NEW FOR CS5 2025


The Roundtable Revolution

Transform Your Thursday Afternoon

Join 420+ defense professionals for three hours of focused, facilitated discussions that deliver real connections and actionable insights.

Roundtable Revolution Sessions

Apply to facilitate these roundtables. Each roundtable will meet in a group of 10, and the groups will switch tables at the end of the session. The facilitator will then welcome a new group to the topic. Details in the application.

1. ITAR Meets CUI

Export control meets CUI: practical pitfalls and fixes

Trade insights on how export-controlled data becomes CUI—and what that shift means for your contracts, audits, and clients.

  • Spot red-flag scenarios that trigger DFARS 7012 & NIST 800-171
  • Label and secure legacy files before an assessor (or prime) calls
  • Counter "not CUI" myths from contracting officers and customers
  • Crowd-source a quick decision flow and action checklist to take home

2. Email & CMMC

CUI, DLP, routing & domains, FedRAMP "first hop," GCC High vs. enclaves, threat intel

Contractors and service providers trade real-world tactics to lock down email, protect CUI, and satisfy assessors—without vendor spin.

  • Routing & domains: enclaves, split domains, GCC High vs. enclave paths
  • FedRAMP "first hop" and shared-responsibility with ESPs/MSPs
  • DLP for CUI/ITAR/EAR: labels, rules, inbound/outbound controls
  • Multi-domain realities: partner mail, warnings, distribution statements
  • Turning email threat intel into training, detections, and IR playbooks

3. From Silos to Scope

Surface shadow IT, align processes, and avoid assessment surprises

IT often gets drafted to "do CMMC," but the answers live across the business. This roundtable swaps the soft skills and exact questions to ask ops, engineering, HR, finance, and suppliers so you can map scope, surface shadow IT, and document what must change—before an assessment does it for you.

  • What to ask each department to trace where FCI/CUI is created, stored, and sent
  • How to uncover the unknowns: unmanaged devices, SaaS, shared drives, tribal workflows
  • Sorting scope cleanly: L1 vs L2, enclaves, third parties—what's in, what's out, and why
  • Turning interviews into artifacts: clear roles, methods, and evidence in the SSP/CRM
  • Soft skills that work: framing, listening, and negotiating priorities without formal authority
  • Keeping it current: a simple cadence for updates, change control, and ownership

4. Small OSC → Small Cost Cybersecurity

Cost-effective compliance for small manufacturers

Small manufacturers swap practical ways to meet CMMC without breaking the shop: clear scope, right-sized controls, and implementation that fits real production schedules.

  • What's actually in scope on the floor (CUI touchpoints, shared PCs, CNC/PLC, travelers)
  • L1 vs. L2 bifurcation: keep FCI workflows separate from CUI—rules, not shortcuts
  • Cloud-first on a budget (M365, MDM, EDR, backup, basic logging): what's "enough" for a 20–50 person shop
  • OT realities: isolating machines, safe file moves/USB hygiene, and vendor constraints
  • Lean policies/procedures that match how small shops really work
  • Partners and peer help: MSP/MEP roles, shared responsibility (CRM), and phased rollouts that control cost
  • Simple evidence: tickets/configs/sign-offs that an assessor will accept without paperwork bloat

5. Improper Marking of CUI from Prime

What's proper, how to push back, what to request

Swap real experiences and language that works when primes mark everything "CUI." We'll clarify what proper markings look like and how OSCs can request fixes—professionally and on the record.

  • What "right" looks like: banner/portion marks, category ("Basic"/"Specified"), dissemination controls
  • When it's over-marked or vague: how to ask for the basis/category or corrected markings
  • Escalation paths that keep relationships intact (prime POC → contracting officer)
  • Handling mis-marked docs in the meantime: treat-as-CUI vs. minimum-necessary sharing, and documenting decisions
  • Contract & evidence angle: flow-down language, CRM/SSP notes, ticket/email trail to show due diligence

6. The CRM: Who Does What

Inheritance Understood

Contractors and service providers compare how they document shared control ownership so assessments are clear, defensible, and true to the architecture.

