Agenda

This presentation provides a practical legal overview of how the False Claims Act applies to defense contractors, with a focus on whistleblower activity and enforcement trends. Attendees will gain insight into common risk areas, how investigations unfold, and strategies for minimizing exposure before issues escalate.

Key topics include:

• Overview of the False Claims Act and its application to defense contracting
• Whistleblower (qui tam) actions: how they start and why they succeed
• Common compliance failures that trigger FCA liability
• Government investigation and enforcement processes
• Financial, legal, and reputational risks for contractors
• Best practices for internal controls, reporting, and risk mitigation

This presentation explains the role of the Customer Responsibility Matrix (CRM) in meeting NIST SP 800-171 requirements,
clarifying how compliance responsibilities are divided between an organization and its service providers. Attendees will learn
how shared responsibility works in practice, including how to validate whether a service provider has fully or partially assumed
responsibility for specific security controls.

Key topics include:

• Overview of NIST SP 800-171 and third-party responsibility models
• What a Customer Responsibility Matrix is and why it matters
• Defining customer vs. service provider responsibilities for 800-171 controls
• When and how a provider may assume full or partial control responsibility
• How to validate and assess a service provider’s CRM and supporting evidence
• Maintaining alignment through contracts, SLAs, and ongoing oversight

Many organizations operate under the mistaken belief that GCC High is the only compliant option for storing, processing, and
transmitting Controlled Unclassified Information (CUI). This session explains why that is not the case, explores other compliant
solutions—such as secure storage services (Dropbox , secure collaboration platforms, and Google Workspace—and helps
attendees determine when GCC High is the best fit versus when alternative solutions may better meet operational and business
needs.

Key topics include:

• Common misconceptions about GCC High and CUI compliance
• Actual requirements for storing, processing, and transmitting CUI
• Why GCC High is often chosen—and when it truly adds value
• Compliant alternatives to GCC High, including secure storage and collaboration tools
• Using platforms like Google Workspace to meet CUI requirements
• Matching solutions to use cases, risk tolerance, and business needs

This session explores the benefits of engaging third-party service providers such as RPOs, C3PAOs, and MSPs, while
highlighting the critical need for due diligence—not all providers are equally qualified or able to deliver on their claims. Attendees
will learn how to evaluate, select, and manage service providers effectively to reduce risk and ensure long-term compliance and
operational success.

Key topics include:

• Roles and differences between RPOs, C3PAOs, and MSPs
• Benefits and risks of relying on third-party service providers
• Common red flags and misleading claims to watch for
• Key questions to ask when evaluating a service provider
• How to verify qualifications, experience, and scope of services
• Best practices for managing and governing ongoing provider relationships

This session explains why CMMC compliance goes beyond written policies and procedures to require clear, defensible artifacts
and evidence that demonstrate controls are implemented, operating as intended, and effective. Attendees will learn how to
create, maintain, and curate proof of process over time—because in CMMC, if it isn’t documented and supported by evidence, it
effectively doesn’t exist.

Key topics include:

• The role of artifacts and evidence in CMMC assessments
• Difference between documentation, implementation, and operational proof
• What assessors look for as valid and sufficient evidence
• How to create, maintain, and curate artifacts over time
• Mapping artifacts to CMMC practices and processes
• How GRC platforms can simplify evidence collection, organization, and maintenance

Compliance implications for using AI on top of the dealing with tools that may only be 70% accurate, or could leak your data if
not configured properly. During this roundtable contractors share approaches to managing AI tool proliferation while protecting
CUI and maintaining CMMC compliance.

• Discovery and inventory: finding AI tools already in use across the organization
• Risk assessment: data exposure, model training, and third-party processing
• Policy development: acceptable use, data handling, and approval processes
• Technical controls: DLP integration, network monitoring, and access restrictions
• Vendor management: AI service provider assessments and contract terms
• Training and awareness: helping employees understand AI risks and proper usage

Round table attendees will trade proven approaches to POA&M development that satisfy assessors and actually drive security
improvements.

• Writing deficiencies that pass: root cause analysis, risk scoring, and remediation specificity
• Milestone planning: realistic timelines, resource allocation, and dependency management
• Evidence linkage: connecting findings to controls and tracking remediation proof
• Risk management: accepting, mitigating, and transferring risks appropriately
• Ongoing maintenance: tracking progress, updating timelines, and closing items
• Assessor perspective: what makes a POA&M acceptable vs. what triggers re-work