Click the Download button below to download an excel spreadsheet with summary information about each candidate, or view the tables below.
Please note that only members of the C3PAO Stakeholder Forum are eligible to vote. You are considered a member if you have an account on the C3PAO Stakeholder Forum Discord and your account has the status “Verified”. Only C3PAO representatives are allowed to vote. If you represent multiple organizations you only get a single vote. If there are multiple members from a single C3PAO only one vote will count. To achieve a balance of representation, we specify 3 large, 4 medium, and 4 small C3PAO Advisors.
Do you want to become a member so that you can vote, contribute, and benefit? Please review the Join Us page for our charter and instructions.
The voting form is at the bottom of the page. Thank you for your participation!!!
Candidate Information – C3PAO Demographics
|C3PAO Name||C3PAO Status||Size||# of Full time + Contract employees (approx)||ISO Accreditation Status||Cybersecurity Certification and Assessment Services Offered||Breadth of Current Service Offering||First Name||Last Name||Title|
|Baker Tilly||Candidate||Large||4000||Not Yet||NIST800-53, NIST800-171, FISMA, HIPPA, HITECH, HITRUST, SOC1, SOC2, SOC3||Domestic (US), International – Americas, International – Asia Pacific, International – Europe||Matt||Gilbert||Principal|
|NQA, USA||Candidate||Large||250||ISO 17020 Accredited [with a different Accreditation Body (e.g., ANAB, A2LA)];|
ISO 17021 Accredited [with a different Accreditation Body (e.g., ANAB, A2LA)]
|ISO 27001, ISO 27701, NIST 800-53, NIST 800-171, CNSSI-1253||Domestic (US), International – Americas, International – Asia Pacific, International – Europe||Timothy||Woodcome||Director|
|A-LIGN||Candidate||Large||250||ISO 17020 Accredited [with a different Accreditation Body (e.g., ANAB, A2LA)], ISO 17021 Accredited [with a different Accreditation Body (e.g., ANAB, A2LA)]||SOC 1/2, PCI DSS, HITRUST, ISO 27001, FedRAMP, FISMA (800-53), 171||Domestic (US), International – Americas, International – Asia Pacific, International – Europe||Tony||Bai||Federal Practice Lead|
|KLC Consulting, Inc.||Candidate||Medium||23||Not Yet||NIST 800-171|
CIS CSC 20 Controls
Risk Management Framework (RMF (800-53) – help company obtain ATO)
|Domestic (US), International – Americas, International – Asia Pacific, International – Europe||Kyle||Lai||President and CISO|
|Edwards Performance Solutions||Candidate||Medium||75||Not Yet||NIST 800-53, NIST CSF, NIST 800-171, HIPAA||Domestic (US), International – Americas||Brian||Hubbard||Director, Commercial and Cybersecurity|
|Digital Beachhead||Candidate||Medium||26||Not Yet||NIST, HIPAA||Domestic (US), International – Americas||Michael||Crandall||CEO|
|Strong Connexions||Verified applicant||Medium||27||Not Yet||NIST 800-171, CIS20, HIPPA/HITRUST, FISMA||Domestic (US)||Jared||Hoskins||COO | CIO|
|CyberNINES||Candidate||Medium||15||Not Yet||NIST SP 800-171, HIPAA||Domestic (US)||Scott||Singer||President|
|Kieri Solutions||Candidate||Small||6||Not Yet||NIST 800-171||Domestic (US)||Amira||Armond||President|
|VAAXA||Verified applicant||Small||4||Not Yet||N/A||Domestic (US)||David||Savage||CEO|
|SoundWay Consulting||Candidate||Small||8||Not Yet||NIST 800-171, Network and Host Vulnerability Assessments, Cyber Risk Training for Government and Attorneys, Remote Pentesting||Domestic (US)||Carter||Schoenberg||VP of Cybersecurity and Chief Cybersecurity Officer|
|Deborah Hunt||Candidate||Small||7||Not Yet||Pre-Assessment for NIST-800-171||Domestic (US)||Deborah||Hunt||Provisional Lead Assessor|
|Kevin Wheeler||Candidate||Small||6||Not Yet||NIST SP 800-171, HIPAA, PCI DSS, FFIEC||Domestic (US)||Kevin||Wheeler||Managing Director|
|G2 Ops, Inc.||Candidate||Small||14||Not Yet||CIS CSC, DoD Risk Management Framework (RMF), FedRamp, HECVAT, HIPPA/HITECH, NIST 800-53, NIST-800-82/UFC-4-010-06/UFGS-25-05-11 (Industrial & Facility-related Control Systems), NIST-800-171,||Domestic (US)||Matthew||Chadwick||Director, Cybersecurity Services|
|Regola Consulting, Inc.||Candidate||Small||1||Not Yet||N/A (consulting only for NIST 800-53, NIST 800-171, FedRAMP, HIPPA/HITECH)||Domestic (US)||Nathan||Regola||President|
Candidate Information – Council self-nomination
