09:00 Welcome and Introduction (P00a) TBA
09:10 Government Keynote (P00b) TBA
09:40 Industry Keynote (P00c) TBA
11:00 When Code Becomes CUI: Conducting CMMC Assessments on Custom Software (M01a) Kyle Lai, President and CISO, KLC Consulting
11:30 What Not to Miss When Scoping CUI in Your Environment (M01b) Rachel Bassford, CUI Consultant, DEFCERT [60 Min]
11:00 Understanding the Realities of Continuous Monitoring for the Affirming Official (D01a) George Perezdiaz, Managing Director & Lead CMMC Assessor, PEREZDIAZ [30 Min]
11:30 Engineering for Verification: The Technical Realities of Passing CMMC (D01b) Scott Whitehouse, VP, Compliance, C3 Integrated Solutions [60 Min]
11:00 CMMC Vendor Playbook: How to Select a Trusted C3PAO, MSP, CSP, or RPO (K01a) Andrew Freund, Founder & CEO, Kraken Compliance
11:30 Lessons from a C3PAO: Top 10 Insights from the First CMMC Assessments (K01b) Michael Brooks, CMMC Strategy & Engagement Director, A-LIGN
12:00 An Assessor's View on False Starts (K01c) Victor Cich, Sr. Compliance Consultant, RADICL
13:30 CMMC Guidance from a DOD Perspective (L02a) Derrick Davis, Associate Director DOD OSBP, State and DOD
14:00 Panel Discussion: Forecasting CMMC for 2026 and Beyond (L02b) TBA [60 Min]
13:30 CMMC Assessment Process (CAP) (M02a) Fernando Machado, Managing Principal/CISO, Cybersec Investments
14:00 What to Do (and Not Do) in a CMMC Assessment (M02b) Derek Kernus, CEO, Aethon Security Consulting
14:30 Top 5 Issues of CMMC Level 2 Assessments (M02c) Carter Schoenberg, Lead Assessor and CSO, Soundway Consulting
13:30 Multi-Framework Intelligence: Reusing CMMC Evidence Across ISO 27001, SOC 2, and Beyond (E02a) Justin Beals, CEO & Founder, Strike Graph Inc.
14:00 Closing the Readiness Gap: What CMMC Assessments Reveal About Contractor Preparedness (E02b) Bill Wootton, Chief Revenue Officer, C3 Integrated Solutions [60 Min]
15:30 CMMC and NATO: Managing Compliance Across the Atlantic (L03a) TBA
16:00 A Trusted Ecosystem Is Essential for Building and Maintaining a Low-Cost & Effective Compliance Program (L03b) Leslie Weinstein, Owner, The Cyber Advisor
16:30 CMMC’s Here, but Is My Supply Chain Ready?: Understanding and Allocating the Risk Presented by CMMC’s Mandatory Flowdown Requirements (L03c) Adam Bartolanzo, Principal, Miles & Stockbridge P.C.
15:30 If It Isn’t Documented, It Doesn’t Exist (M03a) Stuart Itkin, Chief Security Evangelist, Futurefeed
16:00 Evidence Without Chaos: A Practical Blueprint for Faster, Cleaner CMMC Level 2 Readiness (M03b) Troy McCartney, CISSP, Director of Cybersecurity, Compliance & AI Innovation, Alpha Team Solutions
16:30 Insights From Real World CMMC DIB Assessments (M03c) Ali Pabrai, Lead CCA, CCP, RPA, RP, CISSP (ISSAP, ISSMP), HITRUST CCSFP, MSEE, ecfirst
15:30 What Is the Assessor Looking for? Avoiding Pitfalls in Your CMMC Assessment (E03a) David Bedard, Director of Compliance, KTL Solutions
16:00 Say WHAT? – Inside the Mind of a CMMC Certified Assessor (E03b) James Goepel, Executive Vice President, Peak Infosec [60 Min]
09:00 NIAP – CCEVS/PP Update (R00a) CSfC PMO Speaker TBA
The official U.S. scheme update: current NIAP/CCEVS priorities, Protection Profile (PP) roadmaps, what’s changing operationally for evaluations and maintenance, and what defense buyers should expect to see on the PCL over the next 12–18 months.
09:30 CC:2022 Transition & Mutual Recognition: What It Changes for DIB Product Roadmaps (R00b) TBA
A practical “what’s different now” briefing on CC:2022-era planning: how PP transitions and evolving mutual recognition expectations will impact product strategy, multi-market certification decisions, and schedule risk for DIB suppliers.
