Regulatory Alert

New Proposed Rule, May 7, 2026: DoD proposes FOCI disclosure and mitigation obligations for unclassified contracts above $5M, implementing Section 847 of the FY 2020 NDAA. SF 328 requirements and mitigation timelines may apply to contractors who have never faced a FOCI review. Comment period open. Read our analysis →

Defense Industrial Base Advisory

Built From Inside the Defense Industrial Base.
Not Consulting Into It.

FOCI mitigation, CMMC compliance, and AI deployment inside GCC High. Built on 25+ years of operating under these frameworks inside the defense industrial base, not advising on them from the outside.

Schedule a Call View Services
25+ Years Experience
16+ Years FOCI / DIB
Practitioner Experience From Inside the Industry
Extensive Experience Inside FOCI-Mitigated Environments
Azure GCC High · AI in Production · CMMC-Scoped
NIST · CMMC · NISPOM · RMF · FOCI · ISO 27001
DCSA Engagement · SSA · Mitigation Agreement Compliance
Core Services

Where Compliance Expertise Meets Operational Reality

View All Services

FOCI Advisory

DCSA engagement and SSA/mitigation agreement navigation. From initial disclosure through executed agreement, with extensive lived experience inside FOCI-mitigated environments.

Learn more →

CMMC Compliance

Gap assessments, SSP and POA&M development, scoping, and audit preparation for CMMC Level 2 and Level 3. Built around NIST SP 800-171 Rev 3 and the 32 CFR Part 170 final rule.

Learn more →

AI in GCC High

Azure OpenAI, RAG architecture, and enterprise AI assistants deployed inside your CMMC boundary. Production-tested design patterns that won't blow up your compliance posture.

Learn more →

Fractional vCISO

Ongoing security leadership without the full-time overhead. Strategy, board reporting, vendor evaluations, incident response planning, and compliance program management on retainer.

Learn more →
25+ Years in Enterprise IT & Cybersecurity
16+ Years Inside a FOCI-Mitigated Contractor
3 Disciplines: AI · CMMC · FOCI — in One Advisor
Why Fulcrum Advisory

You Don't Need Another Consultant Who Read the Framework Last Month

The defense industrial base has a consultant problem: plenty of people who know the frameworks, almost nobody who has operated under them at scale, under live DCSA scrutiny, where the stakes were real.

01

Operating Experience, Not Framework Study

Our background includes extensive experience operating as IS and security leadership inside a FOCI-mitigated defense contractor. Every recommendation comes from building and running these programs in production under real DCSA scrutiny.

02

Three Disciplines. One Firm.

FOCI, CMMC, and GCC High AI deployment are increasingly intersecting. Fulcrum Advisory is one of very few firms with hands-on depth across all three — so the compliance picture stays coherent as your needs evolve.

03

Inside the Environment, Not Outside It

Our team has operated under the same frameworks we now advise on — inside live DCSA-scrutinized programs where compliance failures had real consequences. That accountability shapes how we work.

04

Built AI in a CMMC Environment

We designed and deployed enterprise AI (Azure OpenAI + RAG) inside a GCC High CMMC-scoped environment — not a proof of concept. In production use. That's the difference between architecture advice and a vendor pitch.

Technology Products

FulcrumFOCI

The first purpose-built FOCI compliance management platform for cleared defense contractors. Engineered for SSA, Proxy, SCA, and Board Resolution mitigation agreements.

  • ECP / TCP / AOP document lifecycle management
  • Annual GSC compliance report automation
  • DCSA inspection readiness dashboard
  • Visitor management and foreign national tracking
  • Travel and interaction request workflows
  • AI-assisted FOCI policy Q&A (Tier 3)
Latest Insights

Analysis From the Field

All Articles
FOCI · Regulatory
May 12, 2025  ·  8 min read

What the New DFARS FOCI Rule Means for 40,000 Defense Contractors

The May 7 proposed rule extends FOCI requirements to unclassified contracts over $5M. Here's what triggers the 90-day clock and what to do before it starts.

AI · GCC High · CMMC
March 3, 2025  ·  11 min read

Deploying AI Inside a CMMC Boundary Without Destroying Your Compliance Posture

The three decisions that determine whether your AI deployment is CMMC-compliant before a single line of code is written.

CMMC · Compliance
January 14, 2025  ·  7 min read

CMMC Final Rule Is Live: The Clock Is Running for 80,000 Contractors

32 CFR Part 170 took effect December 16, 2024. What's actually changed from CMMC 2.0 and what your first 90 days should look like.

Get Started

Ready to Talk? Every Inquiry Is Answered Directly.

No sales team. No intake forms routed to juniors. Direct access to 25 years of expertise.

Schedule a Call Send an Email