|First Name||Last Name||Self-Nomination|
|Matt||Gilbert||I was part of Jeff Dalton’s working groups helping to develop the assessment methodology. I was selected to participate in the first provisional assessor training. I am assessor id #19. I represent a larger firm that is also a CPA. So I think I can share a unique point of view. I also have years of assessment experience. I also participated in peer reviews of other CPA firms and quality inspections. I also have been inspected by the PCAOB for the IT portion of a SOX audit. So I have a wide range of prior experience and assessment methods to rely. Further I have been actively sharing insights in the CMMC community via webinars and sessions with AICPA, National Bar Association, NCMA and various industry events. We are helping many organizations prepare for CMMC and my team has two additional provisional assessors. As a firm, we support government contractors from pursuit to closeout of contracts and all the compliance and regulatory requirements in between.|
|Timothy||Woodcome||-I have 25+ years experience in the Third Party Assessment industry working at various levels including as an assessor, operations and top management. |
-In my role current role as Business Unit Director, I oversee all aspects of NQA’s Cybersecurity Assurance Service offerings, including CMMC, NIST, ISO 27001, ISO 27701, ISO 20000-1, ISO 22301, and others.
-I have experience in working with a wide variety of DIB customers ranging from small 8(a) firms to large multi-national primes; and can understand the needs and challenges of these various cohorts.
-As part of an accredited ISO Certification Body, I have competencies with ISO 17021 and 17020; and I regularly interface with various other Accreditation Bodies and related entities such as ANAB, UKAS and IAF, along with industry specific bodies such as QuEST/TIA, NCWM, and ESDA.
-I have served on several Industry Bodies and Working Groups formed to develop, oversee and map strategies for third party standards in the ICT, Cybersecurity, Business Continuity, Quality, and other fields. This includes missions and goals similar to what I envision with this Council.
-I have well-rounded strong professional and leadership skills, including communication, analysis, decision making, mediation, team-building and strategy.
-I have a track record and willingness to “do the work” along with others and not simply direct from afar.
-I believe that the C3PAO community has a wealth of knowledge and expertise that has yet to be tapped with regard to the roll-out and administration of CMMC; many of us have ‘been here; done that’ (albeit with different standards or frameworks) and can foresee some of the potential risks and identify potential opportunities in the path forward. I believe that those in the C3PAO Stakeholder Forum are willing to share that knowledge for the good of the CMMC mission and all parties involved. I would like to help the Forum organize, prioritize and verbalize our collective thoughts and input for the good of the mission and reputation of the CMMC product. I look forward to being a positive and pro-active contributor to this Forum and the CMMC effort.
|Tony||Bai||We are interested in helping make the CMMC program a success and ensure the protection of our Nation. I feel we can provide a perspective to CMMC bringing in our experience as a FedRAMP 3PAO as well as our work in other Federal frameworks, i.e. FISMA/RMF (CJIS, IRS 1075, CMS DE/EDE, etc.) and 800-171, along with our experience in other cybersecurity frameworks, such as SOC 1/2, PCI DSS, HIPAA, Privacy, Penetration Testing, and ISO 27001/27701.|
|Kyle||Lai||As a C3PAO Candidate company, we are committed to going through the DIBCAC assessment to become authorized, and get our assessors trained and certified.|
I have 20+ years of experience in IT, cybersecurity, and third-party security management. I am a CISSP, CISA, CSSLP, CDPSE, CIPP/US, CIPP/G, and ISO 27001 Lead Auditor. I have worked at DISA as an operations manager, and I have been helping DIB companies with compliance, including DIACAP, RMF, and FISMA. Previously, I have helped commercial clients with security and privacy compliance, including HIPAA, PCI, SOX, SOC2, GLBA, GDPR, and FFIEC.
