CMMC doesn't have to mean overspending, ripping out your IT environment, or moving to GCC High and hoping that's enough. There's a better way — and it starts with someone who has actually been through and passed an assessment.
Most consultants pick a lane. I don't.
Plenty of consultants will get you "CMMC ready" — a light gap assessment, a stack of policy templates, and a report listing what they think is missing. Then the technical work is left to you. That doesn't leave you ready for anything.
The real difference is that I cover the full picture: writing the policies, implementing the technical controls, and guiding the strategic decisions that connect the two. Whether you're just starting your CMMC journey, months from assessment, or somewhere in between — I can plug in at whatever stage you're at and for whatever you need.
When it's assessment time, the gaps become your problem
Shared responsibility matrices that leave critical controls unassigned
Documentation that doesn't meet evidence standards
Technical controls that were never truly implemented
Policies that read well but aren't enforced
Evidence gaps that force expensive remediation
Assessment delays that cost you contracts
I don't just see the gaps — I see the options for solving them. I evaluate vendors, weigh operational costs, write the policies, configure the controls, and hand it off clean.
In October 2025 I led a 200-person professional-services firm through a CMMC Level 2 assessment and passed on the first attempt with a perfect score — no POA&Ms, no remediation. The C3PAO later came back to ask how we were so well prepared.
0
POA&Ms at assessment
110
NIST 800-171 controls, hands-on
200
user org led to certification
25+
years in IT & engineering
I know what assessors look for
Not from reading the framework — from sitting across from assessors as they asked the questions, reviewed the evidence, and validated the controls. I know what a defensible, maintainable SSP looks like and how to write one. I know the evidence they need to confirm that controls aren't just switched on today, but governed and maintained over time.
Three decades of solving hard problems
I've worked as the owner, consultant, engineer, validator, and trusted advisor across many industries and companies of all sizes. 7+ years as an automation and validation engineer in regulated pharma. 15+ years building and leading an IT managed-services firm. I've worked GMP pharma audits, OCC bank exams, HIPAA and PCI initiatives, and most recently a CMMC Level 2 audit. I'm current across Microsoft 365 (including GCC), Azure, and Google Cloud. I don't just see the gaps — I see the options for solving them, evaluate vendors, implement the fix, write the documentation, and hand it off clean when my work is done.
If you need someone who sees the whole picture — not just a list of deficiencies — let's talk.
From a quick gut-check to full implementation. Every engagement starts with a free intro call, scales to your needs, and bills only for the hours you use.
01Ad-hoc Advisory
Hourly · As needed
On-demand strategic clarity. Targeted technical working sessions, email access for burning framework questions, and an expert "BS detector" to sit in on your vendor meetings.
Best for teams that need answers fast, without a long-term commitment.
02Structured Readiness Review
2–3 weeks · Foundation
An independent, deep-dive verification before you pay for a C3PAO assessment: documentation and SSP review, technical verification across core control families, a gap analysis mapped to NIST 800-171, and a straight Ready / Not-Ready call with a prioritized remediation roadmap.
Best for contractors approaching assessment who need the truth. Prerequisite for ongoing support.
03Targeted Advisory
Monthly retainer
Ongoing compliance and technical oversight at a predictable monthly budget. Recurring meeting attendance, continuous SSP and policy review, control interpretation turned into engineering decisions, an independent check on your MSP's work, and executive briefings to translate compliance into business outcomes.
Best for contractors with internal IT or an MSP who need an independent compliance voice.
04Comprehensive Implementation
6–12 months · End-to-end
Everything in the Readiness Review, plus hands-on configuration of all 110 controls, documentation and custom policy development, evidence strategy and validation, mock assessments and interview drills, and direct C3PAO coordination.
Best for contractors who want one partner to build, configure, and manage it all.
Not sure where you fit? Start with a free intro call — we'll figure out the right path together.
