Power Breakfast: CMMC & Supply Chain 2026 - Agenda

Securing the Supply Chain and Managing Modern Cyber Threats

7:30 AM EDT

1 HR

Registration, Breakfast & Networking

Pick up your badge and enjoy networking with your peers!

8:30 AM EDT

5 MINS

Welcome & Introduction

Nick Wakeman
Editor-in-Chief
Washington Technology

Washington Technology will kick off the day by introducing our first speaker and setting the stage for today’s discussions.

8:35 AM EDT

30 MINS

From Policy to Practice: CMMC’s Evolution and What It Means for Acquisition

Honorable Kirsten A. Davies
Department of War Chief Information Officer
Department of War (DoW)
Nick Wakeman
Editor-in-Chief
Washington Technology

As CMMC shifts from policy framework to acquisition reality, agencies and contractors are beginning to see how requirements will be enforced in solicitations, evaluations, and contract performance. This session will provide an update on the Phase 1 rollout, how CMMC is being integrated into acquisition and program oversight, and what early implementation is revealing about readiness across the defense industrial base. Hon. Kirsten Davies, CIO at the Department of War, will outline what organizations should prioritize now to prepare for Phase 2, align internal stakeholders, and reduce friction between security, contracting, and mission teams.

9:05 AM EDT

15 MINS
Sonatype

Your CMMC Assessment Follows Your Data, Not Your Org Chart

Tom Tapley
Manager, Federal Programs
Sonatype

CMMC assessment scope follows the data — not the org chart — meaning that Controlled Unclassified Information (CUI) drives what must be protected and assessed, regardless of where it resides or through whom it flows. As CMMC implementation timelines tighten and agencies and contractors wrestle with SBOM expectations and zero-trust mandates, unmanaged vendor risk is emerging as a key finding in third-party assessments and a source-selection differentiator.

In this session, we unpack how assessors and acquisition stakeholders are shifting from a checklist mindset to real-world risk evaluation by probing three failure points across the software supply chain:
Prevent — ensuring intake controls actually stop vulnerable and malicious components before they enter build pipelines, beyond NVD-only blocking;
Govern — documenting and bounding policy exceptions with compensating controls, especially for end-of-life and high-risk components;
Prove — demonstrating compliance as a living signal through continuous monitoring, impact analysis, and reproducible artifacts like SBOMs.
We close with concrete flow-down expectations for primes and vendors alike — including intake controls, exception management discipline, and continuously updated component inventories — and show why visibility into both prime and vendor software supply chains is the essential first step to surviving CMMC assessments. With enforcement tightening, continuous verification of vendor security isn’t optional — it’s a competitive advantage.

9:20 AM EDT

30 MINS

Certification Transition: Navigating ISACA’s New Role in CMMC Assessments

Todd Gagnon
Director, CMMC Assessor and Instructor Certification Organization (CAICO)
ISACA
Nick Wakeman
Editor-in-Chief
Washington Technology

With ISACA now managing CMMC assessor certifications, contractors and assessors alike are adapting to a new landscape. During this session, Todd Gagnon from ISACA will examine how assessor credentialing, training pathways, and quality assurance processes are evolving, and what those changes mean for contractors planning for certification. This session will also address assessor capacity, market readiness, and practical steps organizations can take to position themselves for successful assessments amid growing demand.

9:50 AM EDT

30 MINS

Operationalizing CMMC: Lessons from Early Implementers

JR Williamson
CISO
Leidos
Nick Wakeman
Editor-in-Chief
Washington Technology

Protecting the defense industrial base depends on more than policy; it requires organizations to implement CMMC across every level of operations. This session will feature practitioners and industry leaders sharing real-world lessons from early implementation efforts, including scoping and boundary definition, control prioritization, tooling versus process decisions, and managing cost and timeline expectations. Speakers will discuss common pitfalls, proven approaches, and how organizations can build sustainable cybersecurity programs that strengthen security posture while supporting mission delivery. 

10:20 AM EDT

30 MINS

Beyond DoD: How Civilian Agencies Are Protecting CUI and the Supply Chain

Nick Wakeman
Editor-in-Chief
Washington Technology

As cybersecurity requirements expand beyond the Pentagon, civilian agencies are developing their own frameworks that mirror CMMC. This conversation will explore how agencies are approaching Controlled Unclassified Information (CUI) protection, vendor risk management, and supply chain security. Speakers will discuss where priorities are converging, what contractors should expect in future solicitations, and how organizations can build a unified approach that supports both markets.

10:50 AM EDT

5 MINS

Closing Remarks