Essex Junction, VT802-335-2662dkoran@davidkoran.com
DK
David Koran& Associates
Independent Cybersecurity Advisory

Cybersecurity has to work in the operation, not only in the documentation.

David Koran & Associates Inc. is an independent cybersecurity maturity, compliance, and operational risk advisory serving industrial, maritime, and defense-sector organizations. I evaluate cybersecurity maturity, regulatory obligations, technical implementation, operational dependencies, and supporting evidence onsite, in the environment where the controls have to operate. The practice covers three connected areas: C2M2 maturity assessments, maritime cybersecurity, and CMMC and Defense Industrial Base cybersecurity.

Scope of an Engagement

What an assessment examines

  • Governance and cybersecurity maturity
  • IT and OT assets and dependencies
  • Access, vendors, and remote connectivity
  • Policies, records, and evidence
  • Operational and regulatory exposure
  • Prioritized remediation
30+
Years in IT
2002
Cybersecurity Since
US
National Onsite Engagements
CyberAB Registered Practitioner Advanced credential badge
Registered Practitioner Advanced
Practice Areas

Three practice areas. One operational cybersecurity method.

Each practice area examines cybersecurity in the client's actual operating environment, including management practices, IT, OT, physical operations, personnel, vendors, documentation, and evidence. The framework changes with the client's obligations. The method of looking at the operation as it actually runs does not.

Maturity

C2M2 Cybersecurity Maturity

The Cybersecurity Capability Maturity Model evaluates whether cybersecurity capabilities are established, repeatable, governed, and sustainable rather than dependent on individual effort. It is a maturity model, not a certification, an audit standard, or a pass and fail assessment.

  • Independent facilitated maturity assessment
  • IT and OT capability review
  • Executive level findings
  • Prioritized cybersecurity investment roadmap

The work suits industrial, infrastructure, maritime, and operational organizations that need a clear picture of where their cybersecurity program actually stands.

Maritime

Maritime Cybersecurity

Covered maritime entities, including applicable vessel and facility operators, need to understand cybersecurity across vessels, facilities, shore-side systems, OT, remote access, vendors, physical security, and the operational dependencies that connect them. Readiness work addresses applicable maritime cybersecurity obligations, including 33 CFR Part 101, Subpart F, where those requirements apply to the organization.

  • Cybersecurity assessment and readiness
  • Maritime IT and OT environments
  • Cybersecurity Officer support
  • Operational resilience and remediation planning
Defense

CMMC and Defense Industrial Base Cybersecurity

The practice continues to provide onsite CMMC and NIST SP 800-171 work for defense contractors, supported by the most extensive content library on this site: service pages, executive guidance, white papers, a book, and a 110 control reference.

  • CUI scoping and NIST SP 800-171 implementation review
  • SSP development and critical review
  • SPRS support and evidence development
  • Supplier assurance and executive guidance
  • Future assessment readiness
How the Practice Areas Fit Together

Three different questions about the same operating environment.

The practice areas are related, but they are not interchangeable. Each engagement applies the questions relevant to the client's environment and obligations: whether the cybersecurity program is mature, whether applicable operational and regulatory requirements are met, and whether implementation and evidence support the record the organization must maintain.

C2M2 asks

Is the cybersecurity program mature, governed, and sustainable?

C2M2 evaluates whether cybersecurity capabilities are institutionalized: documented, resourced, measured, and maintained by the organization rather than carried by a few individuals. The result is a maturity profile and an investment roadmap, not a compliance verdict.

Maritime cybersecurity asks

Do the practices meet the applicable vessel, facility, and operational requirements?

Maritime cybersecurity connects the program to the specific obligations and operational realities of covered vessels and facilities, including IT, OT, remote connectivity, vendors, physical security, and the daily operation of the waterfront environment.

CMMC asks

Do the implementation and evidence support the Defense Industrial Base contractual record?

Defense cybersecurity requirements connect implemented safeguards and supporting evidence to the contractor's contractual record. Depending on the solicitation or contract, that record may include the defined system scope, the SSP, NIST SP 800-171 assessment results recorded in SPRS, and the applicable CMMC status.

Where more than one practice area applies, the questions reinforce one another. An organization that understands its maturity makes better remediation decisions. An organization that knows its applicable requirements scopes its program correctly. An organization whose evidence matches its operation can support what it reports. The common foundation is an accurate picture of the actual operating environment.
Why Onsite

The work often has to happen in your building.

