CMMC Ecosystem Summit + CMMC Implementation Conference

Building a Community...

We are all in this together.  Building a CMMC community does not happen by accident.  It happens with intention. We are so grateful for your interest in traveling to CEIC West and sharing your knowledge.

In recognition of that, and with the intention of helping build the CMMC community, we are doing the following things in comparison to other conferences.  

First, we are doubling the number of speakers, with a minimum of two per session.  That does two things.  It gives more people a chance to spend time on stage.  And it also creates an opportunity for two knowledgeable speakers to collaborate to build their joint presentations.  You get to know someone in a way that just isn't the same as "networking" because you'll be working together towards a common goal.

We also are adding nearly 1/3 more presentations.  Most track sessions which were 60 minutes in the past will be 45 minutes now.  That puts more people on stage, and it shows an awareness of our audience's ever shrinking, 2025, attention span.  

To provide these additional opportunities, we are asking speakers to contribute to their registration by offering nearly 60% off the standard ticket price of $1195, with a flat registration fee of $500.  This will help defray some of the costs for supporting what could be more than 60 speakers at the conference, while keeping audience ticket prices down.

We understand that this may be a burden for some speakers in our nascent industry.  We don't want you and your ideas to be excluded.  So, if you are selected and you require support beyond the discount, email [email protected] and we will work with you to make sure that you can attend.  

Once again, our gratitude is deep for considering CEIC West as the venue to share your knowledge, and our anticipation for the event is palpable.

We'll see you in Vegas in May!

-Mark Berman
CEO, Forum Makers 

Speaker Information

  • Notification: Selected speakers will be notified of their application status by March 7th, 2025.
  • Respond to your confirmation email signifying your acceptance to speak at the conference.
  • Register for the conference using your unique access code provided in your confirmation email by March 15th.
  • If you are selected to speak with a co-presenter, Forum Makers will make the initial introduction so you can coordinate and prepare prior to your presentation.
  • A PowerPoint presentation is optional. If used, speakers must use the official CEIC West template, which will be provided by April 1st.
  • Make sure to book your hotel by April 18th - view hotel info here.

General Session Topics

SESSION DETAILS

CMMC Level 1 - You and The Other 220,000 Contractors

Wednesday, May 21st
Duration: 30 mins.
Speaker 1: TBD
Speaker 2: TBD

Compliance with CMMC Level 1, mandated by FAR clause 52.204-21(b)(1), isn’t just a box to check—it’s a chance to unlock value for both contractors and service providers. For contractors, it provides an opportunity to strengthen operations and build trust with customers. For service providers, it’s a pathway to deepen client relationships and differentiate their offerings. This session explores how both groups can collaborate to implement Level 1 compliance in a way that drives not only security but also profitability.

We’ll explore:

  • The 15 security practices required for CMMC Level 1 and how to implement them efficiently without unnecessary overhead.
  • How contractors can use compliance to improve processes, win more contracts, and increase customer confidence.
  • The role of service providers in streamlining compliance efforts while creating opportunities for recurring revenue and premium services.
  • Practical strategies to align contractors and service providers for seamless implementation, reduced costs, and shared success.

This session will show you how compliance can be more than a mandate—it’s a bridge to stronger partnerships, more secure operations, and greater profitability for everyone involved.

Feeding the Monster. Recruiting, Training and Attracting the Workforce We Need

Wednesday, May 21st
Duration: 30 mins.
Speaker 1: TBD
Speaker 2: TBD

The CMMC ecosystem demands skilled talent to meet compliance requirements, offering individuals a fast track to six-figure salaries while helping contractors and service providers succeed. But a single CCP class isn’t enough. This session explores how individuals, contractors, and service providers can collaborate to develop a workforce that drives compliance, fosters cybersecurity awareness, and builds resilience.

We’ll discuss:

  • For Individuals: How certifications like CCP and beyond can unlock lucrative career opportunities—and the additional training needed to stand out as a compliance leader.
  • For Contractors: How CCP-trained staff empower organizations to lead culture change, foster cybersecurity awareness, and ensure adherence to SOPs while producing evidence for compliance. Their expertise also enables contractors to become smarter buyers of third-party services, reducing risks and improving outcomes.
  • For Service Providers: Building skilled teams that enhance service delivery, meet client compliance needs, and create value through collaboration and access to hands-on training resources.
  • Shared Goals: Creating a workforce pipeline through mentorship, partnerships, and education to attract new talent while upskilling existing teams.

