Become a
CS5 East Speaker

Scoping shouldn't feel like spelunking through server racks. This fast-paced, plain-English session demystifies the single most misunderstood step in CMMC and other cybersecurity frameworks: figuring out exactly what's in scope, what's out, and why it matters to your bottom line.

Why attend?

• Slash uncertainty and cost. Learn how a smart scope can shrink assessment boundaries, reduce tooling spend, and cut audit prep time in half.
• Speak the language of business. We translate tech-heavy terms—CUI enclaves, boundary controls, segmentation—into risk and dollars executives actually care about.
• Avoid the "scope-creep" trap. Real stories show how companies accidentally doubled their audit footprint—and the simple questions that would have saved them.
• Build a scope map in 30 minutes. Walk through an interactive template that turns org charts, data flows, and supplier lists into a clear, defensible scope statement.
• Future-proof your decisions. See how mergers, cloud moves, and new contracts can blow up a good scope—and the governance checkpoints that keep it intact.

Subtitle: Maximizing Each Hour Spent & Each Dollar Burned

When every week on the calendar and line on the budget matters, how do you move from CMMC planning to a fully compliant organization without draining resources? This session answers that question with a battle-tested playbook for squeezing maximum value out of every task, meeting, and dollar along your CMMC journey.

What we'll cover

• Prioritize with purpose. Explore adaptable strategies for sequencing work—risk, contract, or resource-based—so early successes generate momentum and executive confidence.
• Scope with surgical precision. Shrink assessment boundaries, slash tooling costs, and avoid the hidden labor of "accidental scope-creep."
• Strategic use of service providers. Pinpoint when to lean on RPOs, MSSPs, and niche consultants—buying expertise only where it accelerates progress and caps labor spend.
• Reuse, don't reinvent. Repurpose existing policies, audit logs, and externally hosted evidence so you're not writing documents—or checks—twice.
• Automate the evidence trail. Leverage ticketing systems, SIEM alerts, and asset inventories to produce assessor-ready proof with one click.
• Measure progress in business terms. Transform control status into dashboards that track dollars preserved, risks reduced, and deadlines met.

Whether you're a program manager hunting for efficiencies, a finance lead guarding cash flow, or a CISO orchestrating both, you'll leave with a clear roadmap to deliver compliance on schedule—and on budget—while positioning your organization for future growth.

Subtitle: The Two-Way Pain of Flowdown

With Title 48 expected to be finalized by October 2025, keeping suppliers and subcontractors aligned with CMMC and DFARS 252.204-7020/7021 will be a contractual must for every prime contractor. In this panel discussion, supply-chain leads from major defense primes and veteran CMMC advisors outline what large contractors are already asking for and what lower-tier companies must be ready to deliver as final rules take effect.

Discussion highlights

• Prime flow-down language — The clauses that are becoming standard in master service agreements and purchase orders, and how enforcement will tighten once Title 48 is in force.
• Data-classification gaps — Practical ways to obtain CUI details when they are missing from initial subcontracts, plus examples of stop-work triggers when data mapping falls short.
• Right-sized oversight — Benchmarks for onboarding reviews, continuous-monitoring checkpoints, and annual attestations across single- and multi-tier supply chains.
• Audit-ready evidence — Documentation and reporting practices primes will expect before award, mid-performance, and at renewal, based on 2025 assessment trends.
• Lessons learned — Real-world missteps that led to corrective-action plans, and the fixes that satisfied both assessors and prime contract managers.

Attendees will gain a clear view of the prime-contract expectations coming with Title 48, the most common pitfalls seen in 2025 audits, and practical steps to keep their supplier chain—and their revenue stream—secure, compliant, and ready for the next contract cycle.

Subtitle: Untangling the Truth Behind External Service Provider Promises

External Service Providers (ESPs) can accelerate a CMMC program, but they don't erase your accountability—or an assessor's scrutiny. In this frank panel, a veteran CMMC assessor, an ESP executive, a contracts attorney, and a defense-industry OSC unpack the promises, limits, and documentation every organization must nail down before handing off critical controls.

