCORM-style microlearning will not get your team there. This will.
Cohort Size
5 - 25 seats
Live Cadence
Monthly
Starting Price
From $5,000/mo
Min Term
6 months
The Compliance Manager's Real Problem
If you are reading this, you already know self-paced video and a generic awareness module are not going to clear your next audit. Here is what we hear from the security managers who eventually call us.
"My C3PAO flagged our training program."
You bought a KnowBe4 license. Your team clicked through 12 minutes of phishing-awareness video. The C3PAO on your CMMC Level 2 assessment looked at the training records and said "this does not satisfy AT.L2-3.2.2 - you need role-based training mapped to each user's CUI handling responsibilities, with documented competency evaluation."
Now you have a POA&M item with a remediation deadline, your assessment is paused, and you are watching ten thousand dollars in audit fees evaporate while you scramble for a real training program. We have heard this exact sequence from three defense contractors in the past six months.
The problem is not that KnowBe4 is bad - it is excellent at what it does. The problem is that AT-3 was never what KnowBe4 was built for. Generic awareness videos are AT-2 at best. AT-3 needs role-mapped curriculum, documented competency, and an instructor who can defend the methodology in front of an assessor.
The Cohort Model
Four mechanisms make a corporate cohort work where self-paced does not. Every engagement includes all four.
Live Monthly Sessions
Your team meets with our instructor for two hours each month. Live Q&A, threat-of-the-month walkthrough, scenario tabletop. Recorded for absent members. Calendar set quarterly with your team's schedule, not ours.
Dedicated Instructor
One named lead instructor for your engagement. CMMC-RP credentialed. Knows your environment, your SSP, your CUI flows by month two. Available for ad-hoc questions through a private Slack channel between live sessions.
Customized Curriculum
We do not run a stock playlist. The curriculum is mapped to your stack (Microsoft 365 versus on-prem AD versus cloud workload mix), your CMMC level (1, 2, or 3), and your role distribution (admin, developer, leadership, contractor liaison). Built in week 1 of the engagement.
Reporting Dashboard
Organization-wide completion tracking, quiz scores per learner, time-on-task, and audit-ready certificate exports. Visible to your security manager, your compliance officer, and ready to hand to a C3PAO or auditor on request.
Three Cohort Tiers
Pick by seat count. All three include live monthly sessions, dedicated instructor, customized curriculum, and reporting dashboard. Larger tiers add deeper customization and faster instructor response.
| Tier | Seats | Price | What Scales Up |
|---|---|---|---|
| Cohort Standard | 5 - 10 seats | From $5,000/mo | Monthly live session. 24-hour instructor email response. Quarterly stack review. Standard curriculum mapped to your CMMC level. |
| Cohort Plus | 11 - 25 seats | From $9,000/mo | Adds bi-weekly office-hours session, priority instructor Slack response (2-hour SLA business hours), custom-built role tracks for up to 4 distinct user roles, monthly compliance memo for your CISO or compliance committee. |
| Cohort Enterprise | 26 - 100+ seats | Custom quote | Dedicated instructor named to the engagement. Weekly office hours. Up to 8 role tracks with separate competency evaluations. Quarterly executive briefing for your board or audit committee. SCORM export for ingestion into your corporate LMS. Custom-quoted by seat count, role complexity, and assessment timeline. |
All tiers require a 6-month minimum engagement with monthly billing. Cohort Plus and Enterprise quotes are scoped after a 30-minute discovery call. Renewal at the end of term is opt-in with no auto-renewal. All fees are non-refundable per Stripe invoice; cancellation at end-of-term stops future invoices.
Curriculum Customization Options
Pick your framework focus, your CMMC level, and your role tracks. We build the cohort curriculum in week 1.
Framework Focus
- CMMC 2.0 Levels 1, 2, or 3
- HIPAA Security Rule technical and administrative safeguards
- HIPAA Privacy Rule and Breach Notification Rule
- NIST 800-171 (DFARS 252.204-7012)
- NIST CSF 2.0
- SOC 2 Type II readiness
- PCI-DSS v4 (limited - we map controls but defer to QSA assessor)
Role Tracks
- Privileged administrator (full CUI handling)
- Developer (code-handling CUI awareness)
- End-user / general workforce
- Leadership / executive (governance and reporting)
- Compliance officer (program management)
- Subcontractor liaison (flow-down requirements)
- Custom tracks for specialty roles (engineering, clinical, legal hold)
Stack Mapping
- Microsoft 365 GCC and GCC-High
- Google Workspace
- On-prem Active Directory environments
- AWS GovCloud
- Azure Government
- Hybrid cloud workload patterns
- EHR systems (Epic, Cerner, AthenaHealth) for HIPAA tracks
- EDR / XDR platforms (CrowdStrike, SentinelOne, Defender)
Outcomes Your Auditor Will Recognize
What your team walks away with at the end of a 6-month or 12-month engagement.