This session equips individuals, contractors, and service providers with actionable strategies to align efforts, ensuring compliance success while strengthening and empowering the CMMC ecosystem.

All the Changes in the Law - Now and Coming Soon

Thursday, May 22nd
Duration: 40 mins.
Speaker 1: TBD
Speaker 2: TBD

The "Delta" Session

Get up to date with all of the rule changes since last December and those that are coming up:

  • Final CMMC Rule (Title 32 Rule) Effective 12/26/2024
  • The CAP (CyberAB CMMC Assessment Process), Effective 12/2024
  • DFARS 7021 Update, Effective 1/17/2025
  • FAR Update (48 CFR), Proposed Rule, 1/15/2025

Supply Chain Security Across the Federal Government (and States)

Thursday, May 22nd
Duration: 40 mins.
Speaker 1: Robert Metzger facilitated by Mark Berman
Speaker 2: TBD

The Now and Future of CMMC under the Trump Administration

Split Session: Tom Bendien on AI Tools
PANEL: Responsible and ethical use and assessment of AI in the CMMC ecosystem.

Thursday, May 22nd
Duration: 40 mins.
Speaker: Tom Bendien
Panelist 1: TBD
Panelist 2: TBD
Panelist 3: TBD
Panelist 4: TBD
Panelist 5: TBD

Artificial Intelligence (AI) is transforming how organizations approach compliance, offering powerful tools to streamline assessments, manage risks, and craft effective policies. But with these opportunities come critical questions: Where does AI truly add value, and where could it create unintended vulnerabilities? This split session will explore both the potential and the pitfalls of using AI in compliance for the Defense Industrial Base (DIB).

Part 1: AI in Action (with Tom Bendien)

  • Discover how AI tools can streamline CMMC assessments with live demos showcasing their capabilities.
  • Gain Pro Tips on how to assess risks, identify gaps, and create tailored policies for the DIB when adopting AI technologies.
  • Explore real-world applications and learn how to integrate AI into compliance processes effectively.

Part 2: Panel Discussion

Join industry experts to discuss where AI should—and should not—be used in compliance.

  • Understand the risks AI introduces, including potential biases and unintended consequences.
  • Learn how to evaluate resources, select trusted advisors, and ensure informed decision-making before adopting AI-driven suggestions.

This session challenges you to reframe your perspective on AI: not as a replacement for human judgment, but as a powerful tool for augmenting compliance efforts. Leave with practical insights into how AI can be responsibly leveraged to strengthen your compliance program while managing its inherent risks.

CMMC Beyond the DoD: Preparing for a Broader Compliance Landscape

Thursday, May 22nd
Duration: 40 mins.
Speaker 1: Michael Gruden
Speaker 2: Kayli Keogh, Honeywell
Speaker 3: Jennie Von Cannon, DO

The influence of CMMC is growing rapidly, moving beyond its origins in the Department of Defense (DoD) to appear in RFPs and RFQs and impacting industries and governments worldwide. This session explores the expanding role of CMMC, providing practical insights for contractors and organizations navigating this evolving compliance landscape.

We’ll cover:

  • CMMC in RFPs and RFQs: Emerging trends in how CMMC is being integrated into DoD solicitations and what contractors need to do to prepare and remain competitive.
  • CMMC’s Expanding Reach: How other federal agencies, private enterprises, and international governments are adopting CMMC principles, and its potential to become a universal cybersecurity standard.
  • Navigating Complex Compliance: Perspectives from an experienced compliance counsel at a leading Aerospace & Defense company on addressing CMMC requirements in multinational environments. Topics include balancing risk tolerance, DOJ enforcement considerations, and implementing effective cybersecurity controls in complex operations.

This session equips attendees with actionable knowledge to anticipate CMMC’s growing impact across industries and borders, helping organizations stay ahead in a world where compliance is becoming a critical competitive advantage.

Creatures of Habit - Cheats and Practices for Annual, Quarterly, Monthly, Weekly Practices to Maintain Certification

Friday, May 23rd
Duration: 30 mins.
Speaker 1: Emery Csulak
Speaker 2: TBD
Speaker 3: TBD

Mock Assessment - Dissecting the CAP: Inside the Room of a CMMC Assessment

Friday, May 23rd
Duration: 75 mins.
Speaker 1: TBD
Speaker 2: TBD

What happens in the room during a CMMC assessment can make or break your compliance journey. This session combines a live mock assessment with strategic insights to prepare you for the Certification Assessment Process (CAP). You'll gain a comprehensive understanding of how assessments are conducted and learn how to approach them with confidence and precision.

