Agenda

All times are in Eastern Time (ET).

Welcome Reception: May 5

  1. 17:00 - 19:00 PM

    CS2 Welcome Reception – Sponsored by AvePoint & Summit 7

    Kick off CS2 with an evening of networking, great food, and drinks at the CS2 Welcome Reception, sponsored by AvePoint and Summit 7. Mingle with fellow attendees, get a head start on conversations, and take advantage of early check-in to pick up your badge and avoid the registration lines on May 6. Don’t miss this opportunity to connect before the main event!

Day One: May 6

  1. 08:00 - 09:00AM Check-In Open

    Networking Breakfast

  2. 09:00 - 10:00AM Main Session One

    Can I Pet that DOGE? Making the CMMC Assessment Guide More Efficient

    The verification procedures in NIST Special Publication 800-171A are a double-edged sword. On one hand they tell you exactly what questions will be asked during your assessment. On the other hand they are repetitive, redundant, and difficult to read. Unfortunately, the CMMC program is directly "aligned" to NIST standards so the Department of Defense has little room to edit the contents of SP 800-171 and SP 800-171A. There is a way forward. This presentation will showcase a method for reformatting the contents of the CMMC assessment guide to make it shorter, more understandable, and much easier to use - all without changing the substance of the NIST requirements at all. The government may never adopt this approach, but you'll get access to the proof of concept formatting for your own use on your CMMC journey.
    • Jacob Horne, Chief Cybersecurity Evangelist, Summit 7
  3. 10:15 - 11:15AM Main Session Two

    TBA

  4. 11:30 - 12:30PM Main Session Three

    CUI Hotline LIVE - Unfiltered. Unscripted.

    Every Friday, the CUI Hotline goes live to answer the toughest questions about CMMC, DFARS, NIST, and CUI—the acronyms everyone loves to hate. This time, instead of answering questions from behind a screen, we are bringing the conversation to CS2 for a live, in-person session. No scripts, no canned responses—just real discussions about the compliance and security challenges facing the Defense Industrial Base. Whether you're dealing with regulations, struggling with implementation, or just looking for clarity, this is your chance to ask questions and get straight answers from industry experts. Bring your questions and join the conversation—the CUI Hotline is live at CS2.
    • Jacob Horne, Chief Cybersecurity Evangelist, Summit 7
    • Ryan Bonner, CEO, DEFCERT
    • Daniel Akridge, Director of Engagement, Summit 7
    • Scott Edwards, CEO, Summit 7

  5. 12:30PM

    Networking and Lunch

  6. 14:00 - 15:00PM Executive Breakout One

    Staying Competitive: What Prime Contractors Expect from Their Supply Chain

    As the defense industry transforms under CMMC, large prime contractors are setting the pace for early adoption and supply chain security. Their decisions on Controlled Unclassified Information (CUI) flow, certification timelines, and subcontractor expectations will define the path forward for thousands of suppliers. In this panel, key leaders from aerospace, defense, and critical infrastructure sectors share their perspectives on the compliance landscape, the real-world challenges of securing the supply chain, and what they expect from subcontractors moving forward. Whether you're a small business or a mid-tier supplier, understanding how primes are approaching CMMC is crucial to staying competitive in the defense ecosystem.
    • Scott Edwards, CEO, Summit 7
    • Matthew Ramsey, CIO, BlueHalo
    • John Kronick, Chief Information Security Officer, Tutor Perini
    • Matt Reynolds, Chief Information Officer, The Marvin Group

  7. 14:00 - 15:00PM Technical Breakout One

    Pentest Diaries: The Most Common Configuration Baseline Mistakes That Are Exposing the DIB

    The penetration testing team at PKF O’Connor Davies has years of experience conducting offensive security operations in cooperation with the defense industrial base. During these tests, we find ourselves abusing the same security weaknesses over and over again, many of which stem from weak security configurations rather than vulnerable software. During this talk, PKFOD’s red team lead will outline the top 5 configuration weaknesses that are putting your organization at risk. We will be diving deep into a subset of NIST SP 800-171 configuration management security controls to outline ways the defense industrial base can prevent the most common hacker tactics, techniques, and procedures, while also demonstrating compliance with NIST and CMMC requirements.
    • Scott Goodwin, Principal – Cybersecurity & Privacy Advisor, PKF O’Connor Davies Advisory, LLC

  8. 15:15 - 16:15PM Executive Breakout Two

    CMMC Enclaves by Industry

    Creating a CMMC enclave is a proven strategy for achieving compliance while minimizing disruption to an organization’s broader IT environment. However, the best approach to designing and managing an enclave depends heavily on the industry. A solution that works seamlessly for a manufacturing company may pose significant challenges for a university conducting regulated research or an AEC firm handling controlled design data. With varying needs in security, accessibility, and cost, how can organizations determine the right approach?

