RC-01 // Professional Profile

Personnel record // Security and compliance

GRC and FedRAMP Compliance Specialist

I am a cybersecurity governance, risk, and compliance professional specializing in FedRAMP compliance, federal authorization requirements, and the work required to achieve and maintain an Authority to Operate.

My experience is centered on turning complex regulatory requirements into practical, sustainable security programs. I have worked directly with security teams, software developers, auditors, and third-party assessment organizations to maintain compliance, resolve findings, strengthen documentation, and keep authorization activities on schedule.

I believe effective compliance should do more than satisfy an audit. It should improve how an organization understands risk, manages vulnerabilities, documents its security posture, and makes decisions.

FedRAMP and ATO Leadership

At Vasion, I served as the member of the security team dedicated specifically to FedRAMP compliance. Working within a small security team supporting an organization of more than 400 employees, including a large software development workforce, I helped the company achieve and maintain a FedRAMP High ATO with IL4 alignment.

My responsibilities included creating and maintaining the System Security Plan, developing and updating security policies and procedures, operating the internal audit program, coordinating daily with the 3PAO, and ensuring that assessment and remediation deadlines remained on track.

As the primary maintainer of the SSP, I was responsible for understanding the controls applicable to FedRAMP High and IL4 and for ensuring that control implementations were accurately documented, supported by evidence, and kept current as systems and processes evolved.

I also supported FedRAMP authorization maintenance at LexisNexis Reed Tech, where my work included federal compliance, internal auditing, vulnerability remediation oversight, and alignment with frameworks such as NIST 800-53 and FISMA.

Vulnerability Management and Continuous Compliance

A significant part of my work has involved managing vulnerability remediation across cloud environments and coordinating with internal engineering teams to deliver patches and updates on time.

I managed remediation activities against the required 30-, 60-, and 180-day thresholds for high-, moderate-, and low-risk findings. This required more than tracking due dates. It involved understanding technical risk, identifying duplicate findings, determining when multiple vulnerabilities could be resolved through the same patch, prioritizing remediation work, and maintaining clear communication between security, engineering, and external assessors.

I also led internal audit activities designed to identify weaknesses before they became external audit findings. By treating compliance as a continuous operating discipline rather than an annual event, I helped improve audit readiness and reduce last-minute remediation pressure.

Applying AI to GRC

I believe organizations that responsibly integrate artificial intelligence will operate faster, make better-informed decisions, and produce stronger compliance outcomes than organizations that avoid it.

My approach to AI is practical. I use it to augment professional judgment, reduce repetitive work, improve consistency, and help experienced security professionals focus on the decisions that require human context and accountability.

I have applied AI to:

  • Drafting and reviewing security policies
  • Identifying missing requirements or incomplete language
  • Prioritizing POA&M items
  • Ranking vulnerability severity
  • Detecting duplicate findings
  • Identifying vulnerabilities that may be resolved by a common patch
  • Comparing documentation against control requirements
  • Accelerating research, analysis, and audit preparation

AI does not replace security expertise, evidence, or accountability. Used responsibly, however, it can make compliance programs more efficient, more thorough, and more responsive.

Technical Curiosity and Hands-On Innovation

My interest in AI extends beyond compliance.

Through DigitalDesign.ai, I created tools and educational resources intended to make generative AI technologies more accessible to nontechnical users. The project gave me hands-on experience working with Stable Diffusion, large language models, distributed AI systems, and emerging automation workflows.

I am also developing RoboBot, an experimental artificial intelligence project in which different large language models design competing bot strategies for the original Quake engine. The project combines AI-assisted development, software testing, data analysis, benchmarking, and iterative engineering.

These projects reflect the same approach I bring to GRC: understand the underlying system, experiment thoughtfully, measure the results, and use technology to improve the final outcome.

Professional Foundation

My background includes more than a decade of experience across cybersecurity, governance, risk management, compliance, internal audit, security operations, infrastructure support, business analysis, and technical testing.

My professional credentials and qualifications include:

  • CompTIA Security+
  • CompTIA A+
  • ISO 27001 internal auditing credentials
  • Bachelor of Science in Business Management
  • Prior U.S. Government Public Trust clearance
  • Experience with FedRAMP, FISMA, NIST 800-53, ISO 27001, SOX, DISA STIGs, RMF, and cloud security environments

Open to New Opportunities

I am currently open to remote opportunities where I can help an organization achieve or maintain a FedRAMP authorization, strengthen its GRC program, improve audit readiness, manage continuous compliance, or responsibly introduce AI-assisted workflows into its security operations.

For additional information, please view my résumé, connect with me on LinkedIn, or contact me regarding employment opportunities.