Question 1

What is CMMC and do we need it?

Accepted Answer

CMMC (Cybersecurity Maturity Model Certification) is the DoD's framework requiring defense contractors to demonstrate cybersecurity maturity through third-party assessment. If your contracts include DFARS clause 252.204-7021 or you handle Controlled Unclassified Information (CUI), you need CMMC certification. Level 1 covers basic safeguarding of Federal Contract Information (FCI) through self-assessment. Level 2 requires C3PAO assessment against all 110 NIST 800-171 controls for organizations handling CUI. Level 3 adds government-led assessment against NIST 800-172 enhanced controls. The DoD is phasing CMMC requirements into contracts starting in 2025, and contractors without certification will be ineligible for covered awards. Petronella Technology Group, Inc. prepares contractors for Level 2 and Level 3 assessment success.

Question 2

What is the difference between GCC and GCC High?

Accepted Answer

Microsoft 365 GCC is a government community cloud environment with U.S.-based data centers and background-screened personnel, suitable for government agencies and contractors handling FCI but not CUI. Microsoft 365 GCC High provides enhanced isolation meeting FedRAMP High, DFARS, and ITAR requirements -- necessary for contractors processing CUI or ITAR-controlled technical data. Key differences include data sovereignty (GCC High data never leaves U.S. sovereign control), personnel screening (all support personnel are screened U.S. persons), network isolation (GCC High operates on a separate network from commercial and GCC environments), and compliance certifications (GCC High holds FedRAMP High authorization). If your contracts require NIST 800-171 compliance or involve ITAR data, you almost certainly need GCC High. We assess your specific requirements and recommend the appropriate environment.

Question 3

How long does CMMC preparation take?

Accepted Answer

Timeline depends on your current security posture and the scope of remediation required. Organizations with strong existing security programs and limited gaps may reach assessment readiness in 3-6 months. Organizations requiring significant infrastructure changes -- cloud migration, enclave architecture, new security tools, policy development -- typically need 6-12 months. Complex environments with multiple locations, large user populations, or extensive CUI scope may require 12-18 months. The critical path is usually cloud migration (GCC High) and security tool deployment, while documentation and policy development proceed in parallel. We provide detailed project plans with milestones during the initial assessment phase so you can plan resources and timelines accurately. Do not wait until a contract requires CMMC -- start preparation now to avoid losing bid eligibility.

Question 4

What is a CUI enclave and do we need one?

Accepted Answer

A CUI enclave is a segmented network environment specifically designed to process, store, and transmit Controlled Unclassified Information, isolated from your general business IT infrastructure. Enclaves are beneficial because they minimize your CMMC assessment scope -- only systems within the enclave boundary require full NIST 800-171 control implementation. Without an enclave, every system in your organization that could potentially access CUI falls within assessment scope, dramatically increasing compliance cost and complexity. A well-designed enclave includes dedicated network segments with firewall-controlled access, compliant cloud environments (GCC High), hardened workstations or VDI for CUI access, FIPS-validated encryption, and comprehensive monitoring. We recommend enclave architecture for most contractors because it reduces compliance scope, strengthens security, and provides clear boundaries for assessors. The investment in enclave design typically pays for itself through reduced assessment scope and simplified ongoing compliance.

Question 5

Can you support ITAR compliance requirements?

Accepted Answer

Yes. We implement IT infrastructure and security controls that satisfy ITAR requirements for organizations handling defense articles, technical data, and defense services regulated under the International Traffic in Arms Regulations. ITAR requires that technical data is accessible only by U.S. persons, that cloud environments meet ITAR data sovereignty requirements (GCC High satisfies this), and that physical and logical access controls prevent deemed exports to foreign nationals. Our ITAR IT solutions include identity verification enforcing U.S. person status, GCC High cloud environments with sovereign data controls, network segmentation and access control preventing unauthorized access, encryption meeting FIPS 140-2 standards, and integration with your Technology Control Plan. We work alongside your export compliance team to ensure IT controls align with DDTC registration and agreement requirements.

Question 6

What happens during a cyber incident under DFARS?

Accepted Answer

DFARS 252.204-7012 imposes specific obligations when a cyber incident affecting covered defense information occurs. You must report the incident to the DoD Cyber Crime Center (DC3) within 72 hours of discovery, preserve forensic images of affected systems for at least 90 days, submit malicious software discovered during the incident, and provide DoD access to additional information or equipment for forensic analysis upon request. Our incident response plan is specifically designed to satisfy these DFARS obligations. When an incident occurs, our team immediately contains the threat, preserves forensic evidence with chain-of-custody documentation, creates forensic images suitable for DC3 submission, coordinates the 72-hour report filing, and manages communication with your contracting officer and prime contractor. Our Licensed Digital Forensic Examiner ensures investigations meet the evidentiary standards required for government review.

Question 7

Do subcontractors need CMMC certification too?

Accepted Answer

Yes. CMMC flow-down requirements mandate that subcontractors processing, storing, or transmitting CUI on behalf of a prime contractor must achieve the CMMC level specified in the prime contract. This applies throughout the supply chain -- sub-tier contractors must meet the same requirements as first-tier subcontractors. If you are a prime contractor, your subcontractors' compliance status directly affects your own compliance and contract eligibility. If you are a subcontractor, your ability to win subcontracts depends on achieving and maintaining the required CMMC certification level. We help both primes and subs navigate flow-down requirements, assess subcontractor compliance, and implement technical solutions that enable secure information sharing while maintaining each party's compliance boundary.

Question 8

How much do federal contractor IT services cost?

Accepted Answer

Federal contractor IT services cost more than standard commercial managed services because the compliance requirements, security tooling, cloud environments (GCC High licensing), and specialized expertise demand significantly higher investment. Monthly managed services for compliant environments typically range from $150-$300 per user depending on scope, user count, and environment complexity. CMMC preparation engagements range from $50,000-$250,000+ depending on current posture, gap severity, and organizational complexity. GCC High migration projects typically require $25,000-$100,000+ depending on user count, data volume, and integration complexity. While these costs are substantial, they are a fraction of the revenue at risk from lost contract eligibility, DFARS non-compliance penalties, or data breach consequences. We provide detailed proposals with transparent pricing after initial assessment so you can budget accurately and make informed investment decisions.

Managed IT Built for Federal Contractors

Why Generic MSPs Cannot Serve Federal Contractors

What Federal Contractors Need

What We Deliver Beyond IT

Managed IT for Federal Contractors

CMMC Assessment Preparation

Microsoft 365 GCC High and Azure Government

NIST 800-171 Implementation

CUI Enclave Architecture

Managed Security Operations

ITAR Compliance and Export Control IT

Generic MSP vs. Federal-Ready IT

Commercial Cloud for Government Data

Two Vendors, No Accountability

CUI Scattered Everywhere

GCC High Government Cloud

One Provider, Complete Accountability

Defined CUI Enclave

Our Engagement Process

Compliance gap assessment with CUI scoping and SPRS scoring

Architecture design: enclave boundaries, GCC High, network segmentation

Technical implementation, cloud migration, and control deployment

SSP development, policy creation, and employee training

Pre-assessment readiness review simulating C3PAO evaluation

Ongoing managed IT, security monitoring, and continuous compliance

Federal Contractor IT FAQ

Explore More

CMMC Compliance

NIST 800-171 Compliance

Schedule an Appointment

Stop Managing Two Vendors for IT and Compliance