8:15 a.m. - 8:30 a.m. EDT Welcome and Orientation

LTG Bob Wood, USA (Ret.)
Executive Vice President
AFCEA International

Mark Emery
AFCEA Homeland Security Committee

8:30 a.m. - 9:00 a.m. EDT

Keynote Address

SIGNAL Coverage - "CMMC Measures Should Be Applied Early"

Katie Arrington
Chief Information Security Officer
Office of the Under Secretary of Defense for Acquisition and Sustainment

9:15 a.m. - 10:15 a.m. EDT

Panel Session: "What is Driving CMMC?"

SIGNAL Coverage - "Connections Are Key to Making CMMC Work"

DoD is rolling out one of the most far-reaching acquisition regulations/requirements in decades.  CMMC will promulgate untold changes in the ways DoD manages the defense industrial base by requiring third-party certification of operational practices – not just accounting practices.  Contracts covered by the FAR also require minimal cyber hygiene practices; third-party certification of the companies awarded these contracts may also be in the future.  CMMC and its offspring could be one of the most impactful efforts to secure the Homeland.
Focus Questions:
  • CMMC, why now?
  • Will civilian agencies adopt a certification regime similar to CMMC?  Will industry be regulated under one, or two (or more) sets of standards?
  • How will DoD and DHS use NIST to rationalize the FCI and CUI protection requirements? (Federal Contract Information and Controlled but Unclassified Information)
  • DoD will allow companies to include CMMC costs in their approved overheads; will civilian agencies do likewise?
  • Why not just add this whole thing to the FedRamp program?
  • It has been shown over and over again that static compliance programs do not protect networks or data; what makes CMMC different?  Why not use an outcome-based approach, with Continuous Cyber Defense Monitoring in place?

Katie Arrington, Chief Information Security Officer, Office of the Under Secretary of Defense for Acquisition and Sustainment

Robert Hanson, Senior Cybersecurity Advisor, CISA, Department of Homeland Security
Ty Schieber, Chair, CMMC Accreditation Body

10:45 a.m. - 12:00 p.m. EDT

Keynote Fireside

SIGNAL Coverage - "CMMC Takes Aim at Supply Chain Security"

Katie Arrington, Chief Information Security Officer, Office of the Under Secretary of Defense for Acquisition and Sustainment

Dwight Deneal, Director, Office of Small Business Programs, Defense Logistics Agency 
RADM Michael Johnston, USCG, Assistant Commandant for Acquisition and Chief Acquisition Officer, U.S. Coast Guard 
Bob Kolasky, Director, National Risk Management Center, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security 



Recorded Sessions

Recorded Session

Panel Session: "Common Concerns and Perspectives on CMMC"

SIGNAL Coverage - "A Methodical Approach Works Best for Implementing CMMC"

DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.
This panel will address the Common Concerns and Perspectives with the CMMC framework implementation. This will address contractual, technical and fiscal challenges from the perspective of those enforcing and implementing the requirements.
Focus Questions:
  • The initial implementation of the CMMC is for DoD. What is the potential for broader role for this model beyond DoD?
  • Will all companies conducting business with the DoD, including subcontractors, require certification & by when?
  • How will CMMC measure the maturity of my company’s institutionalization of cybersecurity practices and processes?
  • How to pick a third-party auditor?
  • How will CMMC be evaluated in RFPs/ RFQs?
  • When may certain “higher level assessments” be conducted by government assessors?
  • The anticipated three-year certification cycle follows an older term-based compliance model, while continuous assessment is becoming the norm. Will there be a continuous compliance model in the future?
  • Other than certification term limits, what will trigger the requirement for re-certification?
  • Will the cost of certification be considered an allowable/ reimbursable cost?

Terry Roberts, President & CEO, Whitehawk CEC

Kelley Artz, Technical Expert, Supply Chain Risk Management, General Services Administration
Chris Cummiskey, Senior Fellow, Hume Center for National Security and Technology
Janey Nodeen, President, Burke Consortium, Inc.
Mike Raeder, Deputy Chief Information Security Officer, Director Information Security, Northrop Grumman

Recorded Session

Panel Session: "How I Implemented 800.171 and Survived"

Approved for 1 GIAC CPE
As industry forms compliance strategies for upcoming CMMC deadlines in 2020, we reflect on 2017-2019 by looking back to how some organizations successfully implemented – or helped to implement – NIST 800-171 and DFARS 204.73 compliance. Join us as our panel discusses successes, quick wins, challenges, and lessons learned from their compliance journey, and how this group is prepared for a smooth CMMC path.

Focus Questions:

  • How do we view the similarities and differences between CMMC and DFARS?
  • CMMC is a new line item on the budget. Do we consider this an expense or an investment? Do we expect any ROI?
  • This panel is, arguably, the most optimistic of implementing CMMC. What do we say to others who have concerns over implementation?
  • CMMI, ISO 9001, and other certifications are, technically, optional. CMMC will not be. How do you view this? As an opportunity? A hindrance?
  • Is there (or can there be) any synergy between CMMC and CMMI/ISO internal processes?
  • The entire DIB should already by at or near Level 1. Agree or disagree?
  • Conceptually, the CMMC SRS will maintain the DIB’s compliance artifacts with potentially proprietary information. Does ACQ practices what it preaches? How is it secured?

Dan SchulmanFounder and CTO, Mission: Cyber, LLC

Pirooz Javan, Chief Operating Officer, Easy Dynamics Corp
Melissa McCoy, Chief Technology Officer, Kaizen Approach
Shayla Treadwell, Director, Cyber Compliance, ECS Federal
Bill Wootton, President and Founder, C3 Integrated Solutions

Recorded Session Panel Session: "Techniques and Tools to Enable Compliance - Best Practices and Lessons Learned"

The “Tools for Compliance” panel is here to help demystify the techniques and tools to enable compliance. Specifically, this panel will address the open source vs commercial tools and right-sized tools for the small and medium enterprise. Join us as our panel discusses best practices and lessons learned. 

Armando Seay, Director, DreamPort; Board of Directors, Maryland Innovation & Security Institute

Bernhard Bock, Chief Information Security Officer, SysArc
Dan Carayiannis, Public Sector Director, RSA
Roger Hockenberry, Chief Executive Officer, Cognitio
Horacio Maysonet, President & CEO, Cyber Security Solutions
Joe Sturonas, Chief Technology Officer, PKWARE, Inc.