Power Breakfast: Securing the Supply Chain and Managing Modern Cyber Threats - Agenda

Securing the Supply Chain and Managing Modern Cyber Threats

7:30 AM EDT, 1 HR

Registration, Breakfast & Networking

Pick up your badge and enjoy networking with your peers!

8:30 AM EDT, 5 MINS

Welcome & Introduction

Nick Wakeman
Editor-in-Chief
Washington Technology

Washington Technology will kick off the day by introducing our first speaker and setting the stage for today’s discussions.

8:35 AM EDT, 30 MINS

Transformational Technology and Priorities of the DoW CIO

Honorable Kirsten A. Davies
Department of War Chief Information Officer
Department of War (DoW)

During this keynote address, Hon. Kirsten Davies will discuss the efforts underway in the Department and her office to transform IT, Cyber, and C3 initiatives to support making the U.S. military the most ready and lethal in the world. Hon. Davies will highlight how the CIO’s office is aligning programs and policy to drive change across the Department and support the Arsenal of Freedom. She will highlight the criticality of DIB Cybersecurity and how industry can support the nation’s Warfighters. Finally, she will provide her thoughts on critical initiatives ranging from OT Security to the cyber workforce.

9:05 AM EDT, 15 MINS
Sonatype

Your CMMC Assessment Follows Your Data, Not Your Org Chart

Tom Tapley
Manager, Federal Programs
Sonatype

CMMC assessment scope follows the data — not the org chart — meaning that Controlled Unclassified Information (CUI) drives what must be protected and assessed, regardless of where it resides or through whom it flows. As CMMC implementation timelines tighten and agencies and contractors wrestle with SBOM expectations and zero-trust mandates, unmanaged vendor risk is emerging as a key finding in third-party assessments and a source-selection differentiator.

In this session, we unpack how assessors and acquisition stakeholders are shifting from a checklist mindset to real-world risk evaluation by probing three failure points across the software supply chain:
Prevent — ensuring intake controls actually stop vulnerable and malicious components before they enter build pipelines, beyond NVD-only blocking;
Govern — documenting and bounding policy exceptions with compensating controls, especially for end-of-life and high-risk components;
Prove — demonstrating compliance as a living signal through continuous monitoring, impact analysis, and reproducible artifacts like SBOMs.
We close with concrete flow-down expectations for primes and vendors alike — including intake controls, exception management discipline, and continuously updated component inventories — and show why visibility into both prime and vendor software supply chains is the essential first step to surviving CMMC assessments. With enforcement tightening, continuous verification of vendor security isn’t optional — it’s a competitive advantage.

9:20 AM EDT, 30 MINS

Certification Transition: Navigating ISACA’s New Role in CMMC Assessments

Todd Gagnon
Director, CMMC Assessor and Instructor Certification Organization (CAICO)
ISACA
Nick Wakeman
Editor-in-Chief
Washington Technology

With ISACA now managing CMMC assessor certifications, contractors and assessors alike are adapting to a new landscape. During this session, Todd Gagnon from ISACA will examine how assessor credentialing, training pathways, and quality assurance processes are evolving, and what those changes mean for contractors planning for certification. This session will also address assessor capacity, market readiness, and practical steps organizations can take to position themselves for successful assessments amid growing demand.

9:50 AM EDT, 30 MINS

Operationalizing CMMC: Lessons from Early Implementers

Tom Terjeson
Chief Information Officer
Peraton
JR Williamson
CISO
Leidos
Nick Wakeman
Editor-in-Chief
Washington Technology

Protecting the defense industrial base depends on more than policy; it requires organizations to implement CMMC across every level of operations. This session will feature practitioners and industry leaders sharing real-world lessons from early implementation efforts, including scoping and boundary definition, control prioritization, tooling versus process decisions, and managing cost and timeline expectations. Speakers will discuss common pitfalls, proven approaches, and how organizations can build sustainable cybersecurity programs that strengthen security posture while supporting mission delivery.

10:20 AM EDT, 5 MINS

Closing Remarks