  • Map 800-171A objectives → owner • method • evidence—how much detail is "enough"?
  • Inherited vs. implemented vs. hybrid—where does ESP responsibility end, and what still lives with the OSC?
  • Make the CRM match reality: MSP/MSSP/CSP splits, enclaves, co-managed tools, and data flows.
  • Assessor lens: template dumps, ambiguous roles, and SSP/POA&M mismatches that trigger findings.
  • Contract/SOW alignment: flow-downs, proof requests, and asking providers for attestations without friction.
  • Keep it living: versioning, change control, and a review cadence pre- and post-assessment.

7. Evidence Automation & Continuous Monitoring

Real-time telemetry, alerts, audit-ready proof

Contractors and service providers trade ways to turn system data into continuous, assessor-ready evidence—without screenshot drudgery.

  • Map 800-171A objectives → signals → owners (OSC ↔ ESP)
  • What to collect: logs, configs, tickets, MDM/EPP, cloud control planes
  • Alerting that matters: thresholds, noise control, and triage workflows
  • Packaging proof: timestamps, hashes, retention, and sampling for assessors
  • Auto-updating POA&Ms and aligning with the CRM/shared responsibility
  • Toolchain patterns (SIEM/XDR/GRC) that cut effort while staying vendor-neutral

8. Tips on FIPS

Making CUI Encryption Work

Compare practical ways to meet 3.13.11 with FIPS-validated encryption while still getting CUI to federal recipients and subs—without weakening controls.

  • What "validated" really means (CMVP certs, module/mode) and how to note it in SSP/CRM
  • Email realities: when M365 Message Encryption fails, and viable alternatives (S/MIME, enforced TLS, secure portals)
  • Key exchange & onboarding: CAC/PIV use, certificate distribution, and handling agencies with strict webmail policies
  • File transfer options: portal vs. link vs. attachment—link lifetimes, audit trails, and access controls
  • Fallbacks without turning off security: pre-approved exceptions, escalation language to primes/COs
  • Evidence that lands: configs, cert IDs, delivery logs, and retention that proves compliance

9. OSC Vantage Point: Walk the CAP

What to Expect at Each Step

Prep for a CAP-aligned CMMC audit—from first contact to closeout—so there are no surprises on assessment days.

  • How do you lock scope and assets before scheduling (boundaries, inventory, SPRS sanity check)?
  • What belongs in a kickoff packet (roles, comms, evidence map, tool access)?
  • How do you make SSP • CRM • POA&M tell the same story—traceable and versioned?
  • Who joins which interviews, and how do you stage live demos/sampling without scripts?
  • On assessment days, how do you track requests, share screens safely, and deliver artifacts fast?
  • How do you handle closeout: factual-accuracy responses, POA&M updates, and follow-ups?

10. CMMC Is a Left of Boom Strategy

Policy → practice: baselines, hardening, vuln mgmt, supply-chain controls

Contractors and service providers trade playbooks for using CMMC to prevent incidents—not just pass audits.

  • Build enforceable baselines (MFA, least privilege, secure configs) and watch for drift
  • Make training stick: metrics that prove behavior change
  • Vulnerability mgmt SLAs: find → triage → remediate → exception
  • Config auditing mapped to 800-171 (CIS/STIG) for defensible evidence
  • Supply chain: flow-downs, CRM with ESPs/MSPs, and vendor risk gates

11. Engineering Trust

Policy to Practice: Aligned by Design

Trade practical ways to turn policy into engineered, testable security—using Systems Security Engineering (CMMC 3.13.2) so controls are designed-in, not bolted on.

  • Start with mission needs → clear security objectives that drive scope
  • Map mission threads/data flows to boundaries, components, and risks
  • Tailor applicability per component/env; clarify OSC ↔ ESP (CRM) ownership
  • Build trustworthy designs: segmentation, least privilege, logging-by-design
  • Make it traceable: objectives → requirements → tests/assurance cases → evidence
  • Keep it living: design decisions, change control, and metrics that show it works

12. Zero Trust for CMMC

Identity-first access, micro-segmentation, continuous validation

Contractors and service providers trade practical Zero Trust patterns that reduce blast radius and produce assessor-ready evidence.

