Alex Trafton

Alex’s professional experience includes:

• Defense Industrial Base Cybersecurity: Led a security controls and risk assessment of the regulated data environment of a multi-national manufacturing company in support of DoD cybersecurity contract requirements (DFARS), to prepare the company for a third-party assessment of its implementation of the Cybersecurity Maturity Model Certification (CMMC). Conducted in-depth technical interviews and reviewed evidence and artifacts to build an assurance case of controls implementation.
• CFIUS Monitorship: Served as the information security SME during a third-party monitorship of a U.S. aerospace company subject to a National Security Agreement (NSA). Worked with the company to implement an information security program that would meet both NSA-directed requirements as well as likely future DoD contract requirements. Activities included overseeing and advising on the migration of enterprise data assets from a multi-cloud architecture to a FedRAMP authorized environment.
• FedRAMP Authorization: Worked with a SaaS developer to prepare their build and production environments for a FedRAMP moderate baseline Authority to Operate (ATO) with a U.S. government agency. Worked with company business leaders, developers, and security personnel to assess the environment and build a robust System Security Plan (SSP) prior to C3PAO assessment. Conducted in-depth technical interviews, reviewed policy and procedure documentation, and built detailed Plans of Action and Milestones (POAMs) to ensure successful authorization.
• CFIUS Monitorship: Led quarterly product integrity testing of the secure software build environments for a global software developer subject to a National Security Agreement (NSA). Oversaw a multi-disciplinary team conducting white box and black box testing with direct reporting to U.S. government agency monitors. Worked with integrity testers to ensure alignment with software security best practices, review and classify findings, and develop comprehensive reporting to address NSA requirements.
• Defense Industrial Base Cybersecurity: Led an information security program assessment of a U.S.-based defense contractor to assess its current implementation of DFARS requirements, NIST SP 800-171, and its readiness for Cybersecurity Maturity Model Certification (CMMC) audit. The project included integration and harmonization of export control and Controlled Unclassified Information (CUI) requirements. Conducted in-depth technical interviews, reviewed evidence and artifacts, and enhanced the evidence and artifacts supporting the System Security Plan (SSP).
• CFIUS Monitorship: Served as third-party monitor engagement manager for multiple solar sites in Southern California. Coordinated the multi-disciplinary monitorship which included physical security, personnel security, cybersecurity, and ICS and SCADA security. Worked with the transaction parties to optimize workflows to reduce burden and cost while effectively mitigating U.S. government agency identified risks.
• Global Compliance: Worked with a U.S. government contractor to review their global compliance program to identify and mitigate enforcement risk in over a dozen countries with a growing business footprint. Led a multi-disciplinary team to identify, qualify, and report on enforcement risk across 10 areas of business activity and compliance including cybersecurity and privacy, employment, immigration, customs, and status of forces, among others.
• CFIUS Mitigation and Cybersecurity: Worked with a U.S.-based manufacturer after foreign acquisition to build the cybersecurity governance program during a Join Voluntary Notice (JVN) to CFIUS. Worked with company leadership, IT personnel, and parent company leadership to build policies to address current DFARS cybersecurity requirements (NIST SP 800-171 and CMMC) and to harmonize and integrate these with the current export control compliance program.