The session kicks off with a 15-minute educational overview, covering:

  • The purpose and key phases of the CAP, including planning, evidence review, and final reporting.
  • How to effectively prepare for your assessment by organizing evidence, understanding timelines, and addressing potential gaps.

The main event is a live, simulated mock assessment, featuring a fictitious Organization Seeking Certification (OSC) and a Certified Third-Party Assessor Organization (C3PAO) team.

You’ll experience:

  • What It’s Like to Be in the Room: Insight into the pace, flow, and dynamics of the assessment process.
  • Evidence Review in Action: How assessors validate compliance by examining policies, procedures, and security controls.
  • Interview Strategies: Best practices for interacting with assessors, including how to avoid “saying too much,” staying concise, and preventing dead-end conversations.
  • Common Pitfalls and Outcomes: Identifying errors to avoid and understanding how findings are documented in final reports.

This session delivers a practical, immersive experience that prepares you to navigate the CAP effectively, ensuring you’re equipped to handle the pace and expectations of a real CMMC assessment.

Contractor's Track Topics

SESSION DETAILS

Level Set - CMMC Terminology

Wednesday, May 21st
Duration: 20 mins.
Speaker 1: TBD
Speaker 2: TBD

The world of CMMC is full of acronyms, jargon, and technical terms that can leave contractors feeling overwhelmed. In just 20 minutes, this session will break down the key terminology you need to know to navigate CMMC confidently. From terms like “FCI,” “CUI,” and “POA&M” to evolving ecosystem terms like "CCA", "OSC", "CCP", "RPO", "RP", "PI", and "LTP", to technical terms like "FIPS" and many more, we’ll cut through the complexity to give you a clear understanding of the language of compliance.

You’ll learn:

  • The critical terms and concepts every contractor needs to know to succeed with CMMC.
  • How to differentiate between technical jargon and actionable requirements.
  • Real-world examples of how misinterpreting terminology can lead to compliance gaps.
  • Walk away with a solid foundation in CMMC terminology so you can confidently engage with auditors, service providers, and compliance requirements.

The Scoping Tightrope: Balancing Cost, Complexity, and Risk in CMMC Compliance

Wednesday, May 21st
Duration: 60 mins.
Speaker 1: TBD
Speaker 2: TBD

Scoping for CMMC is a high-stakes balancing act. Done right, it reduces costs, simplifies IT, and minimizes training overhead by isolating compliance efforts to a controlled enclave. But done wrong, it can introduce unexpected risks, create unmanageable complexity, and leave critical data—like CAD vaults in manufacturing—vulnerable.

This session explores the fine line between efficiency and exposure, walking through the risks of over-scoping (wasted resources) and under-scoping (compliance failures and security gaps). We’ll also delve into strategies for establishing strong boundaries between the enclave and the rest of your organization, ensuring only authorized people and devices access the protected environment. With real-world examples of scoping missteps and successes, this talk equips you with the tools to scope smart, not risky.

Key Takeaways:

  • Learn how improper scoping decisions can increase organizational risk, from regulatory non-compliance to data breaches.
  • Explore cost-effective strategies for balancing IT licensing, training, and operational complexity with robust security controls.
  • Understand the importance of clear boundaries within a CMMC enclave and how to prevent spillover risks.
  • Gain actionable insights into protecting in-scope CAD vaults and addressing manufacturing-specific challenges.
  • Avoid common scoping pitfalls with real-world examples of what works—and what doesn’t—in the CMMC landscape.

Selecting the Right CMMC Partners: From Service Providers to Your C3PAO

Wednesday, May 21st
Duration: 40 mins.
Speaker 1: TBD
Speaker 2: TBD

As a contractor, your ability to achieve and maintain CMMC compliance often depends on the service providers you rely on—your MSPs, MSSPs, and CSPs. Equally important is your choice of a Certified Third-Party Assessment Organization (C3PAO) to certify your compliance. But how can you tell if these partners are delivering a complete solution or leaving critical gaps that could cost you time, money, and compliance?

This session will help you evaluate your service providers’ offerings and your options for selecting the right C3PAO.