  • Identity & access: MFA everywhere, JIT/JEA, NPEs, federation
  • Microsegmentation: zoning on-prem/cloud to contain failure
  • Continuous validation: device posture, behavioral analytics, kill "trusted network"
  • ZTNA rollout: what scales for small OSCs vs. multi-tier primes
  • Evidence that passes: map controls to 800-171/172 with defensible artifacts
  • Pitfalls to dodge: siloed IAM, tool sprawl, inconsistent policies; KPIs for maturity

13. Training That Sticks

Beyond check-the-box: behavior change that lasts

Swap proven tactics to make security training actually change behavior—not just satisfy assessors.

  • What works: micro-learning, simulated phishing, just-in-time prompts, peer champions
  • Metrics that matter: beyond completion rates to real behavior change (click rates, report rates, policy violations)
  • Role-based content: different approaches for engineers, finance, executives, and shop floor
  • Budget-friendly delivery: internal champions, vendor partnerships, and scalable formats
  • Evidence for assessors: curriculum maps to 800-171, completion tracking, incident correlation
  • Sustaining momentum: refreshers, new-hire onboarding, and incident-driven updates

14. High Cloud Decisions – GCC High

Migration planning, cost control, and vendor lock-in avoidance

Contractors compare real-world GCC High migrations: what works, what costs more than expected, and how to avoid vendor lock-in.

  • Migration sequencing: email first vs. files first vs. all-at-once—lessons learned
  • Cost control: licensing surprises, bandwidth requirements, and training overhead
  • Shared responsibility: what Microsoft handles vs. what's still your problem (CRM implications)
  • Integration challenges: legacy apps, third-party tools, and hybrid scenarios
  • Evidence collection: audit logs, compliance dashboards, and assessor expectations
  • Exit strategies: avoiding lock-in while getting compliance benefits

15. Prime Playbook: Supply Chain Security

Flow-downs, risk assessment, and supplier management

Prime contractors share how they manage OSC compliance across their supply chain: effective flow-downs, risk assessment, and ongoing monitoring.

  • Flow-down language that works: specific requirements vs. general clauses
  • Risk-based tiering: different requirements for different supplier risk levels
  • Supplier assessment: questionnaires, attestations, and third-party validation
  • Ongoing monitoring: what to track, how often, and when to act
  • Remediation approaches: support vs. replacement decisions
  • Evidence management: maintaining defensible records of supplier compliance

16. Physical Security and What They Actually Want to See

Beyond badge readers: practical controls that pass assessment

Contractors share what physical security controls actually work for CMMC—and what assessors really look for during site visits.

  • Access control realities: badge systems, visitor management, and dual-person authorization
  • Monitoring that matters: cameras, logs, and incident response procedures
  • Secure areas: server rooms, storage, and work areas—how much separation is enough?
  • Media controls: device handling, sanitization, and destruction procedures
  • Evidence collection: logs, photos, procedures that satisfy assessors
  • Cost-effective approaches: what works for small vs. large facilities

17. POA&M Like a Pro

Strategic deficiency management and remediation planning

Trade proven approaches to POA&M development that satisfy assessors and actually drive security improvements.

  • Writing deficiencies that pass: root cause analysis, risk scoring, and remediation specificity
  • Milestone planning: realistic timelines, resource allocation, and dependency management
  • Evidence linkage: connecting findings to controls and tracking remediation proof
  • Risk management: accepting, mitigating, and transferring risks appropriately
  • Ongoing maintenance: tracking progress, updating timelines, and closing items
  • Assessor perspective: what makes a POA&M acceptable vs. what triggers re-work

18. DIBCAC and the C3PAO

Assessment ecosystem: roles, relationships, and expectations

Understanding the CMMC assessment ecosystem: how DIBCAC, C3PAOs, and OSCs work together effectively.