    This session will explore the unique enclave considerations for manufacturing, regulated research (higher education), and architectural, engineering, and construction (AEC) industries. We’ll discuss the pros and cons of different deployment models, share lessons learned from real-world implementations, and provide actionable insights to help organizations make informed decisions about their compliance strategy.
    • Daniel Akridge, Director of Engagement, Summit 7

  9. 15:15 - 16:15PM Technical Breakout Two

    How to Eliminate CUI From Your Supply Chain

    CMMC creates certification requirements that flow down to your suppliers. But many subcontractors are nowhere close to achieving a CMMC Level 2 certification. How can defense contractors continue to perform in a reality where critical suppliers won't be certified in time to receive future awards? We'll discuss a multidisciplinary approach that will reduce or eliminate Controlled Unclassified Information (CUI) from supplier relationships, reclaim indirect costs, and preserve supply chains during this period of consolidation in the defense industrial base.
    • Ryan Bonner, CEO, DEFCERT

  10. 16:30 - 17:30 Technical Breakout Two

    CS2 Happy Hour - Sponsored by Carahsoft

    Wrap up Day 1 of CS2 with a drink and networking at the CS2 Happy Hour, sponsored by Carahsoft. Join us to connect with sponsors, engage with fellow attendees, and unwind after a day of insightful sessions. This is the perfect opportunity to continue discussions, build relationships, and gear up for Day 2!

Day Two: May 7

  1. 08:00 - 09:00AM Check-In Open

    Networking Breakfast

  2. 09:00 - 10:00AM Main Session One

    TBA

  3. 10:15 - 11:15AM Main Session Two

    I've Got a GAP in my CAP

    If you were privy to the original version 1.0 of the “draft” CMMC Assessment Process (CAP) document, then you likely agree that version 2.0 released by the Cyber AB in December 2024 is a huge improvement.  After all, the CAP is the authoritative document followed by all C3PAOs in conducting a CMMC Assessment for OSAs, and success (or failure) can be found in the detailed guidance.

    There are a few areas that were left open to interpretation, however, and those gaps in guidance have been tricky for the C3PAO assessors to navigate. In this session, we will sit down with three of the leading C3PAO firms to talk through how they have been addressing things like:
    • Assessing ESPs (External Service Providers) who by and large do not process, store or transmit CUI, but provide the capability to do so on behalf of their customers
    • What a “lower burden of proof” looks like when reviewing evidence from an OSA who is using a CMMC L2 Assessment Certified ESP for some portion of their control implementation
    • What type of Not Met control implementation would be considered unacceptable for the OSA to fix in the 10-day window following the active assessment period, if any?
    • How difficult is the review of FedRAMP Moderate Equivalent evidence packages?

    Are all C3PAOs doing the same thing?  Is there a common understanding and expectation, or is each assessment team doing it their own way?  Let’s find out in this lively and informative discussion between our panel of experts.
    • Joy Beland, VP of Cybersecurity Compliance, Summit 7
    • Fernando Machado, Managing Principal and Chief Information Security Officer, Cybersec Investments
    • Matt Bruggeman, Director of Federal Sales, A-LIGN
    • Logan Therrien, Operations Manager, Kieri Solutions

  4. 11:30 - 12:30PM Main Session Three

    Certified: Real Stories from Defense Contractors Who Achieved Compliance

    Defense contractors across the industry are working toward CMMC compliance to secure their place in the Defense Industrial Base. But passing an assessment isn’t always straightforward. Organizations face challenges in understanding requirements, implementing the right security measures, and navigating the assessment process. With impending DoD requirements and urgent expectations from prime contractors, how can businesses ensure they are on the right track?

    Hear directly from defense contractors who have successfully met compliance standards, passed assessments, and strengthened their cybersecurity posture. Panelists will share their real-world experiences, key challenges, and lessons learned to help others on the same journey. This discussion will offer a candid look at what worked, what didn’t, and what companies wish they had known before starting the process. Attendees will gain practical takeaways to apply in their own compliance efforts.
    • Jana Abbott, Director of Sales, Summit 7
    • Inna Robinson, Cybersecurity Operations Manager, HDR
    • Andrew Geppert, Cybersecurity Compliance Manager, HDR
    • Craig Hartburg, Managing Director, Cayuse Government Operations, LLC

  5. 12:30PM

    Networking and Lunch

  6. 14:00 - 15:00PM Executive Breakout One

    Evolving ESPs: Like Buc-ee’s but for CMMC

    To meet the growing demands of defense contractors facing CMMC, External Service Providers (ESPs) have transformed significantly. As clients become more aware of CMMC requirements, their needs have grown, prompting ESPs to evolve their service offerings to eliminate deficiencies. Each phase of this transformation represents a shift in compliance roles and responsibilities, increasing the shared responsibility in achieving and maintaining certification. This presentation will explore Summit 7's evolution in supporting clients from contract to compliance and what's next in our journey.
    • Jason Sproesser, Director of Product Management, Compliance Services, Summit 7

  7. 14:00 - 15:00PM Technical Breakout One

    Unveiling Azure Government Secret – A Secure Cloud Solution for Classified Workloads

    The DIB is under increasing pressure to modernize IT infrastructure while maintaining the highest levels of security and compliance for classified workloads. Traditional on-premises solutions and SCIF-based data storage come with high costs, scalability challenges, and complex maintenance requirements. At the same time, shifting classified workloads to the cloud raises questions about security, compliance, and seamless access while meeting DoD Impact Level 6 (IL6) standards.

    This session will break down Azure Government Secret, Microsoft’s secure cloud platform built to handle classified workloads at IL6. The discussion will cover what Azure Government Secret is, how organizations can gain access, key integration considerations, available services, and real-world applications. Deployment timelines and best practices will also be explored, providing a clear picture of how defense contractors and government partners can take advantage of this secure cloud environment while staying ahead of evolving cybersecurity requirements.
    • Richard Wakeman, Chief Architect, Microsoft
    • Shane Shipley, Director of Cleared Cloud, Summit 7

  8. 15:15 - 16:15PM Executive Breakout Two

    TBA

  9. 15:15 - 16:15PM Technical Breakout Two

    TBA