vCISO Foundations: Building a Compliance Program from Scratch

Dec 15 through Dec 16, 2026  |  Virtual 2-Day Intensive  |  10:00 AM ET

Two-day intensive for technology leaders stepping into virtual CISO responsibility. Covers risk assessment methodology, policy framework selection, compliance roadmap construction, board reporting, and budget defense. Designed for fractional CISOs and compliance directors at small-to-midsize federal contractors.

Topics: NIST CSF, NIST 800-171, Risk Management, Governance
Instructor: Carl B. Johnson  |  Location: Virtual (Zoom)
Tuition: $1,695

What This Session Covers

This two-day intensive is built for the practitioner who has just inherited—or is about to build—a compliance program with limited staff, limited budget, and real regulatory obligations. Working from the ground up, instructor Carl B. Johnson guides participants through every stage of standing up a defensible security and compliance function at a small-to-midsize federal contractor.

Risk Assessment Methodology

Day one opens with a structured approach to risk assessment grounded in NIST Cybersecurity Framework (CSF) Identify and Protect functions. Participants work through scoping decisions, asset classification, threat modeling, and likelihood-impact scoring so that every downstream compliance decision is traceable to documented risk. The same methodology feeds directly into the risk register artifact participants build during the session.

Policy Framework Selection and Construction

Not every contractor needs the same policy stack. This module walks through how to select and right-size a policy framework anchored to NIST SP 800-171 control families—covering access control, configuration management, incident response, and the remaining families—while avoiding the over-engineering that stalls small programs. Participants draft a policy gap analysis against their current documentation posture.

Compliance Roadmap Construction

With risk and policy baselines established, day two shifts to sequencing. Participants learn how to build a phased compliance roadmap that prioritizes high-risk control gaps, assigns ownership, and sets measurable milestones. The roadmap format is designed to survive leadership turnover and serve as the single source of truth for program status.

Board Reporting and Budget Defense

A compliance program that leadership does not understand will not receive the resources it needs. This module covers translating technical findings into executive-ready language, structuring a board-level risk summary, and constructing a budget justification that ties control investments to specific risk reduction outcomes. Participants leave with a reusable reporting template and talking points for their next budget cycle.

What You Will Leave With

This training is artifact-driven. By the end of day two, each participant will have produced or substantially completed the following working documents:

  • A risk register populated with your organization's asset classes and prioritized threats
  • A policy gap analysis mapped to NIST SP 800-171 control families
  • A phased compliance roadmap with ownership fields and milestone criteria
  • A board-ready risk summary template formatted for non-technical leadership
  • A budget defense narrative connecting control costs to measurable risk reduction

Beyond documents, participants will be able to facilitate a risk assessment, select an appropriate governance framework, and hold a credible conversation with both auditors and executives about program status. Organizations that want ongoing vCISO support after the training can explore Regulatory vCISO Services or learn how Compliance Program Development engagements can accelerate implementation.

Who Should Attend

This session is designed for two overlapping groups: compliance practitioners (IT security managers, compliance analysts, and program managers at defense and federal contractors) who have been asked to own or build a compliance function without a large team behind them, and fractional or newly appointed CISOs who need a repeatable, defensible methodology rather than a blank page to start from.

If you manage someone who holds a title like Compliance Manager, IT Security Lead, or Security Program Director—or someone who just accepted a vCISO engagement at a contractor organization—this training gives them the structure and deliverables to be effective immediately. It is particularly well-suited to organizations navigating CMMC, CUI handling requirements, or DFARS obligations for the first time. Teams working through those specific requirements may also benefit from reviewing CMMC, CUI & DFARS Compliance services alongside this training.

Ready to Build Something That Holds Up?

Compliance programs fail when they are built reactively, documented inconsistently, or explained poorly to the people who fund them. This intensive exists to fix all three problems at once. Participants leave with real artifacts, a tested methodology, and the professional language to take their program seriously—and get others to do the same.

Questions About This Session?

Ask about group rates, private delivery of this curriculum for your team, or whether this session fits your compliance roadmap.
