09:00 Welcome and Introduction (P00a) Melissa Kaiser, Director, Compliance, SOCSoter
09:10 Government Keynote (P00b) SPEAKER TBA
09:40 Industry Keynote: Stories from the Front Lines (P00c) Stacy High Brinkley, Sr Mgr, Industry Spec Svcs, BDO
11:00 When Code Becomes CUI: Conducting CMMC Assessments on Custom Software (M01a) Kyle Lai, President and CISO, KLC Consulting
11:30 What Not to Miss When Scoping CUI in Your Environment (M01b) Rachel Bassford, CUI Consultant, DEFCERT [60 Min]
11:00 Understanding the Realities of Continuous Monitoring for the Affirming Official (D01a) George Perezdiaz, Managing Director & Lead CMMC Assessor, PEREZDIAZ [30 Min]
11:30 Engineering for Verification: The Technical Realities of Passing CMMC (D01b) Scott Whitehouse, VP, Compliance, C3 Integrated Solutions [60 Min]
| C3PAO Perspectives (K01) |
| Moderator: Scott Bernoudy, Founder and CEO, Open Approach |

11:00 CMMC Vendor Playbook: How to Select a Trusted C3PAO, MSP, CSP, or RPO (K01a) Andrew Freund, Founder & CEO, Kraken Compliance
11:30 Lessons from a C3PAO: Top 10 Insights from the First CMMC Assessments (K01b) Michael Brooks, CMMC Strategy & Engagement Director, A-LIGN
12:00 An Assessor's View on False Starts (K01c) Victor Cich, Sr. Compliance Consultant, RADICL
13:30 CMMC Guidance from a DOD Perspective (L02a) Derrick Davis, Senior Fellow of the CREM Institute at UMBC
14:00 Panel Discussion: Forecasting CMMC for 2026 and Beyond (L02b) Leader: Alexander Major, Partner, Co-Chair, Government Contracts & Global Trade Practice, McCarter & English, LLP; Panelists: Tom Tollerton, Principal, Forvis Mazars US; Stuart Itkin, Chief Security Evangelist, Futurefeed [60 Min]
| CMMC Assessments (M02) |
| Moderator: Scott Bernoudy, Founder and CEO, Open Approach |

13:30 CMMC Assessment Process (CAP) (M02a) Fernando Machado, Managing Principal/CISO, Cybersec Investments
14:00 What to Do (and Not Do) in a CMMC Assessment (M02b) Derek Kernus, CEO, Aethon Security Consulting
14:30 Top 5 Issues of CMMC Level 2 Assessments (M02c) Carter Schoenberg, Lead Assessor and CSO, Soundway Consulting
13:30 Multi-Framework Intelligence: Reusing CMMC Evidence Across ISO 27001, SOC 2, and Beyond (E02a) Justin Beals, CEO & Founder, Strike Graph
14:00 Closing the Readiness Gap: What CMMC Assessments Reveal About Contractor Preparedness (E02b) Bill Wootton, Chief Revenue Officer, C3 Integrated Solutions [60 Min]
15:30 CMMC, NATO, and Allied Cyber Standards: Managing Defense Compliance Across the Atlantic (L03a) Curtis Chappell, Vice President, Security, Thales Defense & Security, Inc. (TDSI)
16:00 A Trusted Ecosystem Is Essential for Building and Maintaining a Low-Cost & Effective Compliance Program (L03b) Leslie Weinstein, Owner, The Cyber Advisor
16:30 CMMC’s Here, but Is My Supply Chain Ready?: Understanding and Allocating the Risk Presented by CMMC’s Mandatory Flowdown Requirements (L03c) Roger Abbott, Co-chair of the ABA Public Contract Law on Cybersecurity and Emerging Technologies, Miles & Stockbridge
15:30 If It Isn’t Documented, It Doesn’t Exist (M03a) Stuart Itkin, Chief Security Evangelist, Futurefeed
16:00 TBA (M03b) Speaker TBA
16:30 Insights From Real World CMMC DIB Assessments (M03c) Ali Pabrai, Lead CCA, CCP, RPA, RP, CISSP (ISSAP, ISSMP), HITRUST CCSFP, MSEE, ecfirst
15:30 What Is the Assessor Looking for? Avoiding Pitfalls in Your CMMC Assessment (E03a) David Bedard, Director of Compliance, KTL Solutions
16:00 Say WHAT? – Inside the Mind of a CMMC Certified Assessor (E03b) James Goepel, Executive Vice President, Peak Infosec [60 Min]
09:00 NIAP – CCEVS/PP Update (R00a) CSfC PMO Speaker TBA
The official U.S. scheme update: current NIAP/CCEVS priorities, Protection Profile (PP) roadmaps, what’s changing operationally for evaluations and maintenance, and what defense buyers should expect to see on the PCL over the next 12–18 months.
