Carl B. Johnson

Chief Information Security Officer | Cybersecurity Compliance Expert | Author | Speaker | Podcast Host

About Carl

With over 25 years of experience in cybersecurity and compliance, Carl B. Johnson has established himself as a leading expert in the field. As a former Chief Information Security Officer (CISO), Carl has helped numerous organizations navigate the complex landscape of regulatory requirements and security frameworks.

Carl combines deep technical knowledge with strategic vision to deliver practical solutions that protect sensitive information while enabling business growth. His expertise spans NIST 800-171, ISO 27001, CMMC 2.0, ITAR, Export Controls, HIPAA, CUI protection, and emerging AI compliance frameworks.

As a recognized authority in Microsoft security and compliance solutions, Carl helps organizations implement and optimize Microsoft Defender for Endpoint, Microsoft Sentinel, Microsoft Purview, Microsoft Intune, Microsoft Entra ID (formerly Azure AD), Azure Security Center, Microsoft 365 Defender, and Microsoft Compliance Manager. His expertise extends to AI governance, responsible AI implementation, and ensuring AI systems meet regulatory requirements in highly regulated environments.

Areas of Expertise

NIST 800-171

Implementation strategies and compliance solutions for protecting controlled unclassified information (CUI).

ISO 27001

Information security management systems design, implementation, and certification guidance.

CMMC 2.0

Comprehensive preparation and remediation services for Cybersecurity Maturity Model Certification.

ITAR & Export Controls

Expert implementation of compliance solutions for International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) to protect controlled technical data and ensure national security.

Data Breach Response

Development of comprehensive incident response plans, forensic investigation procedures, and breach notification processes to minimize impact and ensure regulatory compliance.

Microsoft Security Suite

Expert implementation and optimization of Microsoft Defender for Endpoint, Microsoft Sentinel, Microsoft 365 Defender, and Defender for Office 365 for comprehensive threat protection.

Microsoft Compliance Tools

Strategic deployment of Microsoft Purview, Microsoft Compliance Manager, and Microsoft Information Protection for regulatory compliance and data governance.

Microsoft Identity & Access

Implementation of Microsoft Entra ID (formerly Azure AD), Microsoft Intune, and Conditional Access policies for secure identity and device management.

Security Remediation

Selection, deployment, and management of Qualys, Tenable Nessus, Rapid7 InsightVM, and Microsoft Defender Vulnerability Management for rapid vulnerability mitigation.

Microsoft GCC & GCC High

Expert configuration and implementation of Microsoft Government Community Cloud (GCC) and GCC High environments for federal contractors handling CUI and ITAR data.

PreVeil Secure Cloud

Implementation of PreVeil's end-to-end encrypted email and file sharing solutions for NIST 800-171 and CMMC 2.0 compliance.

Data Protection & Classification

Design and implementation of data classification frameworks, data loss prevention (DLP) solutions, and encryption technologies to protect sensitive, classified, and controlled unclassified information (CUI).

Security Logging & SIEM

Design and implementation of Microsoft Sentinel, Splunk, Elastic Stack, and QRadar for comprehensive security logging, monitoring, and threat detection.

AI Compliance & Governance

Development of comprehensive AI governance frameworks, responsible AI implementation strategies, and compliance approaches for AI systems in regulated industries.

Need Expert Cybersecurity Compliance Guidance?

Ensure your organization achieves and maintains compliance with industry regulations and security frameworks.


Published Books

Carl B. Johnson has authored 6 influential books on cybersecurity compliance and best practices, drawing from his extensive experience as a CISO and compliance expert.


ITAR and Export Controls Fundamentals: A Guide for Compliance Managers

A comprehensive guide for compliance managers navigating International Traffic in Arms Regulations.


ITAR Compliance Made Easy: A Practical Guide to Program Development

A step-by-step approach to developing and implementing effective ITAR compliance programs and procedures.


HIPAA Privacy & Security Compliance for Healthcare Administrators

Essential guidance on implementing HIPAA privacy and security requirements for healthcare organizations and administrators.


Shielding Your Business From Data Breaches: A Comprehensive Guide to Data Security

Strategies and frameworks for protecting your organization from data breaches through proactive security measures.