I would like to continue helping the community to
1) improve the DoD and CMMC-AB communication with C3PAOs,
2) Make the DOD DIBCAC CMMC Level 2 assessment process on C3PAO more transparent, so C3PAO can better prepare for the DIBCAC assessment,
3) Help express the C3PAO community’s collective feedback and suggestions to the DoD and CMMC-AB to improve future processes that will improve C3PAO operations.
4) Help develop position papers for the C3PAO Stakeholder Forum.
|Brian||Hubbard||I have been providing “cybersecurity” services to the DoD, Intel community, and Commercial sector for over 35 years. CMMC represents the best attempt yet to secure the contractor environment. This is why Edwards went all in on CMMC to help it succeed. We are a RPO, LPP, LTP and Candidate C3PAO. I would like to have a voice in helping the CMMC AB and DoD get over the hump in ramping up the assessment process. |
Personally, I have been involved in assessments since the 80’s. I was an Orange Book evaluator, I managed a Common Criteria Test Lab, I ran a team doing certification and accreditation work for the Intel and DoD communities. My teams directly helped develop the DITSCAP, DIACAP, NIACAP and most recently the NIST Cybersecurity Framework.
I have contributed to or reviewed C3PAO Stakeholder Forum position papers, try to participate as much as possible int he Discord forum, and I try to provide the insight I am gaining as an LPP, LTP and RPO to the C3PAO community. I am a Provisional Assessor and a Provisional Instructor.
|Michael||Crandall||I have worked DoD cyber security since the early 90’s having developed the DiD system, creating a DMZ etc. Also developed the first ever NOSC and spent the last 8 years of my military career as the IA officer for the AF Satellite Control Network and associated connected systems. In that role was performing assessments and accreditation reviews for DoD systems across the globe. I understand DoD cyber thinking (DISA Director and I grew up together in the AF/Cyber) and as a small biz owner I know the struggles to work DoD contracts and make critical / costly business decisions based on requirements. I have the time and desire to take part.|
|Jared||Hoskins||As development continues with the CMMC our organization has adapted and been versatile in ensuring that organizations we’re working with begin and continue progress in areas we know will not be changing and address greater cyber hygiene. Our perspective as both a small business and the understanding that national security is of the utmost importance our voice will help to balance all perspectives as they relate to this role and the tremendous responsibilities that come with it. It would be an honor to serve and contribute to the ecosystem and its success through the support of C3PAO’s and diversified perspectives.|
|Amira||Armond||I can represent very small C3PAOs that answered the call but don’t have experience with assessments prior to CMMC, so we are trying to figure it all out from scratch. I have a very high level of knowledge of the technical aspects of CMMC such as building a compliant system and how to assess, with moderate level of knowledge about the procedural aspects of CMMC assessments (being the lead for ISO 17020 at my company). This gives me the ability to give input on multiple aspects of CMMC as it relates to C3PAOs. |
I have already proven my willingness and ability to participate and organize on behalf of C3PAOs, and can continue supporting with 10+ hours per month. Other than patriotism and a desire to ensure the U.S. continues to do well long-term, my motivation for this is that I and my company have invested heavily into CMMC and I would like to make sure it is a functional system where companies (including mine) can succeed.
