Cybersecurity · vCISO · CMMC

Eyes on the stars.
Security on Earth.

A nomadic security practice for DoD contractors and small-to-mid businesses navigating CMMC, compliance, and the long trail to a mature security program.

CMMC Level 2 · NIST SP 800-171 · FAR / DFARS · vCISO Engagements · Gap Analysis · Policy Authoring · SSP & POA&M · C3PAO Readiness

01 — Services

Three trails. One destination — a security program you can actually defend.

Whether you need a fractional security leader, a clean compliance audit, or a clear-eyed read on where the gaps are, we work alongside your team and pack out what we pack in.

⊹ 01 / vCISO

Virtual CISO

Executive-level security leadership without the executive headcount. Strategy, board reporting, vendor reviews, incident drills — embedded with your team on a cadence that fits.

  • Roadmap & budgeting
  • Policy & governance
  • Vendor / 3rd-party risk
  • Board & client reporting
⊹ 02 / Compliance

Compliance Audits

End-to-end CMMC and NIST 800-171 audits run by someone who has been the technical lead through a successful C3PAO assessment. Not theory — receipts.

  • CMMC L1 / L2 readiness
  • NIST 800-171 audit
  • SSP & POA&M authoring
  • C3PAO assessment support
⊹ 03 / Gap Analysis

Gap Analysis

A full survey of your current state against the standard you need to meet. Where you are, where you need to be, and the specific terrain in between — with a prioritized plan, not a wish list.

  • Control-by-control review
  • Evidence inventory
  • Risk-ranked remediation plan
  • Executive briefing
110/110 Controls passed · C3PAO assessment
02 — Track record

Implemented every NIST 800-171 control. Then stood in the room when the assessor showed up.

Served as technical lead during a successful C3PAO CMMC Level 2 assessment — designing the controls, gathering the evidence, and answering for it on the record. The same playbook is what we bring to every engagement.

L2 · CMMC scope
100% · Pass rate
Tech lead, on-site
03 — Credentials

Certified, and still climbing.

A working list of what's in the pack. Every cert represents a standard we've been tested against — not a logo on a slide.

  • Earned: CISSP (Certified Information Systems Security Professional · ISC²)
  • Earned: CCP (Certified CMMC Professional · Cyber AB)
  • Earned: CCA (Certified CMMC Assessor · Cyber AB)
  • Earned: CASP+ (CompTIA Advanced Security Practitioner · CompTIA)
  • Earned: Security+ (CompTIA Security+ · CompTIA)
  • Field experience: C3PAO (Technical lead through a successful Level-2 assessment)
  • Aligned to: 800-171 (NIST SP 800-171 / 172 control families)
  • Aligned to: DFARS (DFARS 252.204-7012 / 7019 / 7020 / 7021)

04 — How we work

A four-stop trail from base camp to summit.

Most engagements move through the same four phases. Pace varies — we'll match yours.

Stop 01 — Survey

Discovery call

30 minutes to map the terrain — your scope, deadlines, and what success looks like for your contract or your board.

Stop 02 — Map

Gap analysis

Control-by-control assessment of where you stand against the standard you need. A written report, ranked by risk and effort.

Stop 03 — Climb

Implementation

Hands-on work with your team — policies, technical controls, evidence collection, and the SSP / POA&M that ties it together.

Stop 04 — Summit

Assessment

We're in the room with you when the C3PAO arrives. After: continuous monitoring, vCISO retainer, or hand-off — your call.

Security Nomads
Wherever the work takes us
05 — About

Built by a practitioner, not a sales deck.

Security Nomads is a small, deliberate practice. We aren't a body shop and we aren't a reseller. The same person who scopes the work does the work, sits in the assessment, and answers your phone at 7pm when something looks wrong.

"I've stood at the front of the room as technical lead through a C3PAO assessment with all 110 controls passed. That's the bar I bring to your program."

Holding CISSP, CCP, CCA, CASP+, and Security+. Central time, available across any timezone on request.

Let's talk

Plot the route. We'll walk it with you.

  • Response time: Within 24 hours · Mon–Fri
  • Coverage: Any timezone, on request
  • Engagement: Remote-first · Available on-site