10:00 Lessons Learned from Recent Certifications: Reducing Rework in Scope, Evidence, and Crypto Dependencies (R00c) TBA
Case-study-driven guidance on what actually causes rework late in evaluations: mis-scoped TOE boundaries, evidence gaps, configuration drift, and crypto-validation dependencies—and how successful teams structure engineering and documentation to keep moving.
10:30 Mapping Common Criteria to CSfC, RMF, FedRAMP, and CMMC: How to Cut Duplicate Compliance Work (R00d) TBA
A crosswalk from CC deliverables (PP claims, Security Target assertions, evidence) to what integrators and authorizers need in CSfC and RMF packages—plus where FedRAMP and CMMC efforts can be leveraged instead of repeated.
11:30 Panel: Common Criteria in the DIB—What Buyers, Integrators, Vendors, and Labs Need to Fix Next (R01a) TBA
A candid, operational panel on the friction points everyone feels: PP scope realities, scheduling bottlenecks, sustaining certification in a high-CVE world, and what procurement, labs, and vendors can change that would measurably reduce cost and time without lowering assurance.
13:30 Cloud/SaaS Evaluations in Practice: FedRAMP Preconditions, Shared Responsibility, and Certification Drift (R02a) TBA
What changes when the TOE is a service: structuring SaaS/cloud architectures so evaluation is feasible, aligning with FedRAMP realities, and handling the hardest operational problem—continuous updates without losing the evaluated security posture.
14:00 Vulnerability Handling & Assurance Continuity: Staying Certified While Patching Fast (R02b) TBA
Straight talk about CVEs in certified products: how vendors and labs handle “security-relevant” vulnerabilities, how to avoid certification derailment, and how to build patch workflows that satisfy customers, integrators, and scheme expectations.
14:30 SBOM Under NIAP: What Evaluators Expect and How to Automate for Speed and Trust (R02c) TBA
SBOM as a certification input: what “good” looks like for NIAP submission and review, common failure modes, and how vendors can automate SBOM generation and dependency hygiene to shorten cycles and improve supply-chain visibility.
15:00 CCUF and Technical Communities: How to Influence the Next Generation of Protection Profiles (R02d) TBA
How CCUF and iTC work actually drives PP direction—and how product developers, cloud providers, integrators, and labs can get ahead of new requirements in emerging domains (cloud-native architectures, virtualization, IoT/embedded).
16:00 Panel: The Future of Common Criteria—CC:2022 Rollout, Automation, PQ, and New Domains (R03a) TBA
A forward-looking strategy discussion focused on what will change next: CC:2022 transitions, evidence automation, SBOM/vulnerability-intelligence integration, and emerging technical domains (including PQ readiness and virtualization/cloud-native boundary problems).
09:00 Conference Welcome (P10a) Dominic Perez, CTO, Curtiss-Wright
09:10 CSfC PMO Introduction (P10b) John Dunker, Director CSfC PMO, National Security Agency (NSA)
09:20 Government Keynote (P10c) TBA
09:50 Industry Keynote (P10d) TBA
11:00 CSfC PMO Program Updates and Process Improvements; Ask the PMO Panel (P11a) John Dunker, Director, CSfC Program Management Office, Panelists TBA
13:00 CSfC Components List Process (N12a) CSfC PMO Speaker TBA
14:00 CSfC Solution Registration Process Overview (N12b) CSfC PMO Speaker TBA [60 Min]
Integrators Experience (R12). Moderator: TBA
13:00 CSfC Trusted Integrator Process (R12a) CSfC PMO Speaker TBA
13:30 Panel Discussion: Trusted Integrator (TI) Perspective (R12b) Leader: Fred Elliott, Sr. Manager, Business Development, Curtiss-Wright Panelists: TBA [60 Min]
15:00 CSfC EUD Composition Guidance Addendum 2.0.0 and Retransmission Device Protection Profile (N13a) CSfC PMO Speaker TBA [60 Min]
16:00 CSfC Engineering Capability Package & Annex Roadmap (N13c) CSfC PMO Speaker TBA [60 Min]
PQ Cyber (Q13). Moderator: TBA
15:00 CSfC CNSA 2.0 Post Quantum Implementation Roadmap (Q13a) CSfC PMO Speaker TBA
15:30 PQC Migration for Federal Agencies—Mandates, Architecture, and an Actionable Playbook (Q13b) Suprotik Ghose, CISO, Graphene Security
16:00 Post Quantum Cryptography – Much Ado About… Something? (Q13c) Joshua Marpet, Chief Compliance Officer, Cyturus [60 Min]
CSfC in Practice (C13). Moderator: TBA
15:00 Identity and Access Control Gaps that Derail CSfC and CMMC Implementations (C13a) Herbert Decker, Cybersecurity Practitioner and Security Strategist, Tretechpro
15:30 The Route to True Drive Encryption Integrity (C13b) Conner Crisafulli, Field Solutions Engineer, Cigent
16:00 Panel Discussion: Enabling iPad and iPhone Classified Mobility Panel (C13c) Daniel Odonohue, EVP, Owl Cyber Defense [60 Min]
09:00 DIB Cloud Compliance Reality Check (CMMC + DFARS + FedRAMP Reuse) (R10a) TBA
A walkthrough of what “compliant cloud” means for DIB products in 2026: scoping boundaries, evidence expectations, typical failure modes, and how to avoid building a “compliance dead-end” architecture that can’t sustain CMMC + DoD + FedRAMP demands.