09:30 Differences Between NDcPP v3.0e and v4.0 (R00b) Kristy Knowles, Security Research Engineering Technical Leader, Cisco
A practical “what’s different now” briefing on CC:2022-era planning: how PP transitions and evolving mutual recognition expectations will impact product strategy, multi-market certification decisions, and schedule risk for DIB suppliers.
10:00 Lessons Learned from Recent Certifications: Reducing Rework in Scope, Evidence, and Crypto Dependencies (R00c) Justin Fisher, CCTL Technical Director, Leidos
Case-study-driven guidance on what actually causes rework late in evaluations: mis-scoped TOE boundaries, evidence gaps, configuration drift, and crypto-validation dependencies—and how successful teams structure engineering and documentation to keep moving.
10:30 Mapping Common Criteria to CSfC, RMF, FedRAMP, and CMMC: How to Cut Duplicate Compliance Work (R00d) Joshua Anzaroot, Principal, JLS Consulting Group; Jussipekka Leiwo, Principal Consultant, Teron Labs
A crosswalk from CC deliverables (PP claims, Security Target assertions, evidence) to what integrators and authorizers need in CSfC and RMF packages—plus where FedRAMP and CMMC efforts can be leveraged instead of repeated.
11:30 Panel: Common Criteria in the DIB—What Buyers, Integrators, Vendors, and Labs Need to Fix Next (R01a) Leader: Shaunak Shah, Manager, Engineering, Intertek Acumen Security/EWA Canada; Panelists: Kristy Knowles, Security Research Engineering Technical Leader, Cisco; Jordan Phillips, Software Engineer, wolfSSL
A candid, operational panel on the friction points everyone feels: PP scope realities, scheduling bottlenecks, sustaining certification in a high-CVE world, and what procurement, labs, and vendors can change that would measurably reduce cost and time without lowering assurance.
13:30 Common Criteria Best Practices for Vendors: Helping your Friendly Neighbourhood Labs Ensure a Smooth Evaluation (R02a) Shaunak Shah, Manager, Engineering, Intertek Acumen Security/EWA Canada
Practical best practices vendors can follow to streamline Common Criteria evaluations. Spanning development to post-evaluation phases, this talk emphasizes early planning involving collaborative gap analysis, and proactive issue resolution. Intended for vendors of all experience levels.
14:00 Vulnerability Handling & Assurance Continuity: Staying Certified While Patching Fast (R02b) Herbert Markle, CC Technical Director and Lead DoDIN APL Consultant, Booz Allen Hamilton
Straight talk about CVEs in certified products: how vendors and labs handle "security-relevant" vulnerabilities, how to avoid certification derailment, and how to build patch workflows that satisfy customers, integrators, and scheme expectations.
14:30 SBOM Under NIAP: What Evaluators Expect and How to Automate for Speed and Trust (R02c) TBA
SBOM as a certification input: what "good" looks like for NIAP submission and review, common failure modes, and how vendors can automate SBOM generation and dependency hygiene to shorten cycles and improve supply-chain visibility.
15:00 CCUF and Technical Communities: How to Influence the Next Generation of Protection Profiles (R02d) Brian Wood, Program Manager, Google
How CCUF and iTC work actually drives PP direction—and how product developers, cloud providers, integrators, and labs can get ahead of new requirements in emerging domains (cloud-native architectures, virtualization, IoT/embedded).
16:00 Panel: The Future of Common Criteria—CC:2022 Rollout, Automation, PQ, and New Domains (R03a) Leader: Tom Benkart, Archon Director of Cyber Certifications, ID Technologies, A CACI Company; Panelists: Brian Wood, Program Manager, Google; Allen Sant, Common Criteria Testing Laboratory Technical Director / Infrastructure Manager, Leidos; Ed Morris, Lab Director, Gossamer Security Solutions
A forward-looking strategy discussion focused on what will change next: CC:2022 transitions, evidence automation, SBOM/vulnerability-intelligence integration, and emerging technical domains (including PQ readiness and virtualization/cloud-native boundary problems).
