Skip to content
CS2 Full Logo White-1

CMMC Industry Days and Modern Information Security Topics

July 26-27, 2022

Washington D.C.


About CS2 Washington D.C.

The Cloud Security and Compliance Series (CS2) is strictly for government contractors and those in higher education research institutions looking to meet cybersecurity regulations, address security threats, and glean best practices for their cloud investments.
Areas of focus for CS2 events include, but are not limited to
  • CMMC 2.0
  • NIST 800-171
  • The DFARS 70 Series (7012, 7019, 7020)
  • ITAR regulations
  • Handling CUI and FCI
  • And much more

Cloud Security and Compliance Series events are specifically curated towards aerospace and defense contractors and those in higher education institutions looking for practical approaches to address security threats, invest in the culture of cybersecurity for their organization, and glean best practices for their cloud investments.


(In-Person and Virtual Attendance)


  See The Venue


The Speakers






Director of CMMC, OSD DOD CIO


Acting Manager, Security Engineering & Risk Management Group, NIST


Chief Strategy Officer at PW Communications


CEO, Summit 7


Chief Cybersecurity Evangelist, Summit 7


Quzara Co-Founder


Vice Chair C3PAO Stakeholder Forum, President of Kieri Solutions


Government Contracts & Global Trade Practice


Chief Information Officer (CIO), BLUEHALO




Commander at United States Cyber Command


Litigation Partner & Chair of International Trade and Global Security Practice at Hinckley Allen




Senior Cybersecurity Consultant/Instructor, Edwards Performance Solutions

The Agenda

General and breakout sessions for two days.

Day One

0800 - 0845: Registration

0845 - 0900: Opening Remarks

COL Candice Frost

0900 - 1000: Insight on DCMA/DIBCAC Findings

Nick DelRosso

Insights from multiple DIBCAC assessments to include unique challenges facing both large and small contractors.

1015 - 1115: Cyber Insurance, NIST SP 800-171, and CMMC 2.0

Robert Metzger

Cyber insurance is for enterprise protection. CMMC is for DoD compliance. Insurers are becoming increasingly rigorous in the “due diligence” they conduct of companies before they write cyber insurance. Coverage prices are going up, limits are coming down, and exclusions are increasing. Some companies are finding they can’t afford the coverage offered, while others can’t get coverage at all. This session will explore what companies can do to preserve the insurance they have, demonstrate security that insurers now are likely to expect or demand, while fitting these near-term actions into the measures and plans of action that will prepare for CMMC assessment and certification requirements. The objective is to align actions taken now to get and keep cyber insurance coverage with parallel actions for CMMC readiness.

1130 - 1230: A Predictable Surprise: The CMMC 2.0 Final Rule

Jacob Horne

Over 850 public comments were submitted to the 2020 CMMC interim final rule. We analyzed them all. There is nothing in the criticisms of the CMMC program that has not been thoroughly addressed in previous DFARS cybersecurity rulemaking. As a result, we don’t have to wait for the CMMC final rule to know what the rule will say on controversial topics like the cost of compliance; regulation as a barrier to entry; or the impact of DFARS requirements on small businesses. This talk will show these issues transcend the current “era” of DFARS cybersecurity rulemaking and that the DoD is unlikely to fundamentally change their policy positions in the upcoming CMMC final rule.

1230 - 1400: Networking and Lunch


1400 - 1500: Technical Breakout
Threats and Adversaries to the DIB: A Defender's Perspective

Saif Rahman

Year after year the defense industrial base is pummeled by cyber threat actors developing and exploiting new security vulnerabilities. To make matters worse, increasing regulatory requirements for incident reporting drive compliance-focused solutions that often make breach mitigation more expensive than it needs to be. This session explores the perspective of cyber defenders operating a modern Security Operations Center utilizing Microsoft Azure and what DoD contractors need to know to be successful with SOC-as-a-service solutions.

1400 - 1500: Executive Breakout
DOJ and Cyber Fraud: Costs of Non-Compliance

B. Stephanie Siegmann

What is the likelihood that DOJ will target small and mid-sized DoD suppliers under DOJ’s new Civil Cyber-Fraud Initiative? Hear from B. Stephanie Siegmann, a former National Security Chief and experienced trial attorney, about DOJ’s new initiative, its renewed emphasis on corporate crime, and its intention to aggressively use the False Claims Act to bring cyber-related claims against government contractors. Stephanie will provide her perspective on two recent settlements involving Comprehensive Health Services LLC and Aerojet Rocketdyne Holdings, Inc., the increased scrutiny of contractor cybersecurity compliance, and how to avoid becoming the next DOJ target.

1515 - 1615: Technical Breakout
CMMC 2.0 Inheritance: Proving Your Cloud is Protecting CUI

Amira Armond

After a year of hard work, you finally finished all your compliance preps and you reached out to an assessment company to schedule.  The first form they send you asks, “Do you have System Security Plans, Customer Responsibility Matrixes, and/or third party audit reports for EACH of your cloud vendors?”  Why is this so important that a C3PAO asks about it before they accept you as an assessment client?   It turns out those documents (evidence of inheritance) are often more important to your assessment than your own System Security Plan. This talk will explain why inheritance is important, what counts as evidence, and how assessors review it.  It also discusses the way forward for small service providers that support DIB clients.

