Jimmy Armour is a cybersecurity and compliance professional specializing in NIST, SOC 2, and CIS GRC frameworks. As a Practice Lead, he guides cross-functional teams to streamline audit processes, strengthen security posture, and meet rigorous regulatory requirements—always staying on the cutting edge of emerging cybersecurity trends.
Outside of his professional pursuits, Jimmy is deeply involved in Harrisburg Young Professionals Sports—playing kickball, dodgeball, and bowling—while also participating in the 247Kickball leagues. Some years even take him to national kickball tournaments. All of which are experiences he finds mirrors the same camaraderie and teamwork that drive his success in the workplace.
In my first blog of this series (Defining and Identifying Your Attack Surface), we covered what makes up your organization’s attack surface, and how it’s likely bigger (and more complex) than you realize. But knowing what’s out there is only the beginning. If you want to stay ahead of threats, you need to continuously monitor your environment, keep your asset inventory up to date, and prioritize which exposures deserve your attention.
Let’s break down what that really looks like in practice.
In today’s evolving threat landscape, understanding your attack surface is no longer optional, it’s foundational. Before you can defend your organization effectively, you need to know what you’re defending. That’s why the first step in any strong Attack Surface Management (ASM) program is clearly defining and identifying your attack surface.
But what exactly is an “attack surface”? Let’s break it down.
If you had told me a few years ago that my calendar would be split between virtual CISO responsibilities, mentoring team members, and crafting cybersecurity campaign content with a marketing team, I might have raised an eyebrow. But today, that’s just a regular Tuesday. As the Practice Lead for NIST, SOC2, and CIS GRC Services at a cybersecurity consulting firm, no two days look exactly alike, and that’s exactly what makes the role both challenging and rewarding. However, my day has looked like this before and this includes most of my responsibilities.
The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Level 2 is based on the 110 security practices from NIST SP 800-171 rev 2. These practices are designed to protect controlled unclassified information (CUI) within the defense supply chain. For most DoD contractors, achieving CMMC Level 2 compliance is now mandatory, but the process is challenging. Organizations must navigate evolving requirements, implement technical controls, manage costs, train their workforce, and prepare for stringent audits. Here’s an overview of the top challenges contractors face along with the best practices for overcoming them.
In today’s increasingly interconnected world, safeguarding sensitive government data is a top priority for federal agencies—and for the contractors they partner with. While classified information has long been protected through well-established regulations, a new category of “Controlled Unclassified Information” (CUI) has emerged in recent years, prompting additional guidance and compliance requirements. Enter the Federal Acquisition Regulation (FAR) rule for CUI.
In this blog post, we’ll explore what CUI is, why it matters to government contractors, and how the FAR rule on CUI will shape compliance requirements going forward.