Regulatory Alert

DFARS proposed rule — FOCI requirements extended to 40,000+ unclassified contractors over $5M. Comments close July 6, 2025.

Defense Industrial Base Advisory

The Experience Is Real.
So Is the Accountability.

FOCI mitigation, CMMC compliance, and AI deployment inside GCC High — from a practitioner who has operated under these frameworks for over two decades, not just consulted on them.

25+ Years Experience
16+ Years FOCI / DIB
Former CISO & VP IS — FOCI-Mitigated Contractor, 2009–2025
16+ Years FOCI-Mitigated Contractor
Azure GCC High · AI Production Deployments
NIST · CMMC · NISPOM · RMF · ISO 27001
DCSA Engagement · SSA · Proxy Agreements
Core Services

Where Compliance Expertise Meets Operational Reality


FOCI Advisory

SF 328 filings, DCSA engagement, and SSA/mitigation agreement navigation. From initial disclosure through executed agreement — with 16+ years of lived experience in FOCI-mitigated environments.


CMMC Compliance

Gap assessments, SSP and POA&M development, scoping, and audit preparation for CMMC Level 2 and Level 3. Built around NIST SP 800-171 Rev 3 and the 32 CFR Part 170 final rule.


AI in GCC High

Azure OpenAI, RAG architecture, and enterprise AI assistants deployed inside your CMMC boundary. Production-tested design patterns that won't blow up your compliance posture.


Fractional vCISO

Ongoing security leadership without the full-time overhead. Strategy, board reporting, vendor evaluations, incident response planning, and compliance program management on retainer.

25+ Years in Enterprise IT & Cybersecurity
16+ Years Inside a FOCI-Mitigated Contractor
3 Disciplines: AI · CMMC · FOCI — in One Advisor
Why Fulcrum Advisory

You Don't Need Another Consultant Who Read the Framework Last Month

The defense industrial base has a consultant problem: plenty of people who know the frameworks, almost nobody who has operated under them at scale, under live DCSA scrutiny, where the stakes were real.

01

Practitioner, Not Theorist

16+ years as VP of IS and CISO inside a FOCI-mitigated defense contractor. Every recommendation comes from building and operating these systems in production.

02

The Only Advisor Covering All Three

FOCI, CMMC, and GCC High AI deployment are increasingly intersecting. Fulcrum Advisory is one of very few firms with hands-on depth across all three simultaneously.

03

Inside the Environment, Not Outside It

16 years inside a DCSA-scrutinized environment means advice held to the same standard we applied when compliance outcomes were our direct responsibility.

04

Built AI in a CMMC Environment

Designed and deployed enterprise AI (Azure OpenAI + RAG) inside a GCC High CMMC-scoped environment — not a proof of concept, in production use.

Latest Insights

Analysis From the Field

FOCI · Regulatory
May 12, 2025  ·  8 min read

What the New DFARS FOCI Rule Means for 40,000 Defense Contractors

The May 7 proposed rule extends FOCI requirements to unclassified contracts over $5M. Here's what triggers the 90-day clock and what to do before it starts.

AI · GCC High · CMMC
March 3, 2025  ·  11 min read

Deploying AI Inside a CMMC Boundary Without Destroying Your Compliance Posture

The three decisions that determine whether your AI deployment is CMMC-compliant before a single line of code is written.

CMMC · Compliance
January 14, 2025  ·  7 min read

CMMC Final Rule Is Live: The Clock Is Running for 80,000 Contractors

32 CFR Part 170 took effect December 16, 2024. What's actually changed from CMMC 2.0 and what your first 90 days should look like.

Get Started

Ready to Talk? Every Inquiry Is Answered Directly.

No sales team. No intake forms routed to juniors. Direct access to 25 years of expertise.