CUI for Federal Contractors

Practical methods for implementing data classification and protection systems for Controlled Unclassified Information.


CMMC 2.0 For DOD & Federal Contractors

Creating and implementing DFARS/NIST 800-171 processes, policies, and procedures to achieve CMMC 2.0 compliance.

InfoSec Battlefield Podcast


Carl B. Johnson is the creator and host of the popular "InfoSec Battlefield" podcast, where he interviews industry leaders, discusses emerging threats, and shares practical strategies for improving organizational security posture.

With over 100 episodes and thousands of monthly listeners, the InfoSec Battlefield podcast has become a trusted resource for security professionals seeking actionable insights and expert perspectives on today's most challenging security and compliance issues.


Featured Videos

Watch Carl share his insights on cybersecurity compliance and best practices.

Speaking Engagements

Carl is a sought-after speaker on cybersecurity compliance topics, having presented at numerous industry conferences and events.

Popular Speaking Topics:

Client Testimonials

Feedback from organizations that have worked with Carl B. Johnson. Client references available upon request.

"Carl's expertise in CMMC 2.0 compliance was invaluable to our organization. He guided us through the entire certification process with clear strategies and practical solutions. His in-depth knowledge of NIST 800-171 requirements saved us countless hours and resources."

— Director of Information Security

Defense Contractor

"Implementing Microsoft GCC High environment seemed overwhelming until we brought Carl on board. His methodical approach to security configuration and compliance requirements made the transition seamless. Our team now has a robust security posture that meets all federal requirements."

— Chief Technology Officer

Technology Services Provider

"After experiencing a data breach, we hired Carl to develop our incident response plan and implement stronger data protection measures. His expertise in ITAR compliance and data classification frameworks transformed our security protocols. He's now our go-to consultant for all compliance matters."

— VP of Compliance

Aerospace Industry

Frequently Asked Questions

Get answers to common questions about cybersecurity compliance and consulting services.

What types of organizations do you typically work with?


I work with a diverse range of organizations including defense contractors, federal agencies, healthcare providers, technology companies, and businesses in regulated industries. My services are particularly valuable to organizations that handle sensitive information, need to comply with government regulations, or are seeking to improve their cybersecurity posture.

How long does it typically take to become CMMC 2.0 compliant?


The timeline varies based on your organization's current security maturity and the specific level of CMMC compliance required. For most organizations starting with basic cybersecurity measures, Level 2 compliance typically takes 6-12 months of focused effort. This includes gap analysis, remediation planning, implementation, documentation, and validation. I provide realistic timelines after conducting an initial assessment of your current environment.

What are the most common compliance gaps you encounter?


The most common gaps include insufficient documentation of security policies and procedures, inadequate access controls, weak configuration management, incomplete incident response planning, and lack of security awareness training. Many organizations also struggle with proper identification and protection of controlled unclassified information (CUI) and implementing appropriate technical controls for data protection.

Do you offer virtual CISO services?


Yes, I offer virtual CISO (vCISO) services to organizations that need executive-level security leadership without the cost of a full-time CISO. My vCISO services include security strategy development, compliance management, risk assessment, security awareness training, vendor management, and board/executive communication. These services can be tailored to your organization's specific needs and scaled according to your requirements.

What's your approach to AI governance in regulated environments?


My approach to AI governance in regulated environments focuses on developing comprehensive frameworks that address risk management, data protection, ethics, and compliance requirements. I help organizations establish AI policies, implement monitoring and oversight mechanisms, and ensure alignment with emerging regulations like the EU AI Act and industry standards. For federal contractors, I emphasize controls that satisfy both NIST and agency-specific requirements while enabling responsible innovation.

How do you stay current with evolving compliance requirements?


I maintain active involvement in industry associations, participate in regulatory working groups, attend specialized training programs, and regularly contribute to professional forums and publications. I also maintain close relationships with compliance authorities and technology partners to stay informed about upcoming changes. This commitment to continuous learning ensures my clients receive guidance based on the most current requirements and best practices.

Get in Touch

Ready to strengthen your organization's security posture and ensure compliance with industry regulations?