  • Role clarity: what DIBCAC oversees vs. what C3PAOs control
  • C3PAO selection: evaluation criteria, pricing models, and relationship management
  • Assessment preparation: what OSCs should expect from their C3PAO
  • Quality assurance: DIBCAC oversight and C3PAO accountability
  • Issue resolution: handling disputes, appeals, and corrective actions
  • Market dynamics: supply, demand, and pricing trends

19. Shadow AI & CMMC

Managing AI tools, data exposure, and emerging risks

Contractors share approaches to managing AI tool proliferation while protecting CUI and maintaining CMMC compliance.

  • Discovery and inventory: finding AI tools already in use across the organization
  • Risk assessment: data exposure, model training, and third-party processing
  • Policy development: acceptable use, data handling, and approval processes
  • Technical controls: DLP integration, network monitoring, and access restrictions
  • Vendor management: AI service provider assessments and contract terms
  • Training and awareness: helping employees understand AI risks and proper usage

20. Contracts Review (CMMC/DFARS/ITAR)

Flow-down identification, compliance mapping, and risk management

Legal and compliance professionals share contract review processes that identify cybersecurity obligations and map them to implementation requirements.

  • Flow-down identification: finding CMMC, DFARS, and ITAR requirements in contracts
  • Compliance mapping: translating contract language to technical controls
  • Risk assessment: understanding penalties, liability, and enforcement
  • Negotiation strategies: pushing back on unreasonable requirements
  • Documentation practices: maintaining compliance evidence and audit trails
  • Change management: handling contract modifications and new requirements

21. The Importance of Level 1 Bifurcation

Separating FCI and CUI workflows for cost control and compliance

Contractors share strategies for cleanly separating Level 1 and Level 2 environments to control costs while maintaining compliance.

  • Business process mapping: identifying true FCI vs. CUI touchpoints
  • Technical separation: network segmentation, access controls, and data flows
  • Workflow design: keeping FCI processes in lower-cost environments
  • Change management: preventing scope creep and maintaining boundaries
  • Cost optimization: maximizing Level 1 utilization while ensuring compliance
  • Assessment preparation: documenting bifurcation decisions and maintaining evidence

  • 3 hours of roundtables
  • 21 unique topics
  • 10 people per table
  • 420+ total participants

We Listened. We Learned. We're Delivering.

At CEIC West 2025 in Las Vegas, we observed something powerful: the most valued sessions weren't the keynotes or panels—they were the organic conversations happening between sessions.

Our surveys confirmed it. The most popular sessions had one thing in common: interaction. Real professionals solving real problems together.

"The best part of the conference was meeting others facing the same challenges and hearing how they solved them."

So we're reinventing the conference experience with the Roundtable Revolution—42 focused discussions, expert facilitators, and the connections you've been looking for.

How the Roundtable Revolution Works

Three hours. Three sessions. Unlimited potential.

1. Reserve Your Spots

Browse 21 topics online. Reserve your seat at three different tables. Each limited to 10 participants.

2. Join Your First Circle

Expert facilitators guide focused 60-minute discussions. Share challenges, exchange solutions, build connections.

3. Network & Rotate

Between sessions, continue conversations over refreshments. Then move to your next chosen topic.

4. Multiply Your Impact

By day's end, you've engaged with 30 peers and 3 experts on topics that matter most to your business.

Experience the Energy

Picture 21 tables buzzing with focused conversations.

The Big Picture
420+ professionals, 42 topics, infinite possibilities
Intimate Discussions
10 people per table ensures everyone has a voice
Expert Facilitation
CCPs and CCAs guide productive conversations

Suggest a Challenge or Other Roundtable Topic.

We want to learn what challenges you are facing, and we are looking for expert facilitators to lead these discussions. CCPs and CCAs receive priority consideration, but all industry experts with validated experience are welcome to suggest a topic and apply.

As a facilitator, you'll:

  • Build deep connections with 30 professionals
  • Shape critical industry conversations
  • Guide discussion, not lecture
  • Keep conversation focused and productive
  • Create an inclusive, safe learning environment
  • Synthesize key insights and takeaways

Share your challenge(s), submit a Roundtable topic, and become a facilitator today.


Ready to Join the Revolution?

Reserve your spots at the tables that matter most to your business. Limited to 10 participants per topic.