What the panel will cover

• Inheritance clarified: Which controls can legitimately pass to CSPs, MSPs, MSSPs, and specialized compliance providers—and which always stay with the OSC.
• Customer Responsibility Matrix (CRM): Why every engagement needs a provider-signed CRM, the minimum details it must contain, and how assessors use it to assign evidence ownership.
• Contract language that stands up: Clauses for SLAs, log retention, and right-to-audit that survive legal review and satisfy auditors.
• Red-flag promises to avoid: Misleading claims such as "We'll close your POA&M" or "FedRAMP covers everything," and the penalties they can trigger.
• Non-delegable high-risk functions: Incident response, privileged access, and continuous monitoring—areas where accountability can never be outsourced.
• Lessons from 2025 audits: Real-world cases where blind trust in ESPs delayed certification—and the corrective actions that brought projects back on track.

You'll leave with a concise checklist for vetting ESPs, verifying CRMs, and keeping provider support aligned with your obligations—so your organization stays compliant, contract-ready, and firmly in control.

Subtitle: The Culture Shift Behind CMMC

CMMC audits live and die on written evidence. Controls may be rock-solid in practice, but if policies, procedures, and activity logs aren't captured and organized, assessors must score them Not Met. This session shows how successful primes and resource-strapped SMBs have transformed "paperwork" into a routine operational output—eliminating last-minute scrambles and costly rework.

Session highlights

• From checklist to culture Real stories of teams that turned one-time policy sprints into living processes everyone can demonstrate on demand.
• The cost of exaggeration Case studies where overstated capabilities triggered findings, budget overruns, and schedule slips—and how a "document what you actually do" mindset prevented repeats.
• Assessor expectations decoded What auditors look for in policies, procedures, and evidence chains—and the gaps that still trip organizations in 2025.
• Right-sizing the paper trail Practical methods to keep documentation current without drowning staff in edits, approvals, and version control.
• Keeping momentum Techniques for embedding ownership and review cadences so documentation stays audit-ready between contracts.

Leave with a clear picture of how "write it down, organize it, prove it" becomes second nature—securing certifications, protecting schedules, and freeing your team to focus on real security work.

Subtitle: Do's, Don'ts and Imagination. (and a few other leading edge technologies)

Large-language models can draft policies, summarize logs, and spot data anomalies in seconds—but they'll also invent citations, skip edge-cases, and present an 80 percent answer with 100 percent confidence. CMMC assessors will grade you on the missing 20. This session shows how forward-leaning defense contractors are harnessing artificial intelligence without surrendering accuracy, accountability, or budget.

In 50 minutes we'll cover

• AI's real value—and real limits Where machine learning speeds evidence tagging, control mapping, and ticket triage, and where you must impose human review to catch hallucinations, bias, and incomplete logic.
• VDI-anchored enclaves Using virtual desktops to corral users, legacy endpoints, and IL4/IL5 cloud services into a single audit-ready boundary—eliminating forklift upgrades while producing a clean log timeline.
• Zero-trust guardrails Segment identities, devices, and data flows so inheritance is obvious and AI tools can't overreach their permissions.
• Governance first, gadgets second Model clauses, approval workflows, and versioning tactics that keep AI output as "draft-until-verified" evidence—protecting you from copy-paste compliance.
• Cost realism CapEx-to-OpEx comparisons that show how SMBs can afford modern enclaves and AI pilots without derailing cash flow.

Expect candid do's, don'ts, and imaginative next steps—from choosing AI copilots that log every prompt to setting up review queues that turn risky suggestions into assessor-ready artifacts. Leave with a blueprint for faster audits and fewer findings, built on technology you trust and evidence you can prove.

You manage firewalls, patch fleets, and monitor SIEMs for defense contractors—yet an assessor can still hand your client a Not Met and send everyone back to square one. Why? Because CMMC success hinges as much on how you frame the work as on the work itself. This session flips the script to focus on the missteps service providers most often make when guiding organizations seeking certification (OSCs).

