Book a Strategy Call
Meet Barry Morgan

Connecting technical security to business reality.

Trident submarine missile technician turned DoD cybersecurity assessor. Participated in 80+ assessments across the Defense Industrial Base. I bring the same rigorous methodology used to evaluate America's defense contractors to Pacific Northwest organizations that need mature security programs โ€” without the overhead of a full-time CISO.

80+
Assessments
20+
Years in Security
DoD
Vetted Assessor
AI
Augmented Process
Assessor
Fractional CISO
Bridge Builder
Submariner
Innovator
Trusted by the Defense Industrial Base
๐Ÿ” U.S. Government Vetted
๐ŸŽ–๏ธ ETM Certified
๐Ÿ“‹ DIBCAC Assessor
โš“ U.S. Navy Veteran
๐Ÿค– AI-Augmented Methodology
Who I Am

The path from 600 feet under the ocean to your boardroom.

I started my career in the weapons department of U.S. Navy Trident submarines. Serving on the Lafayette-class USS Casimir Pulaski (SSBN 633) and the USS Ohio (SSBN 726), I helped maintain Trident C-4 tactical missiles and weapons systems. I was responsible for systems where a single failure didn't generate a ticket โ€” it put 130 lives at risk. From treadmills to nuclear weapons and everything in between, that's where I learned what security actually means. Not as a compliance checkbox. Not as a framework mapping exercise. As a discipline that keeps people safe.

U.S. Navy Enlisted Submarine Warfare Insignia (Silver Dolphins)
Submarine Warfare Qualified: Attained through systems walkthroughs and board review

For the next two decades, I took that discipline into enterprise technology across the Seattle area โ€” building, securing, and transforming infrastructure across industries. Then in 2022, I went to the other side of the table.

"Most consultants will tell you what the framework says. I can tell you what the assessor is actually looking for โ€” because I am one."

As a cybersecurity assessor with DCMA/DIBCAC, I've participated in 80+ formal assessments of Defense Industrial Base contractors against NIST SP 800-171A and CMMC. I've seen what passes. I've seen what fails. And I've pioneered an AI-augmented methodology that reduced SSP drafting time from weeks to hours.

Seattle CISO makes that assessor-grade expertise available to you โ€” before you face a formal assessment. I bridge the gap between your technical team and your executive leadership, translating complex security requirements into clear, practical programs that actually work.

The Truth

Most companies fail their first assessment.

Not because they aren't trying. Not because they don't care. Because they're getting advice from people who have never sat in the assessor's chair. I have. 80+ times.

๐Ÿ“‰
The Vague CRM Trap
The fastest path to an instant -203 score is inheriting cloud services without an accurate Customer Responsibility Matrix (CRM). If you haven't verified exactly where your boundary ends and your provider's begins, the audit will fail.
๐ŸŽฏ
Checkbox vs. Security
Too many consultants optimize for checkbox compliance. Real security means controls that actually protect your environment โ€” and happen to satisfy the framework too.
๐ŸŒŠ
The Translation Problem
Your IT team speaks one language. Your executives speak another. Your board needs a third. I bridge those conversations โ€” making security understandable at every level.
What I Deliver

Practical security leadership โ€” not slide decks.

Every engagement is built on real-world assessment experience. I don't guess at what you need โ€” I know, because I've evaluated organizations just like yours.

Core Offering
Fractional CISO

Part-time, embedded security leadership at the executive level. Policy development, risk management, board reporting, and program maturation โ€” on a schedule that fits your business and budget.

Compliance
CMMC & NIST 800-171

System Security Plans, gap analysis, POA&Ms, and control implementation that stands up to DIBCAC or C3PAO assessment โ€” because I have participated in those assessments.

Innovation
AI-Augmented Delivery

The same RAG-powered methodology that reduced SSP drafting from weeks to hours. Faster, higher-quality artifacts with explicit source citations back to your evidence.

Readiness
Pre-Assessment Reviews

Objective third-party review of your current security program before a formal assessment or audit. Find the gaps that matter โ€” before the assessor does.

The Approach

The assessment mindset โ€” applied to your advantage.

Every engagement follows the same disciplined methodology I use in formal DoD assessments โ€” adapted to build your program up instead of just evaluating it.

Phase 1
Discovery & Mapping
Current state, risk appetite, regulatory drivers

Detailed interviews, architecture reviews, and evidence collection. I map controls to your actual operations โ€” not theoretical policies. This is the same process I use at the start of every formal assessment.

Business Context Technical Reality Regulatory Scope
Phase 2
AI-Augmented Analysis
RAG models trained on your evidence base

Iterative synthesis of System Security Plans, gap analysis, and draft POA&Ms with inline citations back to source documentation. What used to take weeks now takes hours โ€” with higher quality and full traceability.

Phase 3
Implementation & Maturation
Practical, prioritized roadmap

Hands-on or advisory support to close gaps. I prioritize what actually moves the needle on risk and audit readiness โ€” not what looks good in a PowerPoint.

Policy Technical Controls Training Executive Reporting
The Proof

Real assessment experience. Not just certifications.

Most fractional CISOs have never sat on the other side of the table during a formal DIBCAC assessment. I have participated in them. I know exactly what assessors look for โ€” because it's what I look for.

Since 2022, I've served as a Cybersecurity Assessor with DCMA/DIBCAC, conducting formal assessments, Joint Surveillance Program evaluations, and leadership assessments across the Defense Industrial Base.

I am not a fan of paper certifications. They have no actual bearing on the quality of work. They function as an HR filter to find candidates โ€” but qualified and certified are not the same thing. Real security is an operational discipline, not a paper chase.

๐Ÿ”
U.S. Government Vetted
Active federal background investigation & suitability
๐Ÿ“‹
DIBCAC / C3PAO Assessor
Participated in 80+ formal cybersecurity assessments
๐ŸŽ–๏ธ
ETM Certified
Engineering & Tech Management / Foundational Acquisition
Silver Dolphins Insignia
Submarine Warfare Qualified (SS)
Attained through cross-functional systems walkthroughs and a rigorous evaluation board
FTB MT
U.S. Navy Submariner | Weapons Department
USS Casimir Pulaski (SSBN 633) & USS Ohio (SSBN 726) ยท Trident C-4 systems
๐Ÿค–
AI-Augmented Methodology Pioneer
RAG-powered SSP generation ยท Weeks โ†’ Hours

Core Competencies

Frameworks & Compliance
NIST SP 800-171A NIST SP 800-172 CMMC 2.0 DFARS 252.204-7012 SSP Authoring POA&M
Assessment & Evaluation
DIBCAC Assessments C3PAO Evaluation JSP Assessments Gap Analysis Control Verification
Technology & Innovation
RAG AI Models Prompt Engineering AI-Augmented Workflows Evidence Synthesis
Leadership
Fractional CISO Executive Presentations Board Reporting Program Maturation
The Invitation

Let's talk about your security.

Whether you need a fractional CISO, are preparing for a CMMC assessment, or just want an honest conversation about your security posture โ€” I'm here. No pitch deck. No pressure. Just a real conversation.

Select all areas where you need advisory or support: