Cybersecurity has to work in the operation, not only in the documentation.
David Koran & Associates Inc. is an independent cybersecurity maturity, compliance, and operational risk advisory serving industrial, maritime, and defense-sector organizations. I evaluate cybersecurity maturity, regulatory obligations, technical implementation, operational dependencies, and supporting evidence onsite, in the environment where the controls have to operate. The practice covers three connected areas: C2M2 maturity assessments, maritime cybersecurity, and CMMC and Defense Industrial Base cybersecurity.
What an assessment examines
- Governance and cybersecurity maturity
- IT and OT assets and dependencies
- Access, vendors, and remote connectivity
- Policies, records, and evidence
- Operational and regulatory exposure
- Prioritized remediation

Three practice areas. One operational cybersecurity method.
Each practice area examines cybersecurity in the client's actual operating environment, including management practices, IT, OT, physical operations, personnel, vendors, documentation, and evidence. The framework changes with the client's obligations. The method of looking at the operation as it actually runs does not.
C2M2 Cybersecurity Maturity
The Cybersecurity Capability Maturity Model evaluates whether cybersecurity capabilities are established, repeatable, governed, and sustainable rather than dependent on individual effort. It is a maturity model, not a certification, an audit standard, or a pass and fail assessment.
- Independent facilitated maturity assessment
- IT and OT capability review
- Executive level findings
- Prioritized cybersecurity investment roadmap
The work suits industrial, infrastructure, maritime, and operational organizations that need a clear picture of where their cybersecurity program actually stands.
Maritime Cybersecurity
Covered maritime entities, including applicable vessel and facility operators, need to understand cybersecurity across vessels, facilities, shore-side systems, OT, remote access, vendors, physical security, and the operational dependencies that connect them. Readiness work addresses applicable maritime cybersecurity obligations, including 33 CFR Part 101, Subpart F, where those requirements apply to the organization.
- Cybersecurity assessment and readiness
- Maritime IT and OT environments
- Cybersecurity Officer support
- Operational resilience and remediation planning
CMMC and Defense Industrial Base Cybersecurity
The practice continues to provide onsite CMMC and NIST SP 800-171 work for defense contractors, supported by the most extensive content library on this site: service pages, executive guidance, white papers, a book, and a 110 control reference.
- CUI scoping and NIST SP 800-171 implementation review
- SSP development and critical review
- SPRS support and evidence development
- Supplier assurance and executive guidance
- Future assessment readiness
Three different questions about the same operating environment.
The practice areas are related, but they are not interchangeable. Each engagement applies the questions relevant to the client's environment and obligations: whether the cybersecurity program is mature, whether applicable operational and regulatory requirements are met, and whether implementation and evidence support the record the organization must maintain.
Is the cybersecurity program mature, governed, and sustainable?
C2M2 evaluates whether cybersecurity capabilities are institutionalized: documented, resourced, measured, and maintained by the organization rather than carried by a few individuals. The result is a maturity profile and an investment roadmap, not a compliance verdict.
Do the practices meet the applicable vessel, facility, and operational requirements?
Maritime cybersecurity connects the program to the specific obligations and operational realities of covered vessels and facilities, including IT, OT, remote connectivity, vendors, physical security, and the daily operation of the waterfront environment.
Do the implementation and evidence support the Defense Industrial Base contractual record?
Defense cybersecurity requirements connect implemented safeguards and supporting evidence to the contractor's contractual record. Depending on the solicitation or contract, that record may include the defined system scope, the SSP, NIST SP 800-171 assessment results recorded in SPRS, and the applicable CMMC status.
The work often has to happen in your building.
Remote interviews and questionnaires can support an engagement, but they cannot always establish how systems, people, vendors, physical controls, and daily operations interact. An onsite assessment examines six areas as one operating environment rather than as separate submissions.
01 Governance and accountability
Who owns cybersecurity decisions, how leadership funds and reviews the program, and whether responsibility is assigned to people who have the authority and information to carry it. Governance that exists only in a policy binder tends to surface quickly in interviews with the people who run the operation.
02 IT and OT asset boundaries
Which systems, equipment, and data flows are actually in scope for the applicable framework. In industrial and maritime environments, the boundary between business IT and operational technology is often less clean than the network diagram suggests, and the difference changes what must be protected and documented.
03 Network and operational dependencies
How production, vessel, facility, and business operations depend on specific systems, connections, and services, and what happens to the operation when one of them fails or is compromised. Dependency mapping is where cybersecurity risk becomes operational risk that management can evaluate.
04 Identity, remote access, and third parties
Who can reach the environment, from where, and under what conditions. This includes employee accounts, administrator access, vendor connections, managed service providers, and the remote connectivity that supports equipment, monitoring, and support arrangements.
05 Physical security and personnel practices
The doors, keys, badges, visitor processes, server locations, work areas, and daily habits that determine who can physically reach systems, media, and sensitive information. These practices can only be observed where they occur.
06 Documentation, evidence, and sustainment
Whether the plans, policies, records, and evidence describe the environment as it actually operates, and whether the organization can keep them current. A document set that diverges from the operation is a finding in every framework this practice supports.
Three phases, across every practice area.
Engagements follow the same discipline whether the applicable framework is C2M2, a maritime cybersecurity requirement, or CMMC. The scope, depth, and duration are set by the organization, the framework, and the environment rather than by a fixed schedule.