09:00 Conference Welcome (P10a) Dominic Perez, CTO, Curtiss-Wright
09:10 CSfC PMO Introduction (P10b) John Dunker, Director CSfC PMO, National Security Agency (NSA)
09:20 Government Keynote (P10c) TBA
09:50 Industry Keynote (P10d) Derek Strausbaugh, CTO, National Security, Microsoft Federal
11:00 CSfC PMO Program Updates and Process Improvements; Ask the PMO Panel (P11a) John Dunker, Director, CSfC Program Management Office, Panelists TBA
13:00 CSfC Components List Process (N12a) TBA, CSfC PMO, National Security Agency (NSA)
14:00 CSfC Solution Registration Process Overview (N12b) TBA, CSfC PMO, National Security Agency (NSA) [60 Min]
| Integrators Experience (S12) |
| Moderator: TBA |
13:00 CSfC Trusted Integrator Process (S12a) TBA, CSfC PMO, National Security Agency (NSA)
13:30 Panel Discussion: Trusted Integrator (TI) Perspective (S12b) Leader: Fred Elliott, Sr. Manager, Business Development, Curtiss-Wright; Panelists: Mohammed Abaza, Partner, VP Engineering, Limitless Defense LLC; Daniel Birenkott, Director of Operations, IT Veterans; Eric Gursky, CISSP, C|EHv8, Group Lead, Commercial Solutions for Classified Trusted Integrator Team, Cryptographic Modernization Branch, Engineering and Systems Integration Directorate, C5ISR Center, U.S. Army Combat Capabilities Development Command (DEVCOM); Keith Stacy, Managing Director, Networking Practice, Iron Bow Technologies [60 Min]
13:00 Forging the Future (C12a) Darnell Washington, President and CEO of SecureXperts, Incorporated
13:30 Enabling Data at Rest Protection for High-Speed Tactical Edge Operations (C12b) Manuel Offenberg, CTO Chief Architect, RedData, a division of RPI-CS, Inc.; Jonathan Halstuch, Chief Technology Officer, RackTop Systems, Inc.
14:00 USMC Lessons Learned (C12c) Christopher Port, USMC Network Engineering Officer, United States Marine Corps (USMC)
15:00 CSfC EUD Composition Guidance Addendum 2.0.0 and Retransmission Device Protection Profile (N13a) TBA, CSfC PMO, National Security Agency (NSA) [60 Min]
16:00 CSfC Engineering Capability Package & Annex Roadmap (N13c) TBA, CSfC PMO, National Security Agency (NSA) [60 Min]
| PQ Cyber (Q13) |
| Moderator: TBA |
15:00 CSfC CNSA 2.0 Post Quantum Implementation Roadmap (Q13a) TBA, CSfC PMO, National Security Agency (NSA)
15:30 PQC Migration for Federal Agencies—Mandates, Architecture, and an Actionable Playbook (Q13b) Suprotik Ghose, CISO, Graphene Security
16:00 Post Quantum Cryptography – Much Ado About… Something? (Q13c) Joshua Marpet, Chief Compliance Officer, Cyturus [60 Min]
| CSfC in Practice (C13) |
| Moderator: TBA |
15:00 Identity and Access Control Gaps that Derail CSfC and CMMC Implementations (C13a) Herbert Decker, Cybersecurity Practitioner and Security Strategist, Tretechpro
15:30 The Route to True Drive Encryption Integrity (C13b) Conner Crisafulli, Field Solutions Engineer, Cigent
16:00 Panel Discussion: Enabling iPad and iPhone Classified Mobility (C13c) Daniel Odonohue, EVP, Owl Cyber Defense [60 Min]
09:00 DIB Cloud Compliance Reality Check (CMMC + DFARS + FedRAMP Reuse) (R10a) Bhanu Jagasia, Founding Samurai, Chief Executive Samurai & Chief Technology Samurai, bladestack.io
A walkthrough of what “compliant cloud” means for DIB products in 2026: scoping boundaries, evidence expectations, typical failure modes, and how to avoid building a “compliance dead-end” architecture that can’t sustain CMMC + DoD + FedRAMP demands.
