Encrypted Data, Email, and CUI Vault for CMMC, ITAR, HIPAA, and Beyond
End-to-end encrypted email, encrypted file sharing, an encrypted vault for CUI and ePHI, and the ComplianceArmor® documentation backbone, operated and supported by Petronella Technology Group, Inc., a Raleigh, NC firm in business since 2002 that operates as CMMC RPO #1449 with four CMMC Registered Practitioners on staff.
What does enterprise-grade data protection look like in 2026? An end-to-end encryption layer on email and storage built on FIPS 140-3 validated cryptographic modules; a documentation system that produces an assessment-ready SSP, SOPs, and Shared Responsibility Matrix; twenty-four-seven managed detection and response on the endpoint, network, identity, and cloud telemetry that surrounds your data; a vCISO who owns risk decisions in writing; and an MSP that operates the controls every business day. Petronella Technology Group, Inc. delivers all five in one accountable engagement under CMMC RPO #1449.
Vendor compliance accelerators sell documentation. Petronella operates the documentation system, the encrypted fabric, and the MSP that keeps both running.
If you have priced compliance over the past year, you have probably been pitched a "compliance accelerator" or "compliance-in-a-box" product. Almost all of them are software-only: you receive a license to a documentation generator, perhaps pre-filled templates for one regulatory framework, and a video library that explains the controls. You are then on your own to integrate the documentation with a real encryption platform, a real monitoring service, and a real human governance program. Two years later, when an auditor or a Department of Defense supplier flow-down request arrives, you discover that the documentation is only as good as the operational reality it describes, and that there is no operational reality.
Petronella Technology Group, Inc. solves a different problem. We deliver the documentation, the encrypted data and email fabric that the documentation describes, the managed detection and response service that protects that fabric, the Petronella vCISO who owns risk decisions in writing, and the managed-IT operations team that keeps the controls running on a daily basis. One firm, one accountable provider, one phone number, under CMMC RPO #1449 and four CMMC-RP practitioners with verifiable credentials on the Cyber AB registry. We have been the operator of regulated environments in Raleigh, North Carolina since 2002.
This page describes the Petronella Secure Data Suite, our brand for the encrypted data and email fabric, and how it integrates with our other PTG-owned services to deliver auditable compliance across CMMC, HIPAA, FTC Safeguards, GLB, FERPA, CJIS, PCI DSS, ISO 27001, and SOC 2 from a single point of contact.
The Petronella Secure Data Suite: what it is
Petronella Secure Data Suite is our branded encrypted data and email system. Inside, it is built on a FedRAMP Moderate Equivalent platform (the standard the DoD CIO's December 2023 memorandum sets for cloud providers handling CUI under DFARS 252.204-7012) with FIPS 140-3 validated cryptographic modules and Controlled Unclassified Information (CUI) storage in AWS GovCloud. The architectural anchor is straightforward: encryption keys are generated and stored on user devices, never on a vendor server. There is no central key store for an attacker, an insider, or a subpoena to compromise. Every message and every file is encrypted before it leaves the sender's device and remains encrypted until it reaches the recipient's device. The trade-off every end-to-end design carries is that the user's device becomes the key-protection boundary: a compromised or unlocked endpoint can read what the server cannot, which is why endpoint detection and device management are part of the same engagement rather than optional add-ons.
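To make the property in the paragraph above concrete, here is an added example that is not Petronella's code and does not use its platform: two "device" objects each generate and keep their own X25519 private key, a "relay" object stands in for the vendor server and holds only a public-key directory and ciphertext, and the sender encrypts with AES-256-GCM under a key derived from an ephemeral X25519 exchange. The names Device, Relay and Envelope and the sample message are assumed for illustration, and the block depends on the `cryptography` Python package.

```python
"""Added example, not Petronella's code: a minimal end-to-end encrypted exchange in
which the relay (the vendor/server side) stores only public keys and ciphertext.
Private keys are generated and kept inside each Device object and never exported.
Device, Relay, Envelope and the sample message are assumed names/data."""
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

RAW, RAW_PUB = serialization.Encoding.Raw, serialization.PublicFormat.Raw


@dataclass(frozen=True)
class Envelope:
    sender: str
    recipient: str
    eph_pub: bytes     # sender's one-time X25519 public key
    nonce: bytes       # 96-bit AES-GCM nonce, unique per envelope
    ciphertext: bytes  # AES-GCM output with the 16-byte tag appended


def _derive_key(shared: bytes, eph_pub: bytes, rcpt_pub: bytes) -> bytes:
    # Bind the key to both public values so a relay that swaps either one
    # in the directory or the envelope cannot redirect the message.
    info = b"e2ee-demo-v1|" + eph_pub + b"|" + rcpt_pub
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=info).derive(shared)


class Device:
    """A user endpoint. The long-term private key exists only inside this object."""

    def __init__(self, user: str) -> None:
        self.user = user
        self._priv = X25519PrivateKey.generate()
        self.pub = self._priv.public_key().public_bytes(RAW, RAW_PUB)

    def seal(self, relay, recipient: str, plaintext: bytes) -> Envelope:
        rcpt_pub = relay.lookup(recipient)
        eph = X25519PrivateKey.generate()  # fresh ephemeral key per message
        eph_pub = eph.public_key().public_bytes(RAW, RAW_PUB)
        shared = eph.exchange(X25519PublicKey.from_public_bytes(rcpt_pub))
        key = _derive_key(shared, eph_pub, rcpt_pub)
        nonce = os.urandom(12)
        aad = f"{self.user}->{recipient}".encode()  # routing metadata: authenticated, not hidden
        ct = AESGCM(key).encrypt(nonce, plaintext, aad)
        return Envelope(self.user, recipient, eph_pub, nonce, ct)

    def open(self, env: Envelope) -> bytes:
        shared = self._priv.exchange(X25519PublicKey.from_public_bytes(env.eph_pub))
        key = _derive_key(shared, env.eph_pub, self.pub)
        aad = f"{env.sender}->{env.recipient}".encode()
        return AESGCM(key).decrypt(env.nonce, env.ciphertext, aad)  # InvalidTag if tampered


class Relay:
    """Server side: public-key directory plus envelope store, and no private key at all."""

    def __init__(self) -> None:
        self.directory: dict[str, bytes] = {}
        self.store: list[Envelope] = []

    def register(self, dev: Device) -> None:
        self.directory[dev.user] = dev.pub

    def lookup(self, user: str) -> bytes:
        return self.directory[user]

    def deliver(self, env: Envelope) -> None:
        self.store.append(env)

    def data_at_rest(self) -> bytes:
        # Everything an attacker, an insider or a subpoena could obtain from the relay.
        return b"".join(e.eph_pub + e.nonce + e.ciphertext for e in self.store)


def demo() -> dict:
    relay = Relay()
    alice, bob = Device("alice@example.mil"), Device("bob@example.com")
    relay.register(alice)
    relay.register(bob)
    msg = b"CUI//SP-CTI drawing rev C attached"  # constructed sample message
    relay.deliver(alice.seal(relay, "bob@example.com", msg))
    env = relay.store[0]
    # Flip one ciphertext byte in transit: GCM tag verification must reject it.
    bad = Envelope(env.sender, env.recipient, env.eph_pub, env.nonce,
                   env.ciphertext[:-1] + bytes([env.ciphertext[-1] ^ 0x01]))
    try:
        bob.open(bad)
        tamper_rejected = False
    except InvalidTag:
        tamper_rejected = True
    return {"recovered": bob.open(env),
            "relay_sees_plaintext": msg in relay.data_at_rest(),
            "tamper_rejected": tamper_rejected}
```

Calling demo() shows the recipient recovering the plaintext, the relay's stored bytes containing no plaintext, and a single flipped ciphertext byte being rejected by the GCM tag. It also shows the caveat that matters to a practitioner: the private key lives in the Device object, so whoever controls that device controls the data, which is why endpoint protection sits alongside encryption rather than behind it.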
For your users, the experience is unchanged from the email and file-sharing tools they already know. Outlook, Outlook on the Web, Gmail, Apple Mail, Windows File Explorer, Mac Finder, iOS, Android, and any modern browser are all supported through native integrations. The address on your business card stays the same. The send button is in the same place. Internal mail and file shares are encrypted by default; external recipients without an encrypted account receive a secure web portal link, which they can claim with a free third-party account and reuse for every future exchange with your firm.
End-to-end encrypted email
Outlook, Gmail, and Apple Mail send and receive encrypted by default. Existing mailbox addresses preserved. External recipients claim free third-party accounts, no per-guest licensing cost.
Encrypted file storage and sharing
Windows Explorer and Mac Finder drives, mobile apps, browser access. Granular share permissions, revoke at any time, two-gigabyte file size ceiling supports large CAD, BIM, and discovery file transfer.
Encrypted data rooms
Auditable shared spaces for sensitive transactions, mergers and acquisitions, litigation discovery, due diligence, regulator response, board collaboration. Each room ships with cryptographic activity logs.
Customer-managed keys, zero-trust architecture
Device-stored keys mean no shared passwords to steal, no central key vault to breach. Approval Groups require multi-party consent for high-impact admin actions. Built for the zero-trust threat model.
CUI vault that satisfies NIST 800-171 r3 storage
Storage tier validated against the NIST SP 800-171 r3 media protection control family, with CUI residency in AWS GovCloud and documented mapping to every applicable control inside your SSP.
One hundred plus of one hundred and ten controls
The encrypted fabric plus ComplianceArmor® procedures plus PTG-operated MSP processes address every NIST SP 800-171 requirement: the 110 requirements of Rev 2, which is the baseline CMMC Level 2 currently assesses against, and the 97 consolidated requirements of Rev 3, which the SSP also maps. Each requirement is tied to the responsible Petronella service inside the System Security Plan.
Compliance frameworks supported
Petronella Secure Data Suite is most commonly deployed for CMMC, but the same encrypted data and email and CUI vault architecture is engineered to meet the encryption, key-management, and audit requirements of every framework below. Coverage is full unless noted.
| Framework | Coverage | How Petronella Secure Data Suite satisfies it |
|---|---|---|
| CMMC Level 2 / Level 3 | Full | End-to-end encrypted CUI handling, FIPS 140-3 modules, AWS GovCloud storage, mapped to NIST SP 800-171 r3 controls inside every ComplianceArmor SSP |
| ITAR § 120.54 | Full | End-to-end encryption on FIPS 140 validated modules in which no third party, including the cloud provider, holds the means of decryption, meeting the § 120.54(a)(5) conditions under which sending or storing unclassified ITAR technical data is not an export; the data must also not be sent to or stored in a country proscribed in § 126.1 or in Russia |
| NIST SP 800-171 | Full | Over 100 of the 110 Rev 2 requirements (97 as consolidated in Rev 3) covered directly by the encrypted data and email layer; remainder covered by Petronella vCISO governance and ComplianceArmor procedures |
| NIST SP 800-172 | Full | Advanced encryption and audit logging meet the enhanced security requirements selected for CMMC Level 3 and for CUI workloads exposed to APT risk |
| HIPAA | Full plus Safe Harbor | NIST-standard encryption at rest and in transit, with a signed Business Associate Agreement; ComplianceArmor generates the HIPAA Security Risk Analysis |
| FERPA | Full | Encrypted student records with role-based access and complete audit trail satisfy the education-records protection standard |
| CJIS | Full | FIPS-validated encryption and audit logging meet the FBI Criminal Justice Information Services Security Policy |
| FTC Safeguards Rule | Full | Encryption, access controls, monitoring, and incident response inside one integrated stack with documented qualified-individual oversight |
| Gramm-Leach-Bliley | Full | Customer information safeguards via end-to-end encryption and access logging, with a documented Information Security Program through ComplianceArmor |
| PCI DSS 4.0.1 | Full | Encrypted storage, audit logging, and key management address Requirements 3, 4, and 10 (stored account data, transmission over open networks, logging); the remaining requirements are met by the surrounding XDR, MSP, and vCISO services, and ComplianceArmor generates the ROC-supporting evidence |
| ISO 27001:2022 | Full | Annex A controls covered by the encrypted stack and governance; ComplianceArmor generates the Statement of Applicability |
| SOC 2 Type I and Type II | Full | All five Trust Services Criteria covered with documented evidence; assessor-ready package |
| CCPA | Full | Encrypted PII storage with documented access logs supports the right-to-know and right-to-delete obligations |
ComplianceArmor®: the documentation backbone
An encrypted data fabric without documentation is not auditable. ComplianceArmor® is the multi-framework documentation platform we built and operate, and it is the second pillar of Petronella Secure Data Suite. ComplianceArmor® generates System Security Plans, Standard Operating Procedures across every NIST SP 800-171 control family, the Shared Responsibility Matrix between Petronella Technology Group, Inc. and your organization, Network and CUI Flow Diagrams, and assessment-ready checklists. It covers CMMC, HIPAA, SOC 2 Type I and Type II, PCI DSS 4.0.1, ISO 27001, and CCPA in one platform, broader than any single-framework documentation accelerator we have seen.
The platform uses a large language model only for intake, asking the right questions, extracting information from your existing policies, and explaining what a given control means in plain English. The generated artifacts themselves are produced from PTG-authored templates that have been refined across hundreds of regulated client engagements since 2002. Author attestation on every SSP we ship traces back to RPO #1449. A Department of Defense procurement officer or a HIPAA auditor can independently verify that number against the Cyber AB registry.
Learn more at /compliance/compliancearmor/, including the framework-specific deep dives for CMMC compliance software, HIPAA compliance software, and the broader CMMC Compliance Guide.
Petronella XDR: live detection and response
Encryption protects your data from interception in motion and from exposure at rest. It does not detect an attacker who has already compromised a workstation, stolen a privileged credential, or planted persistence inside your perimeter. The third pillar of Petronella Secure Data Suite is Petronella XDR: our extended detection and response service that monitors endpoint, network, identity, and cloud telemetry around the clock, with response actions executed by our security operations team.
Petronella XDR runs as a managed service, which means we own the alert triage, the playbook execution, and the after-action documentation. Your internal IT team does not have to learn a new SIEM, write detection rules, or staff a twenty-four-seven watch desk. We take that off the table and surface only the incidents that require client decisions or notifications. The two layers are complementary by design: encryption keeps data confidential in transit and at rest, so a compromised server, network path, or backup yields only ciphertext; XDR watches the endpoints where the keys live and plaintext is reachable, and contains an intrusion there before data can be exfiltrated in the clear.
Details and pricing at /managed-xdr/.
Petronella vCISO: governance and risk decisions in writing
The fourth pillar is the Petronella vCISO. Blake Rea, CMMC-RP, leads the vCISO practice. Craig Petronella, CMMC-RP and founder of Petronella Technology Group, Inc. since 2002, serves as the executive sponsor on every vCISO engagement involving regulated data. The vCISO program produces the documents that an auditor, an insurance underwriter, a Department of Defense customer, or a regulator will ask for: the risk register, the documented risk acceptance decisions, the third-party risk reviews, the incident response runbooks, and the annual security program report to the board.
For organizations preparing for a CMMC assessment, Blake Rea functions as the lead practitioner and signs off on the readiness package. For organizations that need a CISO-level signature on a HIPAA Security Risk Analysis, a SOC 2 description of services, or a PCI DSS scoping memorandum, the same governance program produces that artifact. The vCISO sits one layer above the operational delivery team, separating the "who decides" from the "who executes", which is a control most small firms cannot afford to maintain internally.
Program details at /solutions/vciso/.
MSP-grade operations: the controls run every day
The fifth pillar is the part most security firms quietly skip. Documentation, encryption, monitoring, and governance only deliver compliance if they are operated every day. Petronella Technology Group, Inc. has been a Raleigh, North Carolina managed-IT services provider since 2002, which means we own the unglamorous side of compliance: patching, backup verification, drift detection, license adjustments, account-provisioning workflow, joiner-mover-leaver discipline, mobile device management, browser hardening, secure-baseline enforcement, and the help desk that resolves the user lockout at 7:42 a.m. so your CFO can sign payroll on time.
This is the operational reality that gives the documentation its meaning. When a client SSP states "user accounts are reviewed quarterly," the MSP runs that review on the calendar with an artifact archived to the audit folder. When the SSP states "endpoint baselines are enforced," the RMM and the EDR enforce it and produce the evidence. There is no gap between the document and the practice. This is why we lead with the whole stack rather than a single product.
See /it-services/managed-it-services/ for the managed-IT program and /managed-it-services-raleigh-nc/ for the Raleigh-local engagement model.
Use case 1: DoD supplier with CUI
For a defense subcontractor handling Controlled Unclassified Information under a Department of Defense flow-down, three architectural patterns are available and each makes sense in different scenarios. Pattern A is Microsoft GCC High, a sovereign Microsoft 365 tenant designed for CUI workloads. Pattern B is a Petronella encrypted enclave layered on top of your commercial Microsoft 365 or Google Workspace tenant, with the Petronella Secure Data Suite isolating CUI from non-CUI workflows and pairing with de-identified commercial Power BI for reporting. Pattern C is Power BI Report Server running on-premises inside your CUI authorization boundary.
For most small and mid-size defense suppliers we work with, Pattern B is the right answer: faster to deploy, materially less expensive than a GCC High migration, and operable with the staff a thirty-person shop already has. For organizations with deep dependencies on Microsoft 365 services that GCC High alone provides, or with explicit contract language calling out GCC High, Pattern A is the right answer and we will say so on the scoping call. Pattern C is reserved for shops with air-gapped CNC machines or floor-network constraints that argue against any cloud option.
The full three-pattern decision tree lives at /cmmc-power-bi-reporting/. For the broader CMMC readiness path, see the CMMC Compliance Guide.
Use case 2: Healthcare practice with electronic protected health information
For a clinical practice, behavioral health provider, dental group, or specialty clinic moving electronic protected health information (ePHI) across email and file-sharing channels, the regulatory anchor is the HIPAA Security Rule plus the HIPAA Breach Notification Rule's Safe Harbor for encrypted data. ePHI that is encrypted consistent with HHS guidance (NIST SP 800-111 for data at rest; the NIST transport guidance HHS cites, SP 800-52, 800-77, and 800-113, for data in transit) is not "unsecured PHI," so unauthorized access to it does not trigger the notification obligation, provided the decryption key was not compromised as well. The Petronella Secure Data Suite encrypted email and storage layer meets that NIST standard, and Petronella Technology Group, Inc. signs a Business Associate Agreement with every healthcare client before any ePHI touches the platform.
ComplianceArmor® generates the HIPAA Security Risk Analysis and Risk Management Plan that complete the Safe Harbor evidence chain. The architecture pattern pairs with role-based access, sensitivity labels, audit-log retention, and a documented prohibition on Publish-to-Web for any Power BI dashboards built on top of the same data. See the broader HIPAA architecture playbook at /power-bi-hipaa-dashboards/ for reporting use cases, and /compliance/compliancearmor/hipaa-software/ for the documentation deep dive.
Use case 3: Law firm with privileged matter data
For a law firm, the data protection problem has unusual breadth. A single firm may simultaneously handle Controlled Unclassified Information for a defense industrial base client, electronic protected health information for a healthcare client, financial data subject to Gramm-Leach-Bliley for a banking client, attorney-client privileged communications across every matter, eDiscovery materials under judicial protective order, and donor or board records in the firm's own books. Maintaining a separate compliance stack for each regulatory regime is unworkable.
The Petronella Secure Data Suite covers all of these on a single platform. Encrypted matter rooms isolate privileged communications by case. Free third-party accounts let clients, expert witnesses, and outside counsel claim encrypted access at no per-seat cost, material for a firm handling fifty external matters. Cryptographic activity logs satisfy eDiscovery audit requirements and court-defensible retention. ABA Model Rule 1.6 confidentiality obligations and the more recent state bar opinions on attorney duty of competence with respect to client data security are addressed by the same platform that satisfies CMMC and HIPAA, without separate procurement, separate licensing, or separate user training. Sector deep dive at /power-bi-for-law-firms/ for the reporting and analytics layer.
Use case 4: Manufacturer with ITAR drawings on the shop floor
For a manufacturing firm, particularly a CNC shop, a fabrication shop, or a contract manufacturer producing parts from drawings controlled under the International Traffic in Arms Regulations (ITAR) or handling Covered Defense Information, the data protection challenge sits across air-gapped machine controllers, engineering workstations carrying CAD and BIM files, and the email channel through which the prime contractor ships work orders. ITAR § 120.54(a)(5) provides an end-to-end encryption carveout: sending or storing unclassified technical data is not an export when the data is secured with end-to-end encryption on FIPS 140 compliant cryptographic modules, no third party (including any cloud or application service provider) is given the means to decrypt it, and it is not sent to or stored in a country proscribed in § 126.1 or in Russia.
The Petronella Secure Data Suite is designed to satisfy the § 120.54 conditions. Combined with Petronella XDR on the engineering workstations and an MSP-operated secure handoff workflow to the shop floor, the architecture lets a small shop ship CMMC Level 2 readiness and ITAR-compliant drawing handling without ripping out commercial Microsoft 365.
Use case 5: Tax or accounting firm under the FTC Safeguards Rule
For a CPA firm, an enrolled agent, or a tax preparer, the regulatory drivers in 2026 are the Federal Trade Commission Safeguards Rule (amended in 2021, with full compliance required since June 2023 and, since May 2024, notification to the FTC of breaches affecting 500 or more consumers), IRS Publication 4557's Written Information Security Plan requirement, and the Gramm-Leach-Bliley Act. The Safeguards Rule requires a designated qualified individual responsible for the information security program, a written risk assessment, encryption of customer information at rest and in transit, multi-factor authentication, regular monitoring, and an annual report to the board or owner.
The Petronella Secure Data Suite covers the encryption mandate end to end. ComplianceArmor® produces the Written Information Security Plan, the risk assessment, and the annual report. The Petronella vCISO program supplies the qualified individual designation where the firm does not have one in-house. Petronella XDR delivers the monitoring requirement. Free third-party accounts let clients return signed 1040s, K-1s, and engagement letters through the encrypted portal at no per-client cost, material for a firm handling four hundred returns per season. Sector pillar at /ftc-safeguards-rule-compliance/.
Some vendors sell an accelerator product. Petronella operates the full stack.
The honest version of the competitive picture: many vendors will sell you a compliance accelerator product. We have evaluated them. Most are competent at the slice of the problem they address. None of them deliver the surrounding stack, the encrypted data fabric, the managed detection and response, the vCISO governance, and the MSP-grade daily operations, under one accountable provider with verifiable Cyber AB credentials.
| Capability | Typical single-vendor accelerator product | Petronella Technology Group, Inc. |
|---|---|---|
| Multi-framework documentation | One framework (usually CMMC only) | CMMC + HIPAA + SOC 2 + PCI DSS + ISO 27001 + CCPA |
| Encrypted email layer | Sometimes bundled, sometimes not | Always, Petronella Secure Data Suite |
| Encrypted file and data-room storage | Rarely | Always, same encrypted substrate |
| Managed detection and response on endpoints, network, identity, cloud | No, separate procurement | Petronella XDR, bundled |
| vCISO governance with executive sponsor signature | No, separate consultancy | Blake Rea leads, Craig Petronella sponsors |
| MSP-grade daily operations of the controls | No, your problem | Petronella MSP since 2002 |
| Author attestation against CMMC Registered Provider Organization | Sometimes | RPO #1449 on every SSP |
| CMMC Registered Practitioners on staff | Varies | Four (Craig, Blake, Justin, Jonathan) |
| Local Raleigh, NC delivery option | No, remote-only | Raleigh-headquartered since 2002 |
For organizations that want to compare framework breadth specifically, ComplianceArmor® is the broadest documentation platform we have benchmarked, and we benchmark every quarter. It is built for the regulated SMB that has more than one compliance driver, which describes almost every business we work with.
Engagement model
Engagements are fixed-fee with published scope. Initial fixed-fee milestones are paid one hundred percent upfront at contract execution before kickoff, in line with our standard payment terms. Three engagement tiers are typical:
- Foundation: encrypted email layer plus encrypted drive plus the first ComplianceArmor® SSP draft for one framework. Typical scope: five to twenty-five users. Ships in two to six weeks. Pairs with an annual Petronella XDR Operations Retainer and an optional Petronella vCISO Light retainer.
- Compliance Sprint: Foundation plus full framework documentation (SSP, SOPs, Shared Responsibility Matrix, network and CUI flow diagrams, assessment checklists) plus vCISO governance program plus Petronella XDR rollout. Typical scope: twenty-five to two hundred fifty users. Ships in eight to fourteen weeks. Designed for clients with a known external assessment date.
- Enterprise Anchor: Compliance Sprint plus multi-framework documentation (any combination of CMMC, HIPAA, SOC 2, PCI DSS, ISO 27001), MSP-grade operations, Petronella XDR with extended retention, and full Petronella vCISO Standard. Typical scope: two hundred fifty to two thousand users or complex multi-entity organizations. Ships in twelve to twenty weeks.
All three include a written Shared Responsibility Matrix making it explicit who owns each control, an annual program review with the executive sponsor, and access to the four-person CMMC-RP bench. Each tier has a published "From" starting price disclosed in the written proposal, scoped to your user count, data sources, regulatory framework, and integration footprint. We do not bill hourly for delivery work.
For organizations with an active engagement in flight, retention pricing is asymmetric: the loyalty credit applies on continuation of the same tier and does not transfer to a downgrade. This is in line with our published pricing policy.
Frequently asked questions
Does the Petronella Secure Data Suite replace Microsoft GCC High?
Is the encrypted system FedRAMP Moderate Equivalent and FIPS 140-3 validated?
How does this compare to a single-vendor compliance accelerator product?
What CMMC controls does the encrypted system cover?
Is data protection only for DoD contractors?
Will Outlook, Gmail, or Apple Mail break?
Does HIPAA Safe Harbor apply if we use this system?
How long does deployment take?
Who actually delivers the engagement?
Do free third-party accounts cost anything?
What does Petronella XDR add on top of encryption?
How do I request a quote?
About the author
Request a data protection quote
Tell us what you need to protect and what frameworks apply. Blake Rea or Craig Petronella replies within four business hours, often sooner.
Related Petronella services
Ready to protect your data the way an auditor will look at it?
Petronella Technology Group, Inc. delivers data protection, compliance documentation, managed detection and response, vCISO governance, and managed-IT operations from Raleigh, North Carolina under CMMC Registered Provider Organization number 1449 and four CMMC-RP practitioners. One firm, one accountable provider, one phone number.
See also: data protection for healthcare HIPAA.