Matt Gilbert

CISA, CRISC

Principal

+1 (410) 960 2716

Matt is a principal in Baker Tilly's risk advisory practice. Matt joined Baker Tilly in 2020 . He leads our Cybersecurity Maturity Model Certification (CMMC) and Government Contractor IT Risk suite of services. He has led IT audits and cybersecurity assessments for large primes down to smaller 8A contractors. Matt’s expertise includes internal auditing, SOX compliance, information technology controls, business process controls, and ERP risk and controls. Examples of these engagements include CMMC Readiness assessments, 800-171 implementation projects, 800-53 based ATO readiness reviews, IT Risk assessments, Sarbanes-Oxley compliance, internal audit, pre- and post-implementation assessments, and privacy assessments for clients.

Matt is actively engaged in supporting government contractors, grant recipients, state and local governments and federal agencies navigate the CMMC requirements but has extensive experience supporting NIST 800-171 and 800-53 related assessments. Matt has also run fully co-sourced internal audit engagements for large clients (multi-billion dollars in revenues) in the government contracting industry.

Experience

Led the internal audit team for a large prime Aerospace & Defense firm and large technology services firm
Led the transformation project of a large technology company to redesign customer data handling and contractual compliance efforts creating an effective second line of defense
Led NIST SP 800-171 and CMMC readiness assessments for government contractors
Led technology reviews at companies ranging from mid-size organizations to the largest corporations using Firm methodology or standard frameworks such as COSO, COBIT, ITIL, NIST SP 800-53, NIST SP 800-171 or ISO 27000
Developed standard work programs for the Costpoint ERP utilized by numerous government contractors. The work programs include automated configurable controls over all the business cycles (e.g. financial reporting, order to cash, procure to pay, hire to retire, etc.)
Conducted pre and post implementation reviews of business system implementations and significant upgrades for projects as large as $20M including Oracle, SAP and PeopleSoft ERPs
Performed or managed technical audit projects including detailed security configuration reviews over operating system, database or application configurations
Developed cybersecurity strategy and service catalogs aligned to business objectives and risk tolerance levels
Enhanced data protection capabilities through risk-driven data classification and control requirements
Created a proprietary Segregation of Duties testing tool and associated test cases used by to assess user access within the Costpoint ERP
Ran a controls integration and user access design and workstream over 2 years for a large prime contractor as part of their consolidation of two large and extremely complex SAP environments into a single instance

Involvement

Volunteer member of the CMMC Accreditation Body’s working groups
Selected as CMMC provisional assessor and completed the inaugural assessor training
Speaker on topics related to CMMC and IT risk in the following forums:
American Institute of Certified Public Accountants (AICPA) webinar, “Introduction to the Cybersecurity Maturity Model Certification (CMMC) Framework”
American Bar Association’s (ABA’s) Accounting, Cost and Pricing Committee’s webinar, “Successfully navigating the CMMC and DoD's new interim DFARS rule”
With Katie Arrington, Chief Information Security Officer for Acquisition and Sustainment (CISO(A&S)) to the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)), presenting webinars such as “Your CMMC timeline: expert guidance for today and preparing for tomorrow” and “CMMC preparation: Minimize competitive barriers and grow your federal business”
Information Systems Audit and Control Association (ISACA)
Institute of Internal Auditors (IIA)