• Scoping that sticks: Draw a defendable CUI boundary before deploying tools, so your services—and your invoices—align with what assessors actually review.
• Practice vs. objective gap: Translate the 110 practices into 320 assessment objectives, and map ticket data, dashboards, and change records to each one.
• Inheritance without illusion: Understand how assessors verify shared-responsibility claims, and the artifacts you must deliver to prove your controls protect the OSC.
• Document-first delivery: Adopt a "write, do, prove" cadence—policies, diagrams, and POA&Ms drafted alongside engineering tasks—to keep the client's SSP and your statement of work in sync.
• Timing & training traps: Avoid last-minute rollouts and ad-hoc user briefings that undermine otherwise solid implementations.
• Provider readiness roadmap: Prioritized actions and communication tactics that convert technical excellence into certifiable compliance for every engagement.

If you're an MSP, MSSP, RPO, or any external team supporting the defense industrial base, this session will sharpen your strategy, tighten your evidence trail, and position both you and your clients for first-pass success.

Dashboards that "auto-map" controls, AI engines that "close" POA&Ms, one-click platforms that "solve CMMC." The market is overflowing with products that promise effortless compliance—yet a poor choice can drain budgets, distort scope, and leave gaps an assessor will spot in minutes. This session equips service providers and OSCs with a vendor-agnostic checklist for separating genuine enablers from costly distractions.

• Define the job before the tool: Pin every feature request to a specific control objective—evidence management, continuous monitoring, risk analytics—before you read a sales deck.
• Proof over promises: Require artifacts, log samples, and role mappings that demonstrate how the product satisfies assessment objectives, not just practice buzzwords.
• Integration reality—how much and where? Decide whether to pipe compliance data into everyday dashboards and client reports or keep it siloed and simply point auditors to the source; deep APIs boost real-time decision-making but add failure points, upkeep, and scope creep.
• Operational reuse of compliance intel: Select platforms that let management repurpose collected evidence—policies, logs, metrics—into board dashboards, capacity planning, and service-provider health reports, turning audit data into continuous business insight.
• Watch for scope inflation: Spot features that silently widen the compliance boundary or duplicate tools you already own.
• Usability where it counts: Ensure admins, auditors, and executives can each pull what they need—no vendor hand-holding required.
• Total cost of ownership: Look past license fees to setup labor, scripting, annual reassessment updates, and hidden "premium" modules.
• Snake-oil red flags: Flag claims that clash with DFARS or Title 48 ("self-certification guaranteed," "no documentation necessary")—and know when to walk away.

Leave with a practical evaluation matrix and the confidence to ask tough questions—so every tool you adopt accelerates compliance and generates management insight instead of becoming your next expensive trap.

The False Claims Act (FCA) empowers whistleblowers to sue on the government's behalf when they believe a contractor is committing fraud—recovering billions for taxpayers every year. Amid persistent confusion over CMMC, CUI handling, and cybersecurity in general, FCA filings have climbed steadily, and the DOJ's Civil Cyber-Fraud Initiative is accelerating that trend. With Title 48, new DFARS clauses, and a forthcoming FAR CUI rule set to make third-party certification the norm by October 2025, legal exposure for both primes and service providers is poised to spike.

This legal-centric briefing—delivered by government-contract attorneys, former DOJ cyber-fraud prosecutors, and veteran C3PAO assessors—breaks down the latest enforcement data, average settlement figures, and hard-won lessons every contractor and managed service provider needs before their next audit.

• Fresh enforcement landscape: Title 48's final text, mandatory C3PAO certification for nearly all Level 2 contracts, and stepped-up DIBCAC spot checks redefine "material misrepresentation" for primes and their MSPs, RPOs, and SaaS vendors.
• Whistleblower war stories: Qui tam cases triggered by a breach report, a fudged SPRS score, or an ignored POA&M—complete with multimillion-dollar settlements and co-defendant service providers.
• Fragile self-attestation: Level 1—and the few Level 2 carve-outs—still rely on self-scores, but a whistleblower claim can put every assertion under a microscope, leaving no time to close gaps before DOJ or prime scrutiny hits.
• Privilege architecture: Structuring attorney-client/Kovel engagements so readiness gaps are remediated under legal cover—privilege cannot be bolted on after an RPO is already engaged.
• Contract flow-down liabilities: What primes now demand in affidavits and supplier attestations, and how a provider's misstep can drag an entire program into litigation.
• Insurance & M&A ripple effects: How carriers, investors, and acquirers are tightening cyber due-diligence checklists and exclusions as FCA risk rises.