We’ll cover:

Service Providers:

  • How to determine if your MSP is delivering an “80%” or a “100%” solution for compliance.
  • Common pitfalls, like hidden add-on costs and gaps in services, and how to avoid them.
  • What certifications (SOC 2 Type 2, FedRAMP, CMMC) to look for in your service providers, and when they’re required for your compliance journey.
  • Questions to ask your service providers to ensure they’re meeting your compliance needs.

Selecting a C3PAO:

  • What makes a C3PAO credible and trustworthy in the CMMC ecosystem?
  • Key factors to consider when choosing a C3PAO, including their experience, pricing structure, and availability.
  • Insights from a C3PAO on how to evaluate their services and avoid common contractor missteps.
  • Questions to ask during the selection process to ensure they align with your compliance timeline and goals.

By the end of this session, you’ll be equipped to vet your service providers effectively, select the right C3PAO, and hold all your partners accountable for helping you achieve and maintain CMMC compliance without surprises.

DOJ & CMMC: How the Government Enforces CMMC

Thursday, May 22nd
Duration: 40 mins.
Speaker 1: Michael Gruden
Speaker 2: Jennie Von Cannon, DOJ
Speaker 3: TBD

Since the Civil Cyber Fraud Initiative, the Department of Justice has brought forth endless cases and penalties against companies that fail to implement cybersecurity requirements. Join former Department of Justice cybersecurity prosecutor and former Pentagon IT Acquisition Branch Chief Michael Gruden, now both cybersecurity Partners at Crowell & Moring LLP, as they discuss the key cybersecurity gaps and omissions the government has enforced in CCFI cases and which CMMC controls are most commonly affected. During this robust conversation, common CMMC control vulnerabilities will be addressed, along with considerations to harden potential gaps.

PANEL - From JVSA to C3PAO: Navigating the New CMMC Landscape for a Smoother Certification

Thursday, May 22nd
Duration: 40 mins.
Panelist 1: TBD
Panelist 2: TBD
Panelist 3: TBD
Panelist 4: TBD
Panelist 5: TBD

With the CMMC Assessment Process (CAP) newly published in December, everyone is navigating an evolving compliance landscape. This panel brings together diverse perspectives from:

  • A company that completed a Joint Surveillance Voluntary Assessment (JVSA)
  • A service provider supporting CMMC readiness
  • A Certified Third-Party Assessment Organization (C3PAO).

Panelists will share lessons learned from the JVSA process, insights into what went right and wrong, and strategies to apply these experiences to your C3PAO-based certification. You'll also gain practical tips on managing variances in C3PAO criteria, leveraging data governance to control costs, and preparing for success in a rapidly changing compliance environment.

Control Deep Dive: Documenting and Preparing Evidence for Two Controls

Thursday, May 22nd
Duration: 30 mins.
Speaker 1: TBD
Speaker 2: TBD

This session focuses on the practical application of CEIC West insights to document and prepare the body of evidence for two specific CMMC controls—one simple and one complex. Attendees will learn how to create compliance statements for each control objective and assemble the evidence required for the Examine, Interview, and Test phases of an assessment.

We’ll cover:

  • Compliance Statements: How to craft precise, objective-aligned compliance statements that clearly define control implementation and effectiveness.
  • Examine Phase: Documenting policies, procedures, and records that are concise yet comprehensive to meet assessor expectations.
  • Interview Phase: Preparing teams to articulate how controls are implemented, backed by documented evidence, while avoiding unnecessary elaboration.
  • Test Phase: Demonstrating operational effectiveness with technical configurations and supporting records that align with documented objectives.
  • Balancing Evidence: Ensuring documentation is neither excessive nor insufficient, avoiding unnecessary complexity while addressing all requirements.

This session provides a detailed walkthrough of how to effectively document and prepare evidence for two controls, giving attendees the tools to ensure their body of evidence meets assessment standards.

False Starts/Knowing-Doing Issues

Friday, May 23rd
Duration: 30 mins.
Speaker 1: Mike Bramm
Speaker 2: TBD

How to keep the momentum on the CMMC process

  • Get C-Suite Buy-In
  • Staying focused and not getting distracted by daily tasks
  • Creating new habits for staff
  • Engaging Non-IT Staff
  • Examples of how people go off track and get bogged down

Service Provider's Track Topics

SESSION DETAILS

CAICO Training Updates: Staying Certified in the Evolving CMMC Ecosystem

Wednesday, May 21st
Duration: 20 mins.
Speaker 1: TBD

As the CMMC ecosystem evolves, staying certified requires service providers to stay ahead of critical updates from CAICO. One of the most important developments is the introduction of "delta" training, designed to bridge the gap for professionals who completed certification before the CMMC rule release. This session will provide an essential update on CAICO's training oversight, certification pathways, and the implications for service providers.