|Scott||Singer||We are focused on supporting small businesses affordably meet the CMMC requirements. We have done over 60 assessments in the last year as the state of WI and MN preferred NIST MEP partner. We have a managed service where we partner with MSPs to help support these SMBs remediate their POAMs. I have 27 years of experience in senior IT leadership positions at both Fortune 500 and SMBs. I am a retired Navy Captain of 30 years and I spent my last 5 years working as the Navy Emergency Preparedness Liaison Officer for MN attached to FEMA Region 5 and was recalled to active duty as the DoD Liaison to FEMA for Hurricane Maria in the National Response Coordination Center (NRCC) in Washington, D.C. I was the Executive Officer of a Pacific Fleet cybersecurity unit. I served a number of years on CINTAC, the Civil Nuclear Trade Advisory Committee for the Secretary of Commerce and thus am familiar with private/public committees. I currently serve on the State of MN InfraGard Board and the Wisconsin CISOs Cyber Strategy & Planning Working Group.|
|David||Savage||Having a background in technical, cybersecurity, and managed services, I bring a unique point of view. I want to help the C3PAO’s be successful and have proper representation with the CMMC-AB and DoD.|
|Carter||Schoenberg||Mr. Schoenberg is a Certified Information System Security Professional and Registered Practitioner with the CMMC. He has over 27 years of combined experience in criminal investigations, cyber threat intelligence, cybersecurity, cyber risk management, and cyber law. His past works include comprehensive assessments of U.S. Government Contractors to align with what are now formal requirements set forth by the Defense Department including NIST SP 800-171 and now the Cybersecurity Maturity Model Certification (CMMC).|
His past works for conforming with DFARS .7012 were featured at MITRE’s Quarterly Cyber Supply Chain Risk Forum at the request of the DOD and DHS. To date, he has performed over 20 assessments based upon NIST 800-171 and has been involved in over 30 ATOs on US Federal Systems.
Mr. Schoenberg actively contributed to the GSA/DoD Final Report to the White House “Improving Cybersecurity and Resiliency through Acquisition”. His work products have been actively used by DOD, Department of Education, DHS, the ISAC communities, Smart Cities, and the Georgia Bar Association for Continuing Learning Educational (CLE) credits on the topic of cybersecurity risk and liability. Mr. Schoenberg also recently co-authored “Guidance for Smart Cities and Municipalities Cyber Supply Chain Risk Management (C-SCRM)” published by NIST.
|Deborah||Hunt||As one of the early participants in the CMMC and CMMC-AB program we want to ensure the important and intent of securing the DIB community remains but is implemented in a way to support the entire community without excluding small business. As a long standing CMMI assessment organization as well as a government consulting firm operating in the DoD and Intelligence space we and I offer a well rounded and complete view of the needs for these security controls to be balanced with business operations supporting day to day Government requirements.|
|Kevin||Wheeler||InfoDefense has been providing NIST SP 800-171 / CMMC services for the past four+ years. Needless to say, we are highly vested in the success of CMMC. I bring over 20 years of cyber security as well as IT audit experience. In addition to to co-authoring the original version of an authoritative IT audit text “IT Auditing: Using Controls to Protect Information Assets”, I am very active within the industry. I bring offer cyber security and compliance thought leadership as well as commitment to the success of CMMC.|
|Matthew||Chadwick||I am interested in participating on the CMMC C3PAO Advisory Council because of my and my company’s vested interest and commitment to driving the C3PAO community toward success within the CMMC ecosystem. I bring over 20 years’ experience from multiple disciplines (e.g., cybersecurity [operational & technical], governance-risk management-compliance, operations management, project/program management, & systems integration) and industries (e.g., government contracting, healthcare, higher education) to the C3PAO Advisory Council, and I understand the implications of cybersecurity compliance on organizations and associated stakeholders. I personnally recognize the risk our DIB is under, and I want to be a proactive participant to propel the CMMC program forward because of this risk. Although self-attestation is appropriate for some, it is not appropriate for all companies. I believe the C3PAO Advisory Council will play a critical role in informing the CMMC Accreditation Body and DoD with regard to CMMC policy, program integration and implementation, general advancement, and community awareness as to why the CMMC program needs to be rolled out.|
As a Security Engineering firm who is a prime DoD contractor and candidate C3PAO, G2 Ops is uniquely positioned on both sides of the CMMC assessment provider and OSC spectrum. We understand that protecting government data (i.e., CUI & FCI) and those companies relying on it makes CMMC critical to strengthening the DIB’s cybersecurity posture.
