Alex Trafton

Senior Managing Director

1 Park Plaza, Suite 1050
Irvine, CA 92614

+1.949.660.8200 Main
+1.949.529.2623 Direct
+1.760.975.9758 Mobile

Alex Trafton is a Senior Managing Director at Ankura based in Irvine, focused on national security, trade, and technology. He has over 15 years of experience in finance, risk management, and cybersecurity. He leads the NSTT information security services function and serves as a subject matter expert in cybersecurity program design, implementation, and assessment, with a focus on foreign investment control and oversight (CFIUS), Defense Industrial Base (DIB) cybersecurity requirements, international trade control compliance program support (ITAR/EAR), and artificial intelligence (AI). He was named one of the top 50 cybersecurity consultants and leaders of 2023 by the Consulting Report.

Experience

Alex’s professional experience includes:

  • High-Performance Computing Export Controls: Worked with a foreign cloud services and AI developer to implement a multibillion-dollar infrastructure pivot in order to meet U.S. Commerce Department export control requirements for high-performance computing (HPC) assets to support a new generative AI environment. Worked with company and external counsel personnel to document security policies and a system security plan (SSP) for a segregated regulated technology environment, which included the refit of multiple large regional data centers. Through the application of network security controls and asset depreciation schedules, saved the company over $150 million in removal and replacement costs.
  • FedRAMP Authorization: Worked with a SaaS developer to prepare their build and production environments for a FedRAMP moderate baseline Authority to Operate (ATO) with a U.S. government agency. Worked with company business leaders, developers, and security personnel to assess the environment and build a robust SSP prior to C3PAO assessment. Conducted in-depth technical interviews, reviewed policy and procedure documentation, and built detailed Plans of Action and Milestones (POAMs) to ensure successful authorization.
  • CFIUS Monitorship: Led quarterly product integrity testing of the secure software build environments for a global software developer subject to a National Security Agreement (NSA). Oversaw a multidisciplinary team conducting white box and black box testing with direct reporting to U.S. government agency monitors. Worked with integrity testers to ensure alignment with software security best practices, review and classify findings, and develop comprehensive reporting to address NSA requirements.
  • Defense Industrial Base Cybersecurity: Led an information security program assessment of a U.S.-based defense contractor to assess its current implementation of DFARS requirements, NIST SP 800-171, and its readiness for Cybersecurity Maturity Model Certification (CMMC) audit. The project included integration and harmonization of export control and Controlled Unclassified Information (CUI) requirements. Conducted in-depth technical interviews, reviewed evidence and artifacts, and enhanced the evidence and artifacts supporting the SSP.
  • Defense Industrial Base Cybersecurity: Led a security controls and risk assessment of the regulated data environment of a multinational manufacturing company in support of DoD cybersecurity contract requirements (DFARS) and to prepare the company for a third-party assessment of its implementation of the CMMC. Conducted in-depth technical interviews and reviewed evidence and artifacts to build an assurance case of controls implementation.
  • CFIUS Monitorship: Served as third-party monitor engagement manager for multiple solar sites in Southern California. Coordinated the multidisciplinary monitorship which included physical security, personnel security, cybersecurity, and ICS and SCADA security. Worked with the transaction parties to optimize workflows to reduce burden and cost while effectively mitigating U.S. government agency identified risks.
  • CFIUS Audit: Led the audit of a foreign language media company to review the auditee’s compliance with an NSA focused on mitigating the risk of foreign malign influence. Worked closely with the Department of Justice (DOJ) to ensure CMA equities were incorporated into the assessment of governance and technical requirements. Worked with the auditee to ensure all technical vulnerabilities were effectively remediated to provide assurance that U.S. citizen PII was protected.
  • CFIUS Mitigation and Cybersecurity: Worked with a U.S.-based data analytics company serving DOD and Intelligence Community (IC) clients to ensure its AI-driven platform met all U.S. government contract cybersecurity requirements including the CMMC (NIST SP 800-171) and the NISPOM (NIST SP 800-53). Project deliverables included governance program development, data infrastructure migration, SSP development, and POA&M remediation.

Education

  • BA, University of California, Berkeley

Certifications

  • Certificate – Cybersecurity Risk Management, Harvard University
  • Certificate – Finance, Harvard Business School
  • ISO 27001 Lead Auditor
  • ISO 27032 Lead Cybersecurity Manager
  • ISO 31000 Lead Risk Manager
  • CompTIA Security Analytics Professional (CSAP)
  • CompTIA Cybersecurity Analyst (CySA+)
  • CompTIA Security+
  • CompTIA Network+
  • CMMC AB Registered Practitioner

Languages

  • Arabic
  • Hebrew