Title 48, DFARS 7020/7021, and the coming FAR CUI rule have thrust service providers onto the front line of CMMC compliance. This session gives providers the playbook to stay profitable while meeting assessor and legal scrutiny.

• Regulatory clarity: How current rules bound ESP, MSP, and CSP responsibility—and the penalties for crossing the line.
• CRM that sells and survives: Elements of an assessor-ready Customer Responsibility Matrix, how to showcase it in proposals without overcommitting, and the template shortcuts that invite findings.
• Service bundles that fit: Packaging support, monitoring, and IR so they map cleanly to Level 2 objectives without scope creep.
• Pricing levers: Recurring-revenue and project-fee models that reflect effort, risk, and measurable outcomes.
• Contract language that stands up: Clauses for SLAs, log retention, and right-to-audit that clear legal review and satisfy auditors.
• Non-delegable high-risk functions: Incident response, privileged access, and continuous monitoring—areas where accountability can never be outsourced.
• Red-flag promises to avoid: Claims like "We'll close your POA&M" or "FedRAMP covers everything," and the False Claims Act exposure they trigger.
• Scaling talent: Lessons from the "MSP Collective" on recruiting, tooling, and automation in a market demanding rapid growth and airtight security.

Hear candid insights from competing MSP leaders, a CMMC assessor, and a contracts attorney—so you can refine offerings, draft stronger CRMs, and navigate the compliance minefield with confidence.

Subtitle: AND... the case for contractors to have their own CCP

The CMMC Certified Professional (CCP) badge is marketed as the on-ramp to assessment teams and consulting roles—yet many new holders discover that real-world credibility demands far more than exam scores. This session dissects the gap between certification and practice, then shows how to turn the CCP into tangible career leverage.

• Credential ≠ role | Why a CCP alone seldom lands you on a C3PAO roster or high-stakes engagement.
• What hiring managers really want | Hands-on control implementation, evidence mapping, client coaching, and tool fluency—skills no multiple-choice test can prove.
• Translator value inside the OSC | A CCP bridges language barriers, aligning service-provider deliverables with internal operations and clarifying intent for auditors—reducing friction on both sides of the table.
• Career multiplier | Used strategically, the CCP opens diverse paths: in-house compliance lead, RPO consultant, tooling specialist, or stepping-stone to CCA/RPA credentials.
• Closing the experience gap | Apprenticeships, shadow assessments, and project portfolios that convert theory into assessor-valued proof.
• Myth-busting the echo chamber | Debunking LinkedIn lore and "self-evident" DFARS assumptions that stall real progress.

Hear candid insights from CCP holders, OSC security leads, and C3PAO hiring managers who have navigated the reality check—so you can transform a certificate into a thriving career, not a paper credential.

With CMMC live since December 16 2024—and the complementary 48 CFR acquisition rule slated for release this fall—defense contractors now juggle CMMC alongside ISO 27001, NIST CSF, HIPAA, PCI-DSS, and more. Maintaining separate policies and evidence sets for each mandate wastes time and money. The Secure Controls Framework (SCF) fixes that by unifying requirements into a single, outcome-focused control library.

• One standard, many mandates: How SCF's 32 domains map natively to CMMC 2.0 Level 2 practices, NIST 800-171, ISO 27001, and dozens of other regulations—eliminating duplicate documentation.
• Evidence once, report many: Building a shared control repository so the same artifacts satisfy CMMC assessors, ISO auditors, and customer questionnaires.
• Lower cost, less drag: Real numbers on how SCF users cut policy-writing time by half and reduced audit prep hours by 40%.
• Tooling strategies: Options—GRC platforms, wikis, spreadsheets—for hosting SCF content, version control, and change monitoring.
• Service-provider alignment: Embedding SCF references in Statements of Work and Customer Responsibility Matrices to clarify shared controls and streamline onboarding.
• Common traps to avoid: Over-mapping, unclear domain ownership, and losing audit scope—pitfalls that can turn SCF from accelerator to anchor.

Whether you're an OSC chasing CMMC certification or a service provider supporting multiple frameworks, you'll learn how to deploy SCF to synchronize controls, reduce effort, and future-proof your compliance program.