It is for these reasons that I and my company wish to participate on the CMMC C3PAO Advisory Council. Thank you for your time and consideration.
|Nathan||Regola||Regola Consulting, Inc. DBA Regola Cyber joined the CMMC ecosystem as a C3PAO and strives to bring a legal and technical perspective to the C3PAO role. We aren’t registered as an RPO, but understand why some C3PAOs have dual registrations. We understand the significant investment required to prepare for a DIBCAC assessment because we have implemented our own GCC High environment, and migrated our data from Office 365 Commercial in February of 2021. We hope to influence the CMMC Assessment Method (CAM) (formerly CMMC Assessment Process or CAP) to reflect the reality of a C3PAO business. We attempt to actively engage in the Discord forum and other avenues. If elected, we will advocate an approach of continued “off-the-record” engagement with CMMC-AB to advance the C3PAO position and discuss how C3PAOs can support increased security of the DIB, as the most credentialed and invested, but underutilized, resources in the CMMC ecosystem.|
Our President, Nate Regola, is a member of the Exam SME committee supporting the CMMC exams and plans to complete PI training soon. You can read about Nate’s background and our company at the following links: https://www.linkedin.com/in/nathanregola/ and https://www.regolacyber.com/
Candidate Information – Incumbent contributions
|First Name||Last Name||Position||Summary of Your Council Contributions to Date (INCUMBENTS ONLY)|
|Matt||Gilbert||Focus: Processes||I have been an active participant in the majority of council meetings. We hosted one of the monthly C3PAO session with the CMMC-AB. I provided suggestions for the voting process and am working to develop a means to vote via the website. I am also working on a position paper related to the CMMC scoping guides. I look forward to continuing to help advocate for the needs of the C3PAOs in the CMMC ecosystem.|
|Kyle||Lai||Focus: C3PAO engagement||During my time as a C3PAO Stakeholder Forum Council member, I have: |
1) Participated in the Council meetings
2) Lead multiple C3PAO Stakeholder Forum Thursday meetings
3) Contribute to the review and feedback position paper
4) Contacted non-member C3PAOs to join the Forum
|Timothy||Woodcome||Secretary||I have been actively involved in all aspects of the C3PAO Council over the past year including weekly meet-ups (participant and host), bi-weekly Leadership meetings, monthly CMMC-AB meetings and various behind the scenes work on and off of Discord. I have contributed to the establishment of the monthly meetings with the CMMC-AB, C3PAO website and various position papers. I have provided input on various Discord discussions in efforts to share subject matter expertise and enhance the value of the conversations being had within the forum.|
|Amira||Armond||Vice Chair||Helped host all CMMC-AB and C3PAO forum meetings and sent out meeting notifications for all of them. Attended about 70% of the weekly C3PAO discussions. Attended all council planning meetings. Advocated for C3PAOs to the CMMC-AB, as a result the DoD and AB both presented more information about how assessments were being conducted and what was causing C3PAOs to fail. Identified position paper process and organized the first few votes.|
|Scott||Singer||Chair||Over the last six months I have led the initial C3PAO Advisory Council working closely with our Vice Chair Amira Armond in moving this community forward. We have just started this work and I look forward to continuing in this role. Some of the accomplishments we have made so far include regular monthly meetings with Matt Travis of the CMMC AB, 3 completed position papers, one out for voting that I led. We are now also regularly meeting as a Council with the Chairman of the CMMC AB. All of these activities will help ensure we as C3PAOs will have more of a voice in the ecosystem’s direction.|
|Brian||Hubbard||Focus: People||Participated in council meetings. Active on forum in process, training, and CMMC DIBCAC assessment topics.|
|Tony||Bai||Focus: Accountability /Integrity||Participated in council meetings. Presented seminar on ISO 17020. Active on forum in technical, process, and CMMC DIBCAC assessment topics.|