You’ll learn:

  • The structure and requirements of "delta" training to ensure certifications remain valid and up-to-date.
  • Key timelines for Certified CMMC Professionals (CCPs), Certified Assessors (CAs), and instructors to maintain compliance.
  • Updates on CAICO’s current training programs and certification pathways, including Provisional Instructor (PI) and Certified CMMC Instructor (CCI).
  • How to prepare your organization and clients for changes in training and certification requirements.
  • Practical insights into leveraging CAICO’s programs to align your services with CMMC expectations.

This session equips you with the knowledge to stay certified, support your clients effectively, and ensure your organization remains competitive in the CMMC ecosystem.

What Does It Take to Be an Effective ESP in the CMMC Market?

Wednesday, May 21st
Duration: 60 mins.
Speaker 1: TBD
Speaker 2: TBD

Thriving as an External Service Provider (ESP) or C3PAO in the CMMC Market

Thriving as an External Service Provider (ESP) in the CMMC market isn’t just about delivering great technical services—it’s about mastering compliance, managing costs, and building trust with your clients. Whether you’re an MSP, MSSP, CSP, or aspiring to become a Certified Third-Party Assessment Organization (C3PAO), understanding how to align your services with CMMC requirements is critical to staying competitive and profitable. This session focuses on the practical, real-world steps ESPs and C3PAOs need to take to succeed in this challenging market.

For External Service Providers (ESPs):

  • The financial and operational impacts of becoming a compliance-focused ESP, including investments in certifications like SOC 2, CMMC, and FedRAMP.
  • How to structure services that meet client compliance needs while maintaining profitability.
  • The role of documentation, QBRs, and consulting in positioning yourself as a trusted partner for your clients’ compliance journey.
  • Why simplifying compliance for your clients isn’t just a value-add—it’s a business necessity in the CMMC market.
  • Strategies to balance profitability with the additional complexity of serving compliance-driven contractors.

For C3PAOs:

  • What it takes to build and become a C3PAO, including ISO requirements, staffing needs, and operational readiness.
  • Key challenges specific to C3PAOs, including navigating accreditation processes and managing auditor capacity.

This session provides a no-nonsense look at what it takes to not just survive, but thrive, in the CMMC ecosystem as a trusted, profitable ESP or C3PAO.

Documentation Done Right: Building a Strong Foundation for CMMC Compliance

Wednesday, May 21st
Duration: 40 mins.
Speaker 1: Noel Vestal
Speaker 2: TBD
Speaker 3: TBD

When it comes to CMMC compliance, your policies, procedures, and documentation are your first—and often most critical—line of defense. But what does "good" actually look like? This session dives into the practical strategies and lessons learned from real-world assessments to help you build documentation that not only satisfies assessors but also supports your organization’s long-term success.

We’ll cover:

  • What Good Looks Like: The essential components of effective policies, procedures, and documentation that stand up to scrutiny.
  • Creating a Configuration Management Plan: Step-by-step guidance on assigning document numbers, establishing authorship, review and approval processes, and using CCBs to manage changes.
  • Lessons from the Field: Insights from over a dozen CMMC Level 2 assessments, including strategies for structuring evidence packages and creating clear, actionable control summaries.
  • Two Approaches to Content: Balancing complete, compliance-focused documentation that meets audit requirements with consumable, employee-friendly materials that guide day-to-day operations.
  • Sustainability in Documentation: How to build maintainable documents with refresh cycles that keep your compliance up to date without overwhelming your team.

Join a certified C3PAO assessor and a DIB company representative as they break down what works, what doesn’t, and how you can turn your documentation into a competitive advantage. Whether you’re just starting or fine-tuning your approach, this session will leave you with actionable steps to streamline your compliance journey.

Looking at CMMC through the lens of George Akerlof's classic "Market for Lemons" theory

Wednesday, May 21st
Duration: 40 mins.
Speaker 1: Terrence "Terry" McGraw
Speaker 2: TBD

In recent years, the cybersecurity industry has been characterized by what economists term as a "market for lemons," where the quality of security products and services often remains opaque to buyers, leading to a market dominated by potentially substandard offerings. This talk will explore how this asymmetric information problem in cybersecurity parallels George Akerlof's classic "Market for Lemons" theory, where buyers cannot discern the quality of products, leading to market failure.

