John Richards is a Cyber AB Certified CMMC Professional and Principal Cybersecurity & Compliance Advisor with an extensive background in securing Microsoft, cloud, and small business environments. Through Simplafi, John helps defense contractors understand, organize, and prepare for CMMC Level 2 requirements in a way that connects compliance expectations to real operational practice.
His approach is built on tested experience, not just interpretation. John works with organizations to identify gaps, strengthen evidence, align technical controls with written policy, and prepare teams for the realities of CMMC readiness. His focus is simple: help contractors protect their DoD opportunities without turning compliance into unnecessary chaos.
With experience across cybersecurity operations, Microsoft 365 environments, managed services, and compliance planning, John brings a practical perspective to CMMC. He helps clients move from confusion to clarity, from scattered documentation to organized evidence, and from “we think we are ready” to a stronger, more defensible readiness posture.
Simplafi is a cybersecurity advisory practice focused on helping organizations within the Defense Industrial Base achieve and maintain CMMC readiness.
We work with companies handling Controlled Unclassified Information (CUI) who need more than general guidance. They need clarity on what is actually required, what will be tested, and how to align their environment before an assessment.
Our approach is grounded in real-world implementation and assessment preparation, not theory.
Simplafi is led by John Richards, a cybersecurity and compliance advisor with hands-on experience supporting organizations through DoD security requirements and CMMC assessment readiness. He holds the Certified CMMC Professional (CCP) designation, accredited by the Cyber AB.
Every engagement is led personally.
Work is not handed off to junior consultants or delivery teams unfamiliar with your environment. The same person helping you interpret requirements is the one working through implementation decisions and preparing you for assessment.
This model is intentional.
It ensures alignment between:
Because in a CMMC assessment, those gaps are where organizations fail.
Our work has supported environments that have undergone rigorous government-led cybersecurity reviews, including assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
That level of scrutiny changes how you approach compliance.
It forces a different standard:
This is the standard Simplafi brings into every engagement.
CMMC is built on NIST SP 800-171 and structured into practices and assessment objectives.
Most organizations focus on controls.
Assessors evaluate objectives.
That distinction matters.
Simplafi helps organizations:
Because “close enough” does not pass.
We work with organizations that:
Some need a structured path over time.
Others need to move quickly to protect a contract opportunity.
We meet both where they are, with a clear path forward.
You won’t get inflated scopes or unnecessary tooling.
You will get:
Sometimes the right answer is a phased approach.
Sometimes the right answer is moving fast and investing heavily.
Our role is to help you make that decision with clarity.
Simplafi exists to help you:
Without losing focus on the work that drives your business.
A short conversation is the fastest way to know where you stand.
The official FAR clause lists 15 safeguards, but CMMC documentation often references 17 practices. Here is why:
CMMC inherited the DoD’s earlier mapping from the DFARS 252.204-21 “Basic Safeguarding” table, where two of the FAR requirements were split into multiple CMMC practice IDs during modeling. They are not additional requirements; they are a structural carryover from the original DoD-to-NIST mapping exercise.