Navy Fire Controlman. MSP founder and acquiree. VP of Information Security at a defense drone company. Now running Cyber Control Group — delivering fractional CISO leadership and CMMC readiness to defense contractors, startups, and manufacturers across the DIB.
CMMC CCA and CCP credentialed — understanding the assessment methodology from both sides. NIST SP 800-171 control validation, SSP development and review, POAM management, evidence collection, and assessment preparation across DFARS 252.204-7012.
Policy framework development, risk management, third-party risk, and security governance aligned to NIST CSF 2.0, ISO 27001, and CIS Controls. Built security programs from the ground up in complex, multi-framework environments.
Detection engineering, incident response architecture, and security stack evaluation. A SecOps background that most compliance-focused practitioners don't carry — able to evaluate your environment technically, not just documentarily.
Deep familiarity with the defense supply chain security landscape — prime and sub-tier contractor obligations, ITAR-controlled environments, CUI scoping, and CMMC security requirements across manufacturing and integration operations. Built for manufacturers and integrators in the DIB who need security leadership that understands their operating environment.
Supporting organizations navigating NIST AI RMF requirements and shadow AI exposure. Acceptable use policy development, approved tools governance, and AI risk assessment in defense and commercial environments.
Translating security posture, compliance milestones, and risk exposure into business language for senior leadership and boards. Experienced delivering executive briefings across defense and regulated industries — CMMC status reporting, risk dashboards, and board-level security program summaries that drive decisions, not just inform them.
Most fractional CISOs come from the GRC side. They know the frameworks, they can write the policies, and they'll hand you a gap report. What they can't do is walk into a room with your program manager, your IT team, and your DCSA representative and hold the technical, operational, and compliance conversation simultaneously. That's the difference.
As VP of Information Security at a defense drone technology company, I built the security program from the ground up while simultaneously running CMMC Level 2 and ISO 27001 — in a fast-moving environment with real contract pressure and real DCSA visibility. I know what it looks like when compliance meets operations under a deadline.
Holding both CMMC CCA and CCP credentials administered by ISACA means I've studied the assessment methodology from the assessor side, not just the contractor side. When I prepare your organization for a CMMC Level 2 assessment, I build documentation, evidence packages, and control implementations that are designed to hold up under actual scrutiny — not just look complete.
Based in Huntsville, Alabama — the heart of the U.S. Army's missile and space command infrastructure. I work with defense contractors, primes, and sub-tier suppliers across the Redstone Arsenal ecosystem and am available for on-site engagements nationally. When your prime is in Huntsville, so am I.
CCG stays in the advisory lane — which means you get a CISO who isn't trying to sell you managed services or own your implementation. When your engagement requires technical build-out, CUI enclave architecture, or MSSP services, I bring vetted delivery partners into the engagement. CCG coordinates; you don't have to manage multiple vendors. C3PAO and MSP partnerships are available for organizations that need assessment or implementation alongside advisory.
Fractional CISO and CMMC advisory practice serving the Defense Industrial Base — defense contractors, defense startups, and defense manufacturers. Bringing executive-level security leadership on a retainer model to DIB organizations that need the program architecture, the CMMC expertise, and the executive presence — without the full-time headcount.
Joined as PDW's first Information Security hire — building the enterprise security program from the ground up at a fast-growing drone technology company in the defense and aerospace sector. Led concurrent CMMC Level 2 and ISO 27001 programs as a CCA-credentialed practitioner, with full ownership of security strategy, policy development, risk management, and executive reporting.
Joined post-acquisition as Chief Security Officer — serving as the senior security leader across a national client base spanning cybersecurity and managed IT services. Led executive-level security advisory engagements with a focus on zero-trust architecture, security program development, and compliance-driven strategy.
Founded SmartFirm IT as a solo operator and scaled it into a full-service cybersecurity and managed IT firm serving professional services clients nationally. Built repeatable security programs aligned to CIS Controls and NIST frameworks. Successfully exited through strategic acquisition in 2023.
Served clients nationally as an embedded IT and security resource for a legal technology firm specializing in document management and billing applications. Developed deep familiarity with professional services data governance and the security challenges of highly regulated client environments.
Supported network and database infrastructure at a large regional professional services firm — approximately 250 staff across four offices. Progressed from helpdesk support into network and database administration through hands-on mentorship and self-directed learning.
Operated, maintained, and repaired the NATO SeaSparrow Missile System aboard a forward-deployed aircraft carrier. The FC rating combines advanced electronics, weapons systems integration, and real-time operational decision-making — building foundational discipline in precision and high-stakes troubleshooting that has carried through every technical role since.
A dual major combining technology systems thinking with global business context — and a Japanese minor reflecting time spent living and working in Yokosuka during naval service.
The conversation is straightforward. Tell me where you are — your contract situation, your current security posture, what's driving the timeline. I'll give you an honest read on what CMMC readiness actually looks like for your organization and whether CCG is the right fit to get you there.