Keynote: Uniting the Framework with its CMMC Assessment

Session 1: Timeline to Compliance

Session 2: CUI

Session 3: Power Session - 1.5 Hours

Session 4: Building a Culture of Evidence

The Prime Panel

Session 5: Documentation -- Too Much, Too Little and Just Right

Session 6: Choosing a Service Provider

Session 7: Mock Assessment Walk-through Panel

George Finney, SMU CISO and bestselling author of Project Zero Trust, will discuss the current state of cybersecurity and why government oversight and compliance are so important.
Eric Crusius, Holland and Knight
Tommy Baril, US Government Accountability Office (GAO) Defense Capabilities and Management team
Jerry Leishman, Crown Infosec
Jim Johnson, Safran 
Regan Edens, DTC Global

Regan Edens, DTC Global 
Bill Cooper, Vanguard – Critical Infrastructure
Mike Ellestad, MpM Products – F-35 Supply Chain
Mitch Niemela, Tool Craft Precision
John Pantzer, Skywire Design – Engineering Firm
Chris Jensen, GracoRoberts
Scott Paul, Premier SS

Smart people learn from their mistakes. Smarter people learn from OTHER people’s mistakes. This dynamic panel is an opportunity you won’t get anywhere else – a chance to learn from companies who have already headed down the road to compliance. You’ll learn from those in the trenches on the right (and wrong) way to navigate CMMC.

Lincoln Neely, Beryllium Infosec

Practical implementation guidance for organizations to achieve and maintain CMMC compliance.

There's a lot of information to know surrounding CMMC: intricacies of CUI, scoping, technical baselines, documentation, ongoing compliance activities, and the list goes on. It's often overwhelming and leaves organizations unsure of how to proceed. This session aims to demystify the seemingly daunting task of CMMC compliance from an implementation perspective. Attendees will get a simplified framework of practical steps, considerations and decisions for their organization to make toward achieving –and maintaining– CMMC compliance.

Stuart Itkin, NeoSystems

Whether an advisor, a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP), who you work with to achieve and maintain compliance is important. DoD regulations, DFARS 242.204-7012 and NIST 800-171 in particular, are very specific, as are the assessment objectives which must be satisfied to achieve compliance. Many providers capable of supporting commercial organizations don’t have the understanding of DoD regulations or the ability to ensure your organization will be compliant, although they may claim to. This session will explain what qualifications are important when evaluating advisors, MSPs and MSSPs, and how to ensure the providers you select are the right providers for your organization.

Fred Tsigiri, Guernsey

All government agencies are implementing new requirements for their supply chain. FEMA is pushing down NIST 800-171 or equivalent to private sector property insurers, TSA is updating pipeline security directives, and of course, the DoD implementation of CMMC to assess DFARS 7012 requirements. During this two-part conversation, we will discuss setting new business expectations to remain competitive in the marketplace and the growth opportunities each of us have as individuals to catapult our careers to the next level.

Mark Berman

Jim Goepel

To become compliant, third party assessors need documentation showing how your business operates securely and compliantly, with proof that you are following that system.  If you aren’t careful, maintaining compliance can result in a flood of documents, and worse a ginormous and repeating process to prep for annual self-attestations and triennial third party assessments.
This session will teach you how to build a system from the ground up that minimizes disruption and improves quality organization-wide.  Documented delivery of management’s needs through SOPs (standard operating procedures) for assessors can be contagious and go beyond cybersecurity.  We’ll show you how to:

  • Organize management’s desired outcomes through policy (and the pitfalls of overdoing it)
  • How to create procedures and build habits that deliver policy outcomes
  • Understand expected document types and relationships between them
  • Create accountability
  • End/prevent expensive pre-assessment discovery
  • Monitor both compliance and employee performance in one system

Matt Travis, Cyber-AB

Robert Teague, RedSpin

Lincoln Neely, Beryllium

Stuart Itkin, NeoSystems

In this session you will learn about current assessment trends including:

  • FIPS 140-2 Validated Encryption
  • Printing capabilities largely overlooked
  • External Connections not identified
  • Outdated Application Whitelist
  • Commercial Cloud vs. Government Cloud

Several case studies will be discussed, and Robert will guide you through how to get started.