Most organizations don't need a full-time CISO. They need the judgment, the program architecture, and the executive presence — on a retainer that matches where they actually are. That's what Cyber Control Group provides.
You have an IT team, maybe an MSP, maybe a compliance checklist — but no one in the room whose job it is to think about security at the executive level. No one owns your risk posture. No one is watching the program as a whole. And when a contract requires it, or an assessor shows up, that gap becomes visible fast.
Cyber Control Group fills that gap. We provide fractional CISO advisory on retainer — giving defense contractors, startups, and manufacturers the executive-level security leadership, structured program, and CMMC expertise they need without adding a full-time hire. We work alongside your existing IT team or MSP, not in place of them.
Ongoing strategic security leadership on retainer — security program ownership, risk management, policy frameworks, vendor oversight, board and executive reporting, and a single point of accountability for your security posture. Tiered retainer levels scaled to your organization's size and needs.
End-to-end CMMC Level 2 readiness support — gap assessments, System Security Plan development, POA&M management, evidence preparation, and remediation guidance aligned to NIST SP 800-171 and DFARS 252.204-7012. Led by a credentialed CCA who understands what assessors are looking for — and builds your readiness to meet that standard.
The single most impactful decision in your CMMC journey is how much of your environment falls in scope. Most organizations inadvertently over-scope — dragging systems, users, and infrastructure into the CUI boundary that don't need to be there. CCG brings hands-on experience limiting CUI scope to only what is contractually required, then helping leadership decide whether a purpose-built enclave or an enterprise-wide approach makes more sense for their size, contract mix, and operational reality.
Before you commit to a full CMMC Level 2 remediation program, you need an honest picture of where you stand and what it will actually cost. CCG's gap assessment maps your current posture against all 110 NIST SP 800-171 controls and delivers a prioritized remediation roadmap and investment analysis — so leadership can make an informed decision, not a compliance guess.
You just landed your first defense contract. The DFARS clause is in the agreement. You have no SSP, no policies, and no one who owns security. CCG builds your security program from scratch — first policies, first risk assessment, first SSP, and a CMMC readiness posture designed to grow with your contract portfolio without becoming a burden on your team.
Your team is already using AI tools — often without policy, visibility, or any understanding of what data is leaving the environment. For defense contractors, AI use in or adjacent to CUI environments carries specific and underappreciated risk. CCG builds your acceptable use policy, approved tools registry, and shadow AI assessment to get ahead of the exposure before it becomes a compliance or contract problem.
Your CMMC assessment window is approaching. Your SSP is incomplete, your POA&M is a spreadsheet, and no one on your team owns NIST SP 800-171 end to end. We provide the fractional CISO leadership and CMMC readiness support to close that gap — without adding full-time headcount you don't need after the assessment.
You're moving fast, your first DoD contract is in hand, and CMMC just became a requirement you weren't planning for. You need a security program built for where you're going — not a framework dropped on a company that isn't ready for it. We build the architecture that grows with you and gets you through your first assessment.
Your prime is now requiring CMMC. Your production floor handles CUI you didn't know needed to be protected. Your IT environment was built for operations — not compliance. We bridge that gap: building the security program, CUI handling controls, and CMMC readiness posture that keeps you in the supply chain.
A Navy veteran and former VP of Information Security who has led organizations through CMMC Level 2 in complex, fast-moving defense environments. The kind of experience that lets you make the right call under pressure — not just run a framework checklist.
CCG's principal holds both CMMC CCA and CCP credentials and has worked assessments from the assessor side. When we prepare a defense contractor for CMMC, we build readiness that will hold up under scrutiny — because we understand what scrutiny actually looks like.
CISSP, CISM, CRISC, and AAISM-credentialed — but grounded in security operations, not just governance. We can evaluate your stack, your architecture, and your detection capability. When your team pushes back on a security recommendation, we can hold the technical conversation.
CCG's principal founded, scaled, and sold a cybersecurity firm before moving into executive security leadership. We understand that security has to make business sense. The program we build for you will be right-sized for where you are — and built to scale as you grow.
Every CCG engagement is led by Dan DeFay — a Navy veteran, former VP of Information Security, and MSP founder who sold his firm before transitioning into executive security leadership. His credential stack spans risk, governance, compliance, and AI security.
Dan holds dual CMMC credentials administered by ISACA and has worked the assessment process from both sides — giving clients a readiness posture built to hold up under actual assessor scrutiny, not just documentation that looks right on paper.
Based in Huntsville, Alabama — embedded in the Defense Industrial Base and available for remote and on-site engagements nationally.
The conversation doesn't have to be complicated. Tell us where you are: what's driving the need, what you've already got, and what's keeping you up at night. We'll give you a straight answer about whether CCG is the right fit — and what that engagement would actually look like.