Remote interviews and questionnaires can support an engagement, but they cannot always establish how systems, people, vendors, physical controls, and daily operations interact. An onsite assessment examines six areas as one operating environment rather than as separate submissions.

01 Governance and accountability

Who owns cybersecurity decisions, how leadership funds and reviews the program, and whether responsibility is assigned to people who have the authority and information to carry it. Governance that exists only in a policy binder tends to surface quickly in interviews with the people who run the operation.

02 IT and OT asset boundaries

Which systems, equipment, and data flows are actually in scope for the applicable framework. In industrial and maritime environments, the boundary between business IT and operational technology is often less clean than the network diagram suggests, and the difference changes what must be protected and documented.

03 Network and operational dependencies

How production, vessel, facility, and business operations depend on specific systems, connections, and services, and what happens to the operation when one of them fails or is compromised. Dependency mapping is where cybersecurity risk becomes operational risk that management can evaluate.

04 Identity, remote access, and third parties

Who can reach the environment, from where, and under what conditions. This includes employee accounts, administrator access, vendor connections, managed service providers, and the remote connectivity that supports equipment, monitoring, and support arrangements.

05 Physical security and personnel practices

The doors, keys, badges, visitor processes, server locations, work areas, and daily habits that determine who can physically reach systems, media, and sensitive information. These practices can only be observed where they occur.

06 Documentation, evidence, and sustainment

Whether the plans, policies, records, and evidence describe the environment as it actually operates, and whether the organization can keep them current. A document set that diverges from the operation is a finding in every framework this practice supports.

This is the work I travel to do. The onsite model allows the documents, systems, records, facility, and employee practices to be reviewed as one operating environment, whether the engagement is a maturity assessment, a maritime readiness review, or a CMMC implementation.
Engagement Structure

Three phases, across every practice area.

Engagements follow the same discipline whether the applicable framework is C2M2, a maritime cybersecurity requirement, or CMMC. The scope, depth, and duration are set by the organization, the framework, and the environment rather than by a fixed schedule.

Phase One

Discovery and Scope

  • Confirm objectives and the applicable framework
  • Review available documents
  • Conduct leadership and technical interviews
  • Define facilities, systems, operational processes, and dependencies
  • Plan the onsite work
Phase Two

Onsite Assessment

  • Examine the actual environment
  • Interview responsible personnel
  • Review systems, records, practices, vendors, and evidence
  • Identify maturity, regulatory, technical, and operational gaps
  • Validate whether the documentation reflects reality
Phase Three

Roadmap and Sustainment

  • Deliver executive findings
  • Prioritize remediation
  • Assign ownership and sequencing
  • Support implementation
  • Conduct periodic validation
  • Maintain an accurate and supportable cybersecurity program
Current CMMC Program Status

Phase 2 is suspended. Phase 1 remains the operating framework.

On July 13, 2026, the Department suspended the November 10, 2026 transition to CMMC Phase 2 and all pending and future implementation milestones while a task force reviews the program. The announcement did not remove the underlying obligation to protect covered defense information. During the review, the Department states that it will continue enforcing NIST SP 800-171 Revision 2 through self assessments and select government led assessments.

What Changed

The scheduled Phase 2 expansion stopped.

The Department suspended the transition that would have expanded Level 2 C3PAO requirements beginning November 10, 2026, together with pending and future implementation milestones.

What Remains

Phase 1 self assessment requirements continue.

Level 1 and Level 2 self assessments remain in the current program. Contractors handling covered defense information also remain responsible for the safeguarding requirements in DFARS 252.204-7012.

What Is Unresolved

The future certification structure is under review.

A CMMC Reform Task Force is conducting a 60 day review informed by a public request for information. The Department has not announced a replacement Phase 2 date or a final revised model.

The practical question for defense contractors is whether the contracts, SPRS records, SSP, CUI boundary, and operating environment support the obligations that remain in force. The CMMC services and resource library on this site continue to address that work in detail.

Review CMMC Services →
Services

How Clients Engage

The practice areas above identify which problem domain and which obligations apply. The engagements below are what a client actually retains the practice to do, and most apply across all three areas.

01

Cybersecurity Maturity Assessment

An independent facilitated C2M2 assessment of cybersecurity capabilities across IT and OT. Management receives a clear maturity profile, executive level findings, and a prioritized roadmap for where cybersecurity investment will do the most good.

