Cryptid Cyber


About Cryptid Cyber
About Us
Cryptid Cyber is a consultancy built around a simple premise: the compliance, privacy, and AI governance challenges facing today’s organizations are increasingly the same challenge, viewed from different angles — and they’re best addressed by someone who can see all three at once.
CMMC & NIST SP 800-171
Our core practice helps Department of Defense contractors and subcontractors navigate CMMC Level 1 and Level 2 requirements — from initial scoping and gap analysis through readiness assessment, SSP and POA&M development, and ongoing compliance support. We work from a structured, objective-by-objective methodology covering all 110 NIST SP 800-171 security requirements and their 320 underlying assessment objectives, giving clients a clear, evidence-based picture of where they stand and what it takes to get assessment-ready.
Privacy
Data privacy obligations — GDPR, CCPA, and emerging U.S. state privacy laws — increasingly overlap with federal contracting requirements like CUI handling, but they also stand on their own for any organization handling personal data. Cryptid Cyber brings privacy program expertise to both contexts: helping defense contractors align CUI handling with privacy obligations, and helping other organizations build data governance, retention, and privacy practices independent of CMMC.
AI Governance
As AI tools become embedded in everyday business software, AI adoption decisions are increasingly compliance decisions — particularly for organizations handling CUI or other regulated data. Cryptid Cyber helps clients evaluate AI tool adoption against existing compliance obligations, develop AI usage policies grounded in frameworks like the NIST AI Risk Management Framework, and close the gap between what IT has approved and what compliance assumes is happening.
Professional Background
Cryptid Cyber was founded by Devin Thelin, whose background spans security management, cloud security, privacy, and assessment methodology — including credentials such as CISSP, CCSP, CISM, CIPP/E, CIPM, and AIGP — alongside graduate study in cybersecurity and business, and doctoral work in cybersecurity analytics. Additionally, Devin has more than a decade of professional experience in DoD environments, healthcare, education, and other regulated sectors, which shows that he knows how to help clients achieve compliance and understanding across many arenas. That combination reflects the firm’s underlying approach: compliance, privacy, and AI governance aren’t treated as separate disciplines requiring separate vendors, but as connected parts of the same operating environment.