09:30 FedRAMP Modernization — What Changes for Product Teams and Compliance Ops (R10b) TBA
Operator impacts of OMB M-24-15: “presumption of adequacy,” reuse expectations, what evidence should become machine-readable, and how product teams should design release processes for continuous monitoring rather than episodic “ATO sprints.”
10:00 DoD Cloud SRG Impact Levels — Designing for IL4/IL5 and the Authorization Path (R10c) TBA
What IL4/IL5 mean for architecture and business strategy: where vendors blow it (connectivity constraints, identity boundary assumptions, multi-tenant risk), and how to align cloud-native design with the DoD cloud authorization process and SRG expectations.
10:30 Talk: DoD Zero Trust by FY27 — Vendor Requirements for Identity, Devices, Data, Telemetry (R10d) TBA
A vendor-focused translation of Zero Trust: what DIB product teams must support (identity signals, device posture, data tagging/controls, continuous telemetry), what “target level by FY27” implies for roadmaps, and how vendors can avoid building non-interoperable “one-off” ZT features.
11:30 Panel: One Evidence Story Across CMMC, DFARS 7012, FedRAMP, and DoD PA/ATO (R11a) TBA
A working session on the hard part: building a single, defensible authorization boundary and evidence narrative that satisfies overlapping frameworks without duplicative audits and rework. Expect concrete discussion of SSP boundaries, inherited controls, evidence automation, and what “continuous monitoring” means in the real world.
13:30 Secure DevSecOps & cATO — Continuous Evidence, Pipelines, and “Factory-to-ATO” Tactics (R12a) TBA
How product teams prove security continuously: pipeline-based evidence, policy-as-code, artifact integrity, audit-ready logs, and how to keep speed without accumulating authorization debt. The talk should be explicit about what’s different for regulated buyers vs commercial “DevSecOps theater.”
14:00 Container/Kubernetes Security for Regulated Workloads — Hardening, Runtime Defense, and Isolation (R12b) TBA
A pragmatic guide to shipping container/K8s workloads that can survive regulated scrutiny: image provenance, admission control, runtime detection, least privilege, node hardening, and what breaks when you introduce multi-tenant/managed services into CUI environments.
14:30 Cloud & Software Supply Chain Risk — SBOM/Attestation at Scale and Third-Party Reality (R12c) TBA
SBOM is not the finish line. This talk focuses on operationalizing SBOMs, signing/attestation, third-party dependency governance, and what the DIB should learn from incidents where the supply chain or a cloud dependency became the outage/root cause.
15:00 High-Assurance Protection — KMS/HSM, CMKs, Enclaves/TEE, and Confidential Computing (R12d) TBA
For DIB workloads, “encrypt at rest/in transit” is table stakes. This session focuses on key management patterns (CMKs, separation of duties, HSM integration), enclave/TEE value and limits, remote attestation, and when confidential computing materially changes risk in multi-tenant environments.
16:00 Panel: Mission Assurance — Resilience, Performance, Cost (FinOps), and Contracting Tradeoffs (R13a) TBA
A closing panel dedicated to the hard tradeoffs: controlling spend without breaking mission performance, designing resilience that survives dependency failures, and writing contracts/SLA language that can be monitored and enforced continuously (not just promised).