
Todd Stanton

Growth Specialist at K2 GRC

Todd Stanton is a Growth Specialist at K2 GRC with over five years of experience focused on governance, risk, and compliance frameworks, particularly CMMC and NIST SP 800-171. He has worked with over a dozen organizations that have successfully passed DIBCAC High and CMMC Level 2 assessments.

Todd has built relationships with more than 20 Certified Third-Party Assessment Organizations (C3PAOs) and has collaborated with over 50 Lead Certified CMMC Assessors and Instructors, giving him deep insight into how compliance frameworks are evaluated in practice.

He specializes in translating complex regulatory requirements into actionable security and compliance initiatives, with a focus on qualitative risk analysis and structured governance programs. Todd also helped architect framework crosswalk functionality within K2 GRC based on NIST IR 8477, IR 8278, and IR 8278A, supporting organizations in aligning multiple compliance standards.

Implementing 3.1.2 from NIST SP 800-171 Rev 2

By Todd Stanton, Mar 17, 2026, 10 min read
If 3.1.1 authorizes access to the system, 3.1.2 authorizes permissions within the system. The rules of chess, for example, limit the types of functions allowed for each piece...

Implementing 3.1.22 from NIST SP 800-171 Rev 2

By Todd Stanton, Mar 17, 2026, 10 min read
Organizations should prevent the release of nonpublic information on systems accessible to the public. Systems accessible to the public include websites and social media...

Implementing 3.5.1 from NIST SP 800-171 Rev 2

By Todd Stanton, Mar 17, 2026, 10 min read
Identifying accounts and devices is foundational to creating a secure and accountable system. Accounts may have assignments to people and non-person entities...

Implementing 3.5.2 from NIST SP 800-171 Rev 2

By Todd Stanton, Mar 17, 2026, 10 min read
Forbes Advisor reported 68% of Americans changed passwords across accounts due to compromise. Social media and email accounts were the most common compromised passwords...

Implementing 3.1.20 from NIST SP 800-171 Rev 2

By Todd Stanton, Mar 17, 2026, 10 min read
System architecture design and separation techniques may isolate assets that handle sensitive information. Organizations may consider these separated systems external to the system handling sensitive information.

Implementing 3.8.3 from NIST SP 800-171 Rev 2

By Todd Stanton, Mar 17, 2026, 10 min read
Media may flow out to vendors for equipment repairs or in paper form through recycle bins. Adversaries may try to retrieve data from media after it leaves the organization. Media protection limits access to system media in both paper and digital forms.

Implementing 3.10.1 from NIST SP 800-171 Rev 2

By Todd Stanton, Mar 17, 2026, 10 min read
Implementing physical security controls is a critical component of safeguarding sensitive information. The NIST physical and environmental protection (PE) domain focuses on physical safeguarding practices.

Implementing 3.10.3, 3.10.4, and 3.10.5 from NIST SP 800-171 Rev 2

By Todd Stanton, Mar 17, 2026, 10 min read
NIST SP 800-171 derived three requirements from this part of FIPS 200. The Federal Acquisition Regulation derived one practice from this part of FIPS 200.

Implementing 3.13.1 from NIST SP 800-171 Rev 2

By Todd Stanton, Mar 17, 2026, 10 min read
Organizations handling sensitive information must define the external boundary of their system. Establishing internal boundaries helps create a multi-layer defense. Enable monitoring, control traffic, and protect communications at each boundary.

Implementing 3.13.5 from NIST SP 800-171 Rev 2

By Todd Stanton, Mar 17, 2026, 10 min read
NIST describes several approaches to establishing a demilitarized zone (DMZ). This blog will discuss the following topics around NIST SP 800-171 practice 3.13.5

Implementing 3.14.1 from NIST SP 800-171 Rev 2

By Todd Stanton, Mar 17, 2026, 10 min read
Flaw remediation is the most difficult CMMC Level 1 practice. It was the only Level 1 practice on the top 10 "Other Than Satisfied" requirements.

Implementing 3.14.2, 3.14.4, and 3.14.5 from NIST SP 800-171 Rev 2

By Todd Stanton, Mar 17, 2026, 10 min read
Malware is the most common external threat to information systems. It causes widespread damage and disruption and necessitates extensive recovery efforts. Many of today’s malware threats are stealthy and designed to avoid detection.

The CMMC Assessment Process (CAP): An Ultimate Guide

By Todd Stanton, Mar 17, 2026, 10 min read
The CMMC Assessment Process (CAP) provides procedures for CMMC Level 2 Assessments. CMMC Third-Party Assessment Organizations conduct assessments of organizations seeking certification (OSCs).

CMMC Access Control Policy: An Audit-Ready Template

By Todd Stanton, Mar 17, 2026, 10 min read
This blog will outline how to build an Access Control policy that satisfies CMMC Level 2.

CMMC Awareness and Training Policy: Structure, Implement, and Track

By Todd Stanton, Mar 17, 2026, 10 min read
This blog will outline how to build an Awareness and Training policy that satisfies CMMC Level 2.

Ransomware Risk Assessment: Quantifying The Most Impactful Controls

By Todd Stanton, Mar 17, 2026, 10 min read
Ransomware isn’t just a technical threat heading into 2026; it’s a business risk that demands a unified approach, where leading cybersecurity frameworks work together to translate attacker behavior and control gaps into clear financial impact.

CMMC Audit and Accountability Policy: Log Requirements for Compliance

By Todd Stanton, Mar 17, 2026, 10 min read
This blog explains the Audit and Accountability (AU) domain under NIST and CMMC, covering logging, monitoring, and policy structure requirements.

CMMC Configuration Management Policy: An Audit-Ready Template

By Todd Stanton, Mar 17, 2026, 10 min read
The Audit and Accountability (AU) domain ensures your organization records and reviews system activity to detect threats, support investigations, and meet compliance requirements.

Microsoft GCC High Customer Responsibility Matrix Decoded: The CMMC Rosetta Stone

By Todd Stanton, Mar 17, 2026, 10 min read
This blog explains how to translate Microsoft GCC High FedRAMP CRM responsibilities into CMMC Level 2 requirements using a detailed crosswalk. It breaks down shared responsibility, control inheritance, and how to properly document both in your System Security Plan (SSP). The guide also shows how this process simplifies compliance and helps organizations prepare for CMMC assessments.

CMMC Identification and Authentication Policy Template (Audit-Ready)

By Todd Stanton, Mar 17, 2026, 10 min read
A comprehensive guide to Identification and Authentication (IA) policies, outlining how organizations verify user and device identities, enforce secure access controls like MFA, and structure policies to align with CMMC and NIST requirements for stronger cybersecurity and audit readiness.

CMMC Incident Response Policy: An Audit-Ready Template

By Todd Stanton, Mar 17, 2026, 10 min read
Learn how to build a strong Incident Response plan that helps your organization detect, contain, and recover from security threats quickly. This guide breaks down key policies, procedures, and testing strategies aligned with CMMC and NIST standards.

CMMC Maintenance Policy: An Audit-Ready Template

By Todd Stanton, Mar 17, 2026, 10 min read
This blog explains how a CMMC maintenance policy secures system repairs and maintenance activities. It covers vendor control, tool management, and aligning policies with your security plan to reduce risk and stay compliant.

CMMC Media Protection Policy: An Ultimate Template

By Todd Stanton, Mar 17, 2026, 10 min read
This blog provides a clear overview of how to build and implement a CMMC Media Protection Policy to secure sensitive data across physical and digital media. It breaks down key controls like media usage, storage, labeling, and sanitization, helping organizations reduce risk and align with CMMC Level 2 requirements.