We will discuss how the introduction of the Cybersecurity Maturity Model Certification (CMMC) program by the U.S. Department of Defense aims to address these issues by standardizing and verifying the cybersecurity practices of its contractors. The CMMC framework is designed to increase transparency and trust by certifying companies based on their cybersecurity maturity levels, thereby ensuring that those handling sensitive information meet certain security standards.

However, the sustainability of CMMC's effectiveness hinges on its own transparency and rigor. This presentation will analyze the challenges the CMMC must overcome to avoid becoming another "market for lemons" itself, including maintaining impartiality in assessments, ensuring assessor competence, and adapting to evolving cyber threats. We'll examine the potential pitfalls if these standards are not upheld and explore how continuous oversight, public scrutiny, and stakeholder engagement can safeguard the integrity of the CMMC process.

This talk will offer insights into how the cybersecurity landscape can evolve from a market of lemons into one where quality, trust, and transparency prevail, with CMMC potentially leading the way, provided it adheres to its foundational principles of high standards and transparency.

Talking CMMC: Strategies for Service Providers to Engage Contractors

Thursday, May 22nd
Duration: 40 mins.
Speaker 1: Chris Haigh
Speaker 2: TBD

Service providers play a pivotal role in helping contractors navigate the complexities of CMMC compliance, but the way you communicate about CMMC can make or break a client’s understanding and buy-in. This session focuses on how service providers can effectively frame the benefits of compliance while addressing the common concerns and opportunities that contractors face in the Defense Industrial Base (DIB).

We’ll cover:

  • Framing CMMC Positively: How to position CMMC compliance as an opportunity to enhance cybersecurity posture, win contracts, and safeguard critical data.
  • Talking Points That Resonate: Practical ways to explain why compliance is non-negotiable and the risks of non-compliance, including potential legal and financial repercussions.
  • Tailored Solutions: Strategies to present achievable pathways to compliance that align with a contractor’s resources, timeline, and business goals.
  • Building Trust Through Expertise: The importance of understanding the DoD’s evolving requirements, leveraging real-world examples, and acting as a trusted advisor in the compliance process.

This session equips service providers with actionable insights and conversation strategies to educate contractors on the value of CMMC, address objections, and guide them toward successful compliance outcomes.

VDI and CMMC: What Service Providers Need to Know Before Making a Recommendation

Thursday, May 22nd
Duration: 40 mins.
Speaker 1: Kenneth Benjamin
Speaker 2: TBD

For service providers, recommending Virtual Desktop Infrastructure (VDI) as part of a CMMC compliance strategy requires balancing security, cost, and user experience. In this session, we’ll explore how VDI can help centralize data and reduce compliance scope while addressing its potential challenges, including its impact on the end-user experience. You’ll learn how to evaluate whether VDI aligns with your clients’ needs and how to set realistic expectations for its implementation.

We’ll cover:

  • How VDI can enhance security and simplify compliance by centralizing control and securing endpoints.
  • The critical role of user experience in VDI adoption, including potential frustrations with performance, latency, and accessibility.
  • Practical guidance for designing and deploying VDI solutions that balance compliance requirements with usability.
  • Real-world examples of successful VDI implementations—and cautionary tales where poor user experience derailed projects.

By the end of this session, you’ll have the insights to help your clients make informed decisions about VDI, ensuring their compliance efforts succeed without compromising the user experience.

Simplifying CMMC for Large Organizations and Higher Education Institutions

Thursday, May 22nd
Duration: 40 mins.
Speaker 1: TBD
Speaker 2: TBD

Managing CMMC compliance is no small feat for large organizations and Higher Education Institutions (HEIs). With complex IT systems, diverse departments, and collaborations with third-party vendors, ensuring compliance can feel overwhelming. For HEIs, the challenge is compounded by siloed projects with separate budgets and leadership, many of whom lack the bandwidth or understanding to navigate CMMC requirements effectively. This session provides practical strategies to streamline the compliance process while addressing these unique hurdles.

