The defense industrial base is under pressure from every direction—cyber threats, supply chain vulnerabilities, workforce shortages, and a procurement system struggling to keep pace with modern threats. How resilient is the DIB, and what will it take to strengthen it? This Q&A with Mike Derrios, Director of the Greg and Camille Baroni Center for Government Contracting at George Mason University, will take stock of the industrial base that underpins U.S. national security. From the most pressing cybersecurity risks to the talent pipeline challenges that could shape the DIB's long-term capacity, Derrios will offer a practitioner's perspective on where the gaps are and who needs to close them.

The Pentagon's cybersecurity certification program for defense contractors is entering a critical implementation phase, and a new government watchdog report says the Department of Defense needs to do more to prepare for the obstacles ahead. Join us for an exclusive conversation with one of the authors of a newly released GAO report on the Cybersecurity Maturity Model Certification (CMMC) program, which found that while DoD's rollout plans are largely on track, the department has yet to fully account for key external risks. Our guest will walk through the findings and what they mean for contractors navigating CMMC compliance.

CMMC assessment scope follows the data — not the org chart — meaning that Controlled Unclassified Information (CUI) drives what must be protected and assessed, regardless of where it resides or through whom it flows. As CMMC implementation timelines tighten and agencies and contractors wrestle with SBOM expectations and zero-trust mandates, unmanaged vendor risk is emerging as a key finding in third-party assessments and a source-selection differentiator.

In this session, we unpack how assessors and acquisition stakeholders are shifting from a checklist mindset to real-world risk evaluation by probing three failure points across the software supply chain:
Prevent — ensuring intake controls actually stop vulnerable and malicious components before they enter build pipelines, beyond NVD-only blocking;
Govern — documenting and bounding policy exceptions with compensating controls, especially for end-of-life and high-risk components;
Prove — demonstrating compliance as a living signal through continuous monitoring, impact analysis, and reproducible artifacts like SBOMs.
We close with concrete flow-down expectations for primes and vendors alike — including intake controls, exception management discipline, and continuously updated component inventories — and show why visibility into both prime and vendor software supply chains is the essential first step to surviving CMMC assessments. With enforcement tightening, continuous verification of vendor security isn’t optional — it’s a competitive advantage.

With ISACA now managing CMMC assessor certifications, contractors and assessors alike are adapting to a new landscape. During this session, Todd Gagnon from ISACA will examine how assessor credentialing, training pathways, and quality assurance processes are evolving, and what those changes mean for contractors planning for certification. This session will also address assessor capacity, market readiness, and practical steps organizations can take to position themselves for successful assessments amid growing demand.

Protecting the defense industrial base depends on more than policy; it requires organizations to implement CMMC across every level of operations. This session will feature practitioners and industry leaders sharing real-world lessons from early implementation efforts, including scoping and boundary definition, control prioritization, tooling versus process decisions, and managing cost and timeline expectations. Speakers will discuss common pitfalls, proven approaches, and how organizations can build sustainable cybersecurity programs that strengthen security posture while supporting mission delivery.