Discovery and Scope
- Confirm objectives and the applicable framework
- Review available documents
- Conduct leadership and technical interviews
- Define facilities, systems, operational processes, and dependencies
- Plan the onsite work
Onsite Assessment
- Examine the actual environment
- Interview responsible personnel
- Review systems, records, practices, vendors, and evidence
- Identify maturity, regulatory, technical, and operational gaps
- Validate whether the documentation reflects reality
Roadmap and Sustainment
- Deliver executive findings
- Prioritize remediation
- Assign ownership and sequencing
- Support implementation
- Conduct periodic validation
- Maintain an accurate and supportable cybersecurity program
Phase 2 is suspended. Phase 1 remains the operating framework.
On July 13, 2026, the Department suspended the November 10, 2026 transition to CMMC Phase 2 and all pending and future implementation milestones while a task force reviews the program. The announcement did not remove the underlying obligation to protect covered defense information. During the review, the Department states that it will continue enforcing NIST SP 800-171 Revision 2 through self assessments and select government led assessments.
The scheduled Phase 2 expansion stopped.
The Department suspended the transition that would have expanded Level 2 C3PAO requirements beginning November 10, 2026, together with pending and future implementation milestones.
Phase 1 self assessment requirements continue.
Level 1 and Level 2 self assessments remain in the current program. Contractors handling covered defense information also remain responsible for the safeguarding requirements in DFARS 252.204-7012.
The future certification structure is under review.
A CMMC Reform Task Force is conducting a 60 day review informed by a public request for information. The Department has not announced a replacement Phase 2 date or a final revised model.
The practical question for defense contractors is whether the contracts, SPRS records, SSP, CUI boundary, and operating environment support the obligations that remain in force. The CMMC services and resource library on this site continue to address that work in detail.
Review CMMC Services →How Clients Engage
The practice areas above identify which problem domain and which obligations apply. The engagements below are what a client actually retains the practice to do, and most apply across all three areas.
Cybersecurity Maturity Assessment
An independent facilitated C2M2 assessment of cybersecurity capabilities across IT and OT. Management receives a clear maturity profile, executive level findings, and a prioritized roadmap for where cybersecurity investment will do the most good.
Regulatory Readiness Assessment
An onsite assessment against the obligations that actually apply to the organization, whether the applicable maritime cybersecurity requirements for covered vessel and facility operators or NIST SP 800-171 and CMMC for defense contractors. Management receives a supported picture of current state and the gaps that carry consequence.
IT and OT Operational Risk Review
An independent review of how information systems, operational technology, vendors, and remote connectivity affect the operation itself. Management receives a dependency picture and a risk view it can act on, expressed in operational terms rather than tool output.
Remediation Program Management
Turning findings into a working program: prioritization, ownership, sequencing, implementation support, and periodic validation. Management receives a remediation effort that closes gaps in a defensible order instead of a report that sits in a drawer.
Executive Cybersecurity Advisory
Private briefings that translate maturity findings, regulatory obligations, and operational risk into business terms: exposure, cost, realistic timeline, and the decisions leadership needs to own rather than delegate.
Independent Second Opinion and Due Diligence
An independent review of work the organization is about to rely on: another firm's assessment, a plan or SSP before submission, or a counterparty's cybersecurity posture before a contract is signed. Structured for management or, where engaged through counsel, for the legal record.
Detailed Service References
The CMMC consulting services overview describes how a Defense Industrial Base engagement is sequenced, the deliverables involved, and the contractor profiles this practice supports. The C2M2 and maritime cybersecurity pages describe those engagements in comparable depth.
Research and Reference Material
The publication library is particularly extensive in CMMC and Defense Industrial Base cybersecurity, reflecting several years of sustained practitioner research in that area. Every paper cites its sources and is available as a free PDF.
The CMMC Decision, Second Edition
A practitioner guide written for CEOs and senior executives of small and midsize defense contractors trying to decide how to approach compliance. Covers False Claims Act exposure, SPRS scoring, assessment preparation, and the decisions that determine whether a program succeeds. Free to download.
Read More →The White Paper Library
Published research on topics including assessment capacity, CUI scope reduction, artifact integrity, supply chain compliance, MSP and ESP obligations, and pre-award verification, together with the CMMC Executive Series and a 110 control reference guide.
View All Publications →
CyberAB Registered Practitioner Advanced
Certified ISO 27001 Auditor
Cisco CCCA
David W. Koran
I am the founder of David Koran & Associates Inc., an independent cybersecurity advisory practice serving industrial, maritime, and defense-sector organizations. My background is more than 30 years in information technology with a cybersecurity specialization dating to 2002, including work inside manufacturing environments and other regulated operational settings where cybersecurity has to coexist with production.
The practice combines technical analysis, operational observation, documentation review, and executive risk communication, and every engagement rests on evidence-based findings developed in the client's own environment. I travel to client sites nationally because much of what matters cannot be established from a questionnaire.
I hold the CyberAB Registered Practitioner Advanced credential, and I am the author of The CMMC Decision, now in its second edition, along with a library of practitioner white papers on Defense Industrial Base cybersecurity. That body of work reflects a consistent commitment to substance over salesmanship: documented ground truth, defensible findings, and guidance that holds up under scrutiny.
I am an independent advisor. I am not a reseller, a software vendor, a certification body, or a managed service provider, and I do not perform certification assessments. What I offer clients is my time, my attention, and a willingness to travel to their facility and do the work there.
Discuss Your Operating Environment
Inquiries may involve cybersecurity maturity, maritime readiness, CMMC, IT and OT risk, independent assessment, remediation planning, or executive advisory. Call, email, or send a note. I respond personally to every inquiry, usually within one business day.
Discuss an Assessment
Whether you are evaluating cybersecurity maturity, preparing a maritime operation, working through CMMC obligations, or looking for an independent second opinion, the first conversation carries no commitment and no pitch.
Discuss an Assessment →