We’ll cover:

  • Overcoming Siloed Operations: How to align separate projects, budgets, and leadership teams under a unified compliance strategy.
  • NIST SP 800-53 Integration: Simplifying the incorporation of these requirements into your compliance framework while maintaining flexibility for diverse projects.
  • Automation and Centralized Tools: Leveraging technology to reduce manual efforts, simplify documentation and reporting, and ensure consistency across departments and systems.
  • Tailored Solutions for HEIs: Strategies for educating leadership, managing grant and research compliance, and balancing academic freedom with security requirements.
  • Building Sustainable Practices: Developing a compliance system that minimizes risk, adapts to changing federal regulations, and works across disparate teams and budgets.

By the end of this session, you’ll have actionable insights to build a scalable, sustainable compliance system that addresses the specific challenges of your organization—whether you're a large enterprise or a Higher Education Institution.

CMMC Encryption: Protecting CUI in IT Systems While Meeting Mission-Critical Needs

Friday, May 23rd
Duration: 30 mins.
Speaker 1: TBD
Speaker 2: TBD

Encryption is a foundational requirement for protecting Controlled Unclassified Information (CUI) under CMMC and NIST 800-171, particularly through SC.L2-3.13.11, which mandates the use of FIPS 140-2 validated encryption. While this requirement enhances security, its implementation across diverse IT systems—such as data storage, communication channels, and authentication—can be complex. This session breaks down the essentials for achieving encryption compliance without compromising system functionality or business operations.

We’ll cover:

  • A comprehensive overview of FIPS 140-2 validated encryption and its role in CMMC compliance.
  • Best practices for implementing FIPS-compliant encryption across IT systems, including data at rest, data in transit, and key management.
  • How to address challenges such as compatibility, performance impact, and cost considerations when applying encryption standards.
  • Clarifying SC.L2-3.13.11’s scope and its application to critical IT assets, including Security Protection Data (SPD).
  • Practical steps to align encryption practices with business objectives and compliance mandates.

This session offers actionable insights to help you implement encryption across your IT landscape, ensuring compliance while strengthening your organization’s security posture.

Building a Compliant, Consumable, and Referenceable SRM/CRM for Service Providers

Friday, May 23rd
Duration: 30 mins.
Speaker 1: TBD
Speaker 2: TBD

Developing a Shared Responsibility Matrix (SRM) and Customer Responsibility Matrix (CRM) is more than a compliance exercise—it’s an opportunity to clarify roles and responsibilities in ways that contracts often fail to do. For service providers, these tools are essential for aligning expectations with clients, minimizing disputes, and ensuring seamless compliance with frameworks like CMMC and NIST 800-171.

We’ll cover:

  • Compliance Alignment: How to design SRM/CRM frameworks that meet regulatory requirements without unnecessary complexity.
  • Consumable Design: Structuring matrices to clearly define “who is responsible for what,” making them actionable and intuitive for both providers and clients.
  • Resolving Ambiguity: Using SRM/CRM tools to reduce points of contention by providing clarity that contracts often lack.
  • Referenceability: Organizing matrices as a reliable source of truth for audits, client discussions, and operational reviews.
  • Sustainability: Maintaining and updating matrices to reflect evolving responsibilities and compliance needs.

This session offers practical strategies for service providers to create SRM and CRM tools that drive clarity, foster stronger client relationships, and ensure compliance while avoiding costly misunderstandings.

Supporting Contractors Through POA&M Remediation: Roles, Timelines, and Certification Success

Friday, May 23rd
Duration: 30 mins.
Speaker 1: TBD
Speaker 2: TBD

For service providers, guiding contractors through Plan of Action and Milestones (POA&M) remediation is critical to achieving CMMC certification. This session provides actionable insights for managing the complexities of remediation, including understanding the distinct roles of RPOs and C3PAOs, setting realistic timelines, addressing enduring exceptions, and preparing for reassessments or appeals.

Key Topics:

  • Clarifying Roles: Understand the boundaries of C3PAO involvement and the hands-on remediation services RPOs can provide.
  • Effective Timelines: Strategies for helping contractors establish and manage remediation timelines to avoid delays.
  • Enduring Exceptions: Practical approaches to identify, document, and handle enduring exceptions while maintaining compliance.
  • Reassessment Readiness: Best practices for transitioning from remediation to reassessment, whether with the same or a different C3PAO.
  • Appeals Support: Guidance on assisting contractors with gathering evidence and navigating the appeals process for unfavorable findings.

This session equips service providers with the tools and strategies needed to ensure contractors successfully remediate POA&Ms, address enduring exceptions, and stay on track for certification.
