CMMC Industry Days and Modern Information Security Topics
July 26-27, 2022
Washington D.C.
About CS2 Washington D.C.
- CMMC 2.0
- NIST 800-171
- The DFARS 70 Series (7012, 7019, 7020)
- ITAR regulations
- Handling CUI and FCI
- And much more
Cloud Security and Compliance Series events are specifically curated towards aerospace and defense contractors and those in higher education institutions looking for practical approaches to address security threats, invest in the culture of cybersecurity for their organization, and glean best practices for their cloud investments.
HYBRID EVENT
(In-Person and Virtual Attendance)
The Speakers
RICHARD WAKEMAN
Chief Architect - Aerospace & Defense at Microsoft
ROBERT METZGER
MITRE Consultant, Co-Author of 'Deliver Uncompromised,' Renowned Attorney
STACY BOSTJANICK
Director of CMMC, OSD DoD CIO
VICTORIA PILLITTERI
Acting Manager, Security Engineering & Risk Management Group, NIST
AMANDA BRESLER
Chief Strategy Officer at PW Communications
SCOTT EDWARDS
CEO, Summit 7
JACOB HORNE
Chief Cybersecurity Evangelist, Summit 7
SAIF RAHMAN
Co-Founder, Quzara
AMIRA ARMOND
Vice Chair, C3PAO Stakeholder Forum; President of Kieri Solutions
ANDRIANI BUCK
Government Contracts & Global Trade Practice
MATTHEW RAMSEY
Chief Information Officer (CIO), BlueHalo
ALEX TRAFTON
Senior Director, Ankura
COL CANDICE FROST
Commander at United States Cyber Command
B. STEPHANIE SIEGMANN
Litigation Partner & Chair of International Trade and Global Security Practice at Hinckley Allen
DANIEL AKRIDGE
Senior Client Engagement Manager at Summit 7
JOY BELAND
Senior Cybersecurity Consultant/Instructor, Edwards Performance Solutions
Day One
0800 - 0845: Registration
0845 - 0900: Opening Remarks
COL Candice Frost
0900 - 1000: Insight on DCMA/DIBCAC Findings
Nick DelRosso
Insights from multiple DIBCAC assessments to include unique challenges facing both large and small contractors.
1015 - 1115: Cyber Insurance, NIST SP 800-171, and CMMC 2.0
Robert Metzger
Cyber insurance is for enterprise protection. CMMC is for DoD compliance. Insurers are becoming increasingly rigorous in the “due diligence” they conduct of companies before they write cyber insurance. Coverage prices are going up, limits are coming down, and exclusions are increasing. Some companies are finding they can’t afford the coverage offered, while others can’t get coverage at all. This session will explore what companies can do to preserve the insurance they have, demonstrate security that insurers now are likely to expect or demand, while fitting these near-term actions into the measures and plans of action that will prepare for CMMC assessment and certification requirements. The objective is to align actions taken now to get and keep cyber insurance coverage with parallel actions for CMMC readiness.
1130 - 1230: A Predictable Surprise: The CMMC 2.0 Final Rule
Jacob Horne
Over 850 public comments were submitted to the 2020 CMMC interim final rule. We analyzed them all. There is nothing in the criticisms of the CMMC program that has not been thoroughly addressed in previous DFARS cybersecurity rulemaking. As a result, we don’t have to wait for the CMMC final rule to know what the rule will say on controversial topics like the cost of compliance; regulation as a barrier to entry; or the impact of DFARS requirements on small businesses. This talk will show these issues transcend the current “era” of DFARS cybersecurity rulemaking and that the DoD is unlikely to fundamentally change their policy positions in the upcoming CMMC final rule.
1230 - 1400: Networking and Lunch
1400 - 1500: Technical Breakout
Threats and Adversaries to the DIB: A Defender's Perspective
Saif Rahman
Year after year the defense industrial base is pummeled by cyber threat actors developing and exploiting new security vulnerabilities. To make matters worse, increasing regulatory requirements for incident reporting drive compliance-focused solutions that often make breach mitigation more expensive than it needs to be. This session explores the perspective of cyber defenders operating a modern Security Operations Center utilizing Microsoft Azure and what DoD contractors need to know to be successful with SOC-as-a-service solutions.
1400 - 1500: Executive Breakout
DOJ and Cyber Fraud: Costs of Non-Compliance
B. Stephanie Siegmann
What is the likelihood that DOJ will target small and mid-sized DoD suppliers under DOJ’s new Civil Cyber-Fraud Initiative? Hear from B. Stephanie Siegmann, a former National Security Chief and experienced trial attorney, about DOJ’s new initiative, its renewed emphasis on corporate crime, and its intention to aggressively use the False Claims Act to bring cyber-related claims against government contractors. Stephanie will provide her perspective on two recent settlements involving Comprehensive Health Services LLC and Aerojet Rocketdyne Holdings, Inc., the increased scrutiny of contractor cybersecurity compliance, and how to avoid becoming the next DOJ target.
1515 - 1615: Technical Breakout
CMMC 2.0 Inheritance: Proving Your Cloud is Protecting CUI
Amira Armond
After a year of hard work, you finally finished all your compliance preps and you reached out to an assessment company to schedule. The first form they send you asks, “Do you have System Security Plans, Customer Responsibility Matrixes, and/or third party audit reports for EACH of your cloud vendors?” Why is this so important that a C3PAO asks about it before they accept you as an assessment client? It turns out those documents (evidence of inheritance) are often more important to your assessment than your own System Security Plan. This talk will explain why inheritance is important, what counts as evidence, and how assessors review it. It also discusses the way forward for small service providers that support DIB clients.
