IT Services Built for Engineering Firms

The subcontractor compliance cascade. CMMC does not stop at the prime. The moment a prime contractor hands you a specification, a floor plan marked FOUO, a CAD model of a facility, or a calculation package tied to a protected program, you become part of the supply chain that Controlled Unclassified Information flows through. The prime is required to flow down CMMC obligations in every contract and purchase order. Many AE firms are discovering this only when a prime sends a questionnaire demanding proof of Level 2 readiness before the next bid cycle opens. Waiting for that letter is too late.

The three levels, and which one applies to you. Level 1 is self-attested against 17 basic safeguarding practices, suitable only for firms that handle Federal Contract Information and no CUI. Level 2 is the level most engineering subcontractors must actually meet, covering all 110 practices in NIST SP 800-171 and requiring a third-party assessment from an authorized C3PAO every three years. Level 3 adds a further 24 enhanced practices from NIST SP 800-172 and is government-led, reserved for contractors handling the highest-value CUI categories.

Why most engineering firms land at Level 2. If your CAD, BIM, or calculation files ever sit on a workstation that a designer uses to touch a DoD project, you are handling CUI. A Revit model of a base building, a structural calculation for a hangar upgrade, a mechanical schedule for a secure facility. All CUI. That means Level 2 applies to the entire environment that file ever rode through, not just the folder it is stored in. Firms that try to scope CUI down to a single workstation usually fail the assessment, because the scoping boundary is porous in practice.

Petronella's CMMC credentials. Petronella Technology Group is a Registered Provider Organization with the CMMC Accreditation Body, RPO #1449, verifiable at cyberab.org. Craig Petronella holds the CMMC-RP (Registered Practitioner) designation along with CCNA, CWNE, and DFE #604180. The entire team carries the CMMC-RP certification. That means an AE firm working with Petronella gets advisors who have been formally vetted by the accreditation body and who understand the difference between controls that read well on paper and controls that survive an actual C3PAO visit.

What the readiness process looks like. Without disclosing internal methodology, the path we walk clients through covers the outcomes every firm needs: a documented gap assessment against all 110 practices, a Plan of Action and Milestones that satisfies the deadline framework, remediation of the highest-risk gaps first, a full mock assessment to rehearse for the real audit, and hand-off to a C3PAO for the third-party certification. The deliverable is a firm that walks into the assessment with paperwork, screenshots, and a system security plan that match reality.

Common CMMC pitfalls for engineering firms. First, treating CMMC like HIPAA. HIPAA allows a reasonable-and-appropriate defense. CMMC does not. Every practice is pass or fail. Second, assuming the prime will carry the load. The prime will flow down the requirement, but it will not perform your compliance work. Third, leaving CAD and BIM workstations on a flat network shared with guest wifi, printers, and the receptionist's laptop. A flat network expands the CUI boundary across the whole office. Fourth, letting designers keep personal Dropbox, Google Drive, or OneDrive accounts on their work machines. Any of those sync paths becomes an unsanctioned CUI exfiltration route.

For the full readiness workflow, see the CMMC compliance guide, or download the CMMC Readiness Guide for a printable checklist you can take into your next leadership meeting. When you are ready to scope the work, call Penny on our digital twin line at (919) 348-4912 and she will qualify your situation and book a real conversation with an engineer who carries the RP credential.

Why "ChatGPT at work" is a legal time bomb for AE firms. The moment a designer pastes a specification into a public chat tool to tidy up the language, that specification enters a foreign training corpus. The moment a proposal writer asks a public model to summarize a prior winning RFP response, that RFP response becomes reference material for every competitor who queries the same tool next week. IP ownership clauses in your client contracts say that the work product belongs to the client. Client NDAs forbid disclosure to third parties without written consent. Export control regulations under ITAR and EAR criminalize the transfer of controlled technical data to foreign persons, which is exactly what a cloud-hosted public model becomes when it runs in a foreign data center. There is no cleanup path once the paste has been made. You can sue your own employee for violating policy, but you cannot un-train a model.