- Documented competency evaluation per learner. Quiz-graded, role-mapped, exportable for audit. Passes the AT.L2-3.2.2 control evidentiary bar.
- PPSB CE credit per eligible learner. Five courses in our underlying catalog carry NC PPSB CE codes; team members holding NC PI, security consultant, or expert-witness licenses earn renewal credit through cohort participation.
- Audit-ready certificate exports. PDF or CSV, listing learner name, course title, hours, completion date, instructor credentials, and competency score. Format approved by C3PAOs we have worked with.
- Organizational risk-posture improvement. Measurable through quarterly phishing-simulation scores, MFA-adoption rates, and incident-response tabletop performance. Built into the dashboard.
- Curriculum living document. Your custom curriculum is yours. If you renew, it evolves with your stack. If you do not renew, you receive the curriculum spec as a printable PDF on engagement close.
- SCORM export option (Cohort Enterprise tier). We hand over the curriculum as SCORM 1.2 or 2004 packages for ingestion into your corporate LMS, suitable for ongoing in-house use after engagement ends.
Who Buys a Corporate Cohort
Four organization profiles where the math works and the format fits. If you are smaller than these or you have a stronger preference for asynchronous self-paced training, the annual subscription, from $997 per learner, is the better SKU.
50 - 500 Employee MSP
You are growing into regulated-client work. Your CMMC-aspiring posture needs AT-3 evidence in your own SSP, and your downstream defense-contractor clients want to see a credible workforce-training program when you bid against incumbents.
Mid-Size Healthcare Practice
You hold ePHI for thousands of patients. Your last OCR-style risk analysis flagged workforce training as a gap. You need HIPAA Security Rule depth that reaches your IT staff plus role-appropriate Privacy Rule coverage for your clinical and admin teams.
Defense Subcontractor 50 - 500 FTE
You hold CUI under a DFARS 252.204-7012 contract. Your CMMC Level 2 assessment is on the calendar. AT.L2-3.2.2 role-based training is the gap your prime contractor and your C3PAO are both pointing at. You have 90 to 180 days to fix it credibly.
Professional Services Firm 100 - 500 FTE
Law firm, engineering firm, accounting practice with regulated clients. You handle privileged data daily. Your insurance carrier added a cybersecurity-training requirement to renewal. You need a program that satisfies the carrier auditor without padding everyone's calendar with checkbox modules.
Why Petronella Is the Right Instructor
Petronella Technology Group has delivered cybersecurity engagements since 2002. Our cohort training is built and taught by the same engineers who run live CMMC, HIPAA, and incident-response work for defense contractors and healthcare practices in North Carolina and nationally. We are CMMC-AB Registered Provider Organization RPO-1449, with a team of CMMC-RP-credentialed practitioners. Founder Craig Petronella holds CMMC-RP, CCNA, CWNE, and DFE #604180 (Digital Forensic Examiner). Our instructors testify in court as expert witnesses, ship CMMC SSPs that pass C3PAO assessment, and run the same controls we teach in our own infrastructure.
We are accredited by the North Carolina Private Protective Services Board (PPSB), have held a BBB A+ rating since 2003, and operate from 5540 Centerview Dr, Suite 200, Raleigh NC 27606. The cohort instructor your team meets is not a contractor we resold; they are a Petronella employee with a security clearance pathway, a court-record litigation history, or both.
What we do not do: we do not white-label SANS material, we do not resell KnowBe4 with a bow, we do not promise outcomes our methodology cannot defend in front of an assessor. The curriculum is ours, the instructors are ours, the dashboard is ours, and the credentials behind every certificate are ours.
Frequently Asked Questions
What is the minimum engagement?
How flexible is the live-session schedule?
Can we develop custom content beyond the standard catalog?
What is your recording retention and content access policy?
Can we export to our corporate LMS?
How is billing structured?
Book a 30-Minute Discovery Call
Bring your CMMC level, your HIPAA exposure, your seat count, and your current training stack. We will map a curriculum recommendation and a price quote within 5 business days of the call. Petronella Technology Group, 5540 Centerview Dr Suite 200, Raleigh NC 27606. Call (919) 348-4912.