1515 - 1615: Executive Breakout
Analyzing the Composition of the DoD Small Business Industrial Base
Amanda Bresler
The Department of Defense (DOD) spends billions of dollars annually funding innovation programs, rapid acquisition programs and small business set-aside programs that have the stated purpose of attracting innovative companies into the defense industrial base and leveling the playing field for small and nontraditional businesses in the defense market. Yet in spite of these initiatives, the number of small and innovative/nontraditional businesses contracting with the DOD continues to decline every year. Why have these initiatives failed to achieve their stated objectives? This talk focuses on the underlying issues that keep small and innovative/nontraditional companies from succeeding in the defense market and offers a series of recommendations for how the DOD, and other government agencies, can better structure and measure their programs to make the public sector more opportune for the best and brightest companies.
Day Two
0900 - 1000: NIST SP 800-171 Rev 3 Update
Victoria Pillitteri
Originally released in 2015, NIST Special Publication (SP) 800-171 started a series of publications that is now used to protect the confidentiality of federal controlled unclassified information. Since the original publication of SP 800-171 and the subsequent supporting guidance on conducting security requirement assessments and on the enhanced security requirements, there have been significant changes in the cybersecurity risk landscape, cybersecurity capabilities, technologies, and resources to manage the risk. As NIST prepares to update the SP 800-171 series of publications, gathering feedback on the use, effectiveness, adequacy, and ongoing opportunities for improvement is critical. Learn more about the NIST Pre-Draft Call for Comments on the SP 800-171 series, share your feedback and lessons learned with NIST, and get engaged as we begin this update process.
1015 - 1115: Perspectives From a Former KO
Andriani Buck and Jacob Horne
No government position is as fundamental to DFARS cybersecurity compliance as the contracting officer. Perhaps no position is as misunderstood either. DoD contractors are constantly told to “ask the customer” for clarity and guidance on everything from specific security requirements to whether data should be designated as Controlled Unclassified Information. Is the contracting officer really the one pulling the strings, or are they trapped in the middle with everyone else? This Q&A forum features a former DoD contracting officer who will explain what it’s like to navigate the maze of cybersecurity requirements from the other side.
1130 - 1230: Mergers and Acquisitions In The DIB
Scott Edwards, Matt Ramsey, Alex Trafton
The Defense Industrial Base will experience significant consolidation as a result of increased cybersecurity regulation. But what does that mean for DoD contractors who find themselves exiting the DIB via a merger or acquisition? What do large firms look for in the cybersecurity posture of acquisition targets and how does it ultimately affect the value of a firm? This panel discussion will explore the macro factors at play driving consolidation in the sub-tiers of the DoD supply chain and what that means in the context of real-world deals.
1230 - 1400: Networking and Lunch
1400 - 1500: Technical Breakout
Enclaves and CMMC 2.0 Compliance
Daniel Akridge
Nearly every company considers a cloud enclave solution when preparing for CMMC. However, most companies decide on a solution before they fully understand the nature of the problem they are trying to solve. Cloud enclaves work wonders for companies that can contain their Controlled Unclassified Information (CUI) within an enclave. Unfortunately, CUI data flows tend to closely follow business data flows. As a result, most companies dramatically under-scope and underfund their cloud and on-premises environments while simultaneously setting themselves up for failure during a CMMC assessment. This talk will explain what DoD contractors need to know to be successful with cloud enclave solutions in CMMC environments.
1400 - 1500: CMMC 2.0 Update
Stacy Bostjanick
A quick status update for CMMC 2.0 and where we stand with regards to the overall program.
1515 - 1615: Technical Breakout
Beyond Compliance: The Microsoft Security Suite
Richard Wakeman
Passing a CMMC or DIBCAC assessment is laser focused on compliance to meet cybersecurity requirements. However, the underlying intent is to secure your information systems. As cyber attacks are becoming more frequent and sophisticated, Microsoft is on the front lines with a boundless responsibility to protect customers. Microsoft is the largest security vendor in the world, investing billions in security and compliance solutions including the Microsoft 365 suite of products that provide baselines for security while also accelerating you to CMMC compliance. However, the Microsoft security suite is a product and service soup. This talk will give a high-level overview of the security suite and help demystify how to secure your environment and what services map to CMMC practices for holistic compliance.
1515 - 1615: Executive Breakout
CMMC 2.0 Assessment Process Guide (CAP)
Joy Beland
InterContinental Washington D.C. – Perfectly placed on the beautiful Potomac River, InterContinental Washington D.C. – The Wharf enjoys the most incredible waterfront views of D.C. Steps away from America’s political epicenter, the hotel embraces guests with an exquisitely curated resort destination that reignites the river’s edge.
"For anyone in the CMMC ecosystem, I highly recommend attending the CS2 conferences. The team at Summit7 does a great job finding speakers with diverse backgrounds who present a wide variety of topics that you wouldn’t usually hear on your average webinar. I attended both the Austin and San Diego events and found tremendous value in the content. In addition, the opportunity to network and build relationships with individuals working to achieve similar goals was invaluable."
Landon C.
ISSM, INTEGRATED DATA SERVICES
"All CMMC webinars should just be held to the CS2 event standard, be equal or better otherwise it's not worth attending."
Matthew H.
IT MANAGER, LATITUDE CORP
CS2 DC Registration Includes:
- Access to industry thought leaders (in-person)
- Post-event access to session recordings and presenter slides
- Live Q&A with all session speakers
- Networking opportunities with other IT professionals and decision-makers (in-person)
- Exclusive industry updates regarding DoD rulemaking
- Special coffee beverages, event-day lunches, and special food options (in-person)