The private AI boundary. Petronella operates an enterprise private AI cluster where the inference, the embeddings, the retrieval, and the logs all stay inside your control boundary. Nothing leaves the network you own. The model reads your library. It does not ship your library somewhere else. See the private AI cluster overview for the architecture and the AI services page for the engagement pattern.

What engineering firms actually use private AI for. The outcome list is long, and every item removes billable-hour friction. Assisted specification drafting that mirrors your firm's preferred voice and standards. Design standard compliance checks that flag deviations before they reach the checker's desk. Proposal template generation that pulls from your library of past wins instead of from a generic corpus. Legacy project search that finds the sheet, the calc, the detail, and the email thread in seconds instead of hours. RFI triage that routes the inbound question to the right discipline with a suggested draft response. Junior engineer training that answers the "why do we always do it this way" question with real citations from your own QA history. CAD library curation that surfaces duplicates, out-of-date blocks, and orphaned families your engineers keep rebuilding from scratch.

Data sovereignty framed simply. When our private AI cluster suggests a spec paragraph or drafts a proposal section, it is reading your library. It is not leaking your library. That sentence is the entire design brief for every AI system we build inside a regulated client. When we set up a cluster, we can show you the network diagram, the storage encryption keys you own, the audit log that records every query, and the uninstall procedure if you ever want to walk away with the model weights and the embeddings you paid us to compute.

We run the AI we sell. Petronella Technology Group runs more than a dozen production AI agents inside our own business today. That is how we know what breaks, what scales, and what is theater. The generic managed service provider down the street is pitching you AI they have not run themselves. That is a tell. Ask any vendor who walks through your door how many of their own business processes they have automated on the model they are proposing to sell you. If the answer is less than ten, ask another vendor.

To go deeper, download the Zero-Trust AI 2026 guide which covers the control framework in full, and call Penny at (919) 348-4912 to book a private AI scoping call. We will walk your environment, listen to what your engineers actually spend their day doing, and come back with a private-cluster design that fits your firm.

The two calls you are losing right now. A West-coast subcontractor sends an RFI at eleven at night Eastern time. Nobody picks up. By nine the next morning the question has either been routed to the wrong discipline or dropped into a voicemail inbox that gets checked once a week. Meanwhile, a prospect found your firm from a referral, called at six in the morning before anyone was in the office, got voicemail, hung up, and dialed the next name on the list. Both of those are revenue. Both are gone.

What a digital twin actually does. Petronella deploys private AI digital twin voice assistants that sound like a real member of your team, answer in your firm's voice, qualify the inbound call against your actual intake criteria, book the next step on your real calendar, and escalate only genuinely qualified leads to a human. They run twenty-four hours a day, seven days a week, including the hours when your human staff are asleep, in a project meeting, or driving back from a site visit. The caller experience is a warm, patient conversation that solves the problem in front of them.

The fleet we have in production. At Petronella, Paul is the digital twin of Craig, our founder. Bob is the digital twin of Blake, who runs compliance. Eve handles the AI practice inquiries. Joe handles compliance triage. Harper and Alex each cover a different intake pattern. Penny is our sales qualifier. Every one of those agents is built, trained, and hosted inside our own private AI cluster, so the voices, the scripts, the calendars, and the escalation paths are all under our control. Your firm's digital twin is built the same way, with your people's voices, your intake logic, and your calendar rules.

Why it matters more for engineering than for most verticals. Engineering RFIs are time-sensitive, often technical, and arrive from project stakeholders who expect immediate routing. A voicemail that sits for twelve hours has a cost. The client does not wait. The contractor does not wait. The schedule does not wait. A digital twin that can answer, capture the RFI cleanly, route it to the right discipline lead by text or email inside of two minutes, and book the call-back on the engineer's calendar is a force multiplier for a small office that would otherwise need a second receptionist to cover the same workload.

Hear what we build. Call Penny at (919) 348-4912 right now and have a real conversation with a digital twin agent. See the digital twin voice overview for deployment options, or reach out through contact us to scope a build for your firm.