02

Regulatory Readiness Assessment

An onsite assessment against the obligations that actually apply to the organization, whether the applicable maritime cybersecurity requirements for covered vessel and facility operators or NIST SP 800-171 and CMMC for defense contractors. Management receives a supported picture of current state and the gaps that carry consequence.

03

IT and OT Operational Risk Review

An independent review of how information systems, operational technology, vendors, and remote connectivity affect the operation itself. Management receives a dependency picture and a risk view it can act on, expressed in operational terms rather than tool output.

04

Remediation Program Management

Turning findings into a working program: prioritization, ownership, sequencing, implementation support, and periodic validation. Management receives a remediation effort that closes gaps in a defensible order instead of a report that sits in a drawer.

05

Executive Cybersecurity Advisory

Private briefings that translate maturity findings, regulatory obligations, and operational risk into business terms: exposure, cost, realistic timeline, and the decisions leadership needs to own rather than delegate.

06

Independent Second Opinion and Due Diligence

An independent review of work the organization is about to rely on: another firm's assessment, a plan or SSP before submission, or a counterparty's cybersecurity posture before a contract is signed. Structured for management or, where engaged through counsel, for the legal record.

Learn More

Detailed Service References

The CMMC consulting services overview describes how a Defense Industrial Base engagement is sequenced, the deliverables involved, and the contractor profiles this practice supports. The C2M2 and maritime cybersecurity pages describe those engagements in comparable depth.

Publications

Research and Reference Material

The publication library is particularly extensive in CMMC and Defense Industrial Base cybersecurity, reflecting several years of sustained practitioner research in that area. Every paper cites its sources and is available as a free PDF.

The Book

The CMMC Decision, Second Edition

A practitioner guide written for CEOs and senior executives of small and midsize defense contractors trying to decide how to approach compliance. Covers False Claims Act exposure, SPRS scoring, assessment preparation, and the decisions that determine whether a program succeeds. Free to download.

Read More →
White Papers

The White Paper Library

Published research on topics including assessment capacity, CUI scope reduction, artifact integrity, supply chain compliance, MSP and ESP obligations, and pre-award verification, together with the CMMC Executive Series and a 110 control reference guide.

View All Publications →
New material addressing C2M2, maritime cybersecurity, industrial cybersecurity, and IT and OT operational risk will be added to the library as the broader practice develops. The existing CMMC Executive Series remains the recommended starting point for defense contractor leadership.
David W. Koran, CyberAB Registered Practitioner Advanced
David W. Koran
CyberAB Registered Practitioner Advanced
Certified ISO 27001 Auditor
Cisco CCCA
About

David W. Koran

"Cybersecurity maturity is demonstrated when management practices, technical controls, records, vendors, and daily operations all support the same conclusion."

I am the founder of David Koran & Associates Inc., an independent cybersecurity advisory practice serving industrial, maritime, and defense-sector organizations. My background is more than 30 years in information technology with a cybersecurity specialization dating to 2002, including work inside manufacturing environments and other regulated operational settings where cybersecurity has to coexist with production.

The practice combines technical analysis, operational observation, documentation review, and executive risk communication, and every engagement rests on evidence-based findings developed in the client's own environment. I travel to client sites nationally because much of what matters cannot be established from a questionnaire.

I hold the CyberAB Registered Practitioner Advanced credential, and I am the author of The CMMC Decision, now in its second edition, along with a library of practitioner white papers on Defense Industrial Base cybersecurity. That body of work reflects a consistent commitment to substance over salesmanship: documented ground truth, defensible findings, and guidance that holds up under scrutiny.

I am an independent advisor. I am not a reseller, a software vendor, a certification body, or a managed service provider, and I do not perform certification assessments. What I offer clients is my time, my attention, and a willingness to travel to their facility and do the work there.

Get In Touch

Discuss Your Operating Environment

Inquiries may involve cybersecurity maturity, maritime readiness, CMMC, IT and OT risk, independent assessment, remediation planning, or executive advisory. Call, email, or send a note. I respond personally to every inquiry, usually within one business day.

Address
Essex Junction, VT
Travel
I travel to client sites nationally.

Discuss an Assessment

Whether you are evaluating cybersecurity maturity, preparing a maritime operation, working through CMMC obligations, or looking for an independent second opinion, the first conversation carries no commitment and no pitch.

Discuss an Assessment →