09:30 FedRAMP Modernization — What Changes for Product Teams and Compliance Ops (R10b) Josh Blaher, Manager, Product Security Engineering, Red Hat
Operator impacts of OMB M-24-15: "presumption of adequacy," reuse expectations, what evidence should become machine-readable, and how product teams should design release processes for continuous monitoring rather than episodic "ATO sprints."
10:00 DoD Cloud SRG Impact Levels — Designing for IL4/IL5 and the Authorization Path (R10c) TBA
What IL4/IL5 mean for architecture and business strategy: where vendors blow it (connectivity constraints, identity boundary assumptions, multi-tenant risk), and how to align cloud-native design with the DoD cloud authorization process and SRG expectations.
10:30 DoD Zero Trust by FY27 — Vendor Requirements for Identity, Devices, Data, Telemetry (R10d) Sean Frazier, Federal CSO, Okta
A vendor-focused translation of Zero Trust: what DIB product teams must support (identity signals, device posture, data tagging/controls, continuous telemetry), what “target level by FY27” implies for roadmaps, and how vendors can avoid building non-interoperable “one-off” ZT features.
11:30 Panel: One Evidence Story Across CMMC, DFARS 7012, FedRAMP, and DoD PA/ATO (R11a) Leader: Michael Brooks, CMMC Strategy & Engagement Director, A-LIGN; Panelists: Roger Abbott, Co-chair of the ABA Public Contract Law on Cybersecurity and Emerging Technologies, Miles & Stockbridge; Justin Beals, CEO & Founder, Strike Graph; Bryan Bowlsbey, Director, CGI Federal, US Defense Business Unit; Daniel Turissini, Cyber Security Specialist, Certified CMMC Assessor (CCA), Educare of Northern Virginia
A working session on the hard part: building a single, defensible authorization boundary and evidence narrative that satisfies overlapping frameworks without duplicative audits and rework. Expect concrete discussion of SSP boundaries, inherited controls, evidence automation, and what “continuous monitoring” means in the real world.
13:30 Cloud Services Network/Security Monitoring (R12a) Carl Rios, Chief Executive Officer, Founder, Rios Enterprises
Effective monitoring is critical to securing cloud environments that support Defense Industrial Base operations. This talk will explore strategies for network and security monitoring across cloud services, with a focus on visibility, threat detection, and compliance.
14:00 Access Through Zero Trust-Aligned Approaches (R12b) Patrick Perry, Director of Emerging Technology, Zscaler
Organizations must rethink how users, devices, and applications securely access cloud and enterprise resources. This talk will examine how zero trust-aligned approaches are transforming access models across the Defense Industrial Base.
14:30 Cloud & Software Supply Chain Risk — SBOM/Attestation at Scale and Third-Party Reality (R12c) John Osborne, Senior Principal Solutions Engineer, Chainguard
SBOM is not the finish line. This talk focuses on operationalizing SBOMs, signing/attestation, third-party dependency governance, and what the DIB should learn from incidents where the supply chain or a cloud dependency became the outage/root cause.
15:00 Zero-Trust Architecture in Cloud Services (R12d) Richard Breakiron, Senior Director, Strategic Initiatives and Executive Programs, Commvault
Zero-Trust Architecture is rapidly becoming a cornerstone of secure cloud adoption across the Defense Industrial Base. This talk will explore how zero-trust principles—continuous verification, least-privilege access, and data-centric security—are being applied to modern cloud environments supporting DoD missions.
16:00 Panel: Mission Assurance — Resilience, Performance, Cost (FinOps), and Contracting Tradeoffs (R13a) Leader: TBA; Panelists: Sridhar Balasubramanian, Principal Product Security Architect, NetApp; Derrick Davis, Senior Fellow of the CREM Institute at UMBC; Joshua Fallon, Senior Network Defense Analyst, Monitoring & Response Directorate, CERT Division, Software Engineering Institute, Carnegie Mellon University; Adam Golodner, Managing Partner, AMG Global Cyber Law, PLLC
A closing panel dedicated to the hard tradeoffs: controlling spend without breaking mission performance, designing resilience that survives dependency failures, and writing contracts/SLA language that can be monitored and enforced continuously (not just promised).