1515 - 1615: Executive Breakout
Analyzing the Composition of the DoD Small Business Industrial Base

Amanda Bresler

The Department of Defense (DOD) spends billions of dollars annually funding innovation programs, rapid acquisition programs and small business set-aside programs that have the stated purpose of attracting innovative companies into the defense industrial base and leveling the playing field for small and nontraditional businesses in the defense market. Yet in spite of these initiatives, the number of small and innovative/nontraditional businesses contracting with the DOD continues to decline every year. Why have these initiatives failed to achieve their stated objectives? This talk focuses on the underlying issues that keep small and innovative/nontraditional companies from succeeding in the defense market and offers a series of recommendations for how the DOD, and other government agencies, can better structure and measure their programs to make the public sector more opportune for the best and brightest companies.

Day Two

0900 - 1000: NIST SP 800-171 Rev 3 Update

Victoria Pilliterri

Originally released in 2015, NIST Special Publication (SP) 800-171 started a series of publications that is now used to protect the confidentiality of federal controlled unclassified information. Since the original publication of SP 800-171 and subsequent supporting guidance on conducting security requirement assessments and the enhanced security requirements, there have been significant changes in the cybersecurity risk landscape, cybersecurity capabilities, technologies, and resources to manage the risk. As NIST prepares to update the SP 800-171 series of publications, gathering feedback on the use, effectiveness, adequacy, and ongoing opportunities for improvement is critical. Learn more about the about the NIST Pre-Draft Call for Comments on the SP 800-171 series, share your feedback and lessons learned with NIST, and get engaged as we begin this update process.

1015 - 1115: Perspectives From a Former KO

Andriani Buck and Jacob Horne

No government position is as fundamental to DFARS cybersecurity compliance than the contract officer. Perhaps no position is as misunderstood either. DoD contractors are constantly told to “ask the customer” for clarity and guidance on everything from specific security requirements to whether data should be designated as Controlled Unclassified Information. Is the contractor officer really the one pulling the strings or are they trapped in the middle with everyone else? This Q&A forum features a former DoD contract officer who will explain what it’s like to navigate the maze of cybersecurity requirements from the other side.

1130 - 1230: Mergers and Acquisitions In The DIB

Scott Edwards, Matt Ramsey, Alex Trafton

The Defense Industrial Base will experience significant consolidation as a result of increased cybersecurity regulation. But what does that mean for DoD contractors who find themselves exiting the DIB via a merger or acquisition? What do large firms look for in the cybersecurity posture of acquisition targets and how does it ultimately affect the value of a firm? This panel discussion will explore the macro factors at play driving consolidation in the sub-tiers of the DoD supply chain and what that means in the context of real-world deals.

1230 - 1400: Networking and Lunch


1400 - 1500: Technical Breakout
Enclaves and CMMC 2.0 Compliance

Daniel Akridge

Nearly every company considers a cloud enclave solution when preparing for CMMC. However, most companies decide on a solution before they fully understand the nature of the problem they are trying to solve. Cloud enclaves work wonders for companies that can contain their Controlled Unclassified Information (CUI) within an enclave. Unfortunately, CUI data flows tend to closely follow business data flows. As a result, most companies dramatically under-scope and underfund their cloud and on-premises environments while simultaneously setting themselves up for failure during a CMMC assessment. This talk will explain what DoD contractors need to know to be successful with cloud enclave solutions in CMMC environments.

1400 - 1500: CMMC 2.0 Update

Stacy Bostjanick

A quick status update for CMMC 2.0 and where we stand with regards to the overall program.

1515 - 1615: Technical Breakout
Beyond Compliance: The Microsoft Security Suite

Richard Wakeman

Passing a CMMC or DIBCAC assessment is laser focused on compliance to meet cybersecurity requirements. However, the underlying intent is to secure your information systems. As cyber attacks are becoming more frequent and sophisticated, Microsoft is on the front lines with a boundless responsibility to protect customers. Microsoft is the largest security vendor in the world, investing billions in security and compliance solutions including the Microsoft 365 suite of products that provide baselines for security while also accelerating you to CMMC compliance. However, the Microsoft security suite is a product and service soup. This talk will give a high-level overview of the security suite and help demystify how to secure your environment and what services map to CMMC practices for holistic compliance.

1515 - 1615: Executive Breakout
CMMC 2.0 Assessment Process Guide (CAP)

Joy Beland

InterContinental Washington D.C. – Perfectly placed on the beautiful Potomac River, InterContinental Washington D.C. – The Wharf enjoys the most incredible waterfront views of D.C. Steps away from America’s political epicenter, the hotel embraces guests with an exquisitely curated resort destination that reignites the river’s edge.

CS2 Attendee Testimonials

"For anyone in the CMMC ecosystem, I highly recommend attending the CS2 conferences. The team at Summit7 does a great job finding speakers with diverse backgrounds who present a wide variety of topics that you wouldn’t usually hear on your average webinar. I attended both the Austin and San Diego events and found tremendous value in the content. In addition, the opportunity to network and build relationships with individuals working to achieve similar goals was invaluable."

Landon C.

"All CMMC webinars should just be held to the CS2 event standard, be equal or better otherwise it's not worth attending."

Matthew H.

CS2 DC Registration Includes:

Access to industry thought leaders (in-person)

Post-event access to session recordings and presenter slides

Live Q&A with all session speakers

Networking opportunities with other IT professionals and decision-makers (in-person)

Exclusive industry updates regarding DoD rulemaking

Special coffee beverages, event-day lunches, and special food options (in-person)

Event Sponsors


What to Expect