Society of American Military Engineers – Capital Week
What to expect: Strategic Discussions, Industry-Government Engagement, and Networking Opportunities
Capital Week provides attendees the opportunity to connect with their fellow SAME members and senior leaders while learning about the upcoming fiscal-year construction programs of the uniformed services and select federal agencies during the DOD & Federal Agency Program Briefings.
The DOD program features the Federal Executive Leaders Panel, including leadership from USACE, NAVFAC, Air Force, and the VA. Discussions centered on the upcoming federal budget, the infrastructure bill, and how growing program requirements will increase the support the services need from industry. Open exclusively to SAME members, the event provides a preview of the coming fiscal-year construction programs of the uniformed services and select federal agencies.
Attend our Pre-Event Workshop: CMMC 2.0 – A Deep Dive
Monday, March 27, 2023 from 1 to 5 pm / 2.0 – 4 PDH
We will begin with an overview of the 3 breakout modules: Scoping, Domains, and the CMMC C3PAO audit preparation
- Attendees will break into smaller teams to tackle the issues addressed within each module
- Throughout the workshop you will complete our CMMC Planning Workbook for your organization
- You’ll discuss, within a team setting, how you’ve dealt with, or will deal with, the 110 security controls within NIST 800-171/CMMC
- We’ll talk about cultural changes and challenges
- We’ll share strategies for addressing the 14 Capability Domains
- If you have created a NIST 800-171/CMMC plan, bring it
- We’ll take a look at where organizations are struggling and the challenges they’re facing that are similar to yours
- We have a proven methodology for achieving compliance and we will share it
- We will wrap up with a presentation by each of the module teams, sharing with the group their conclusions and lessons learned
Module 1 – Scoping
One of the most critical factors in succeeding at CMMC is ensuring you have an answer to the question of scoping. Scoping is understanding how the framework fits your organization’s individual needs. Every organization looks a little bit different in terms of its use of technology, its competitive advantages and its unique culture – all things that contribute to what CMMC will look like and how you will achieve compliance for your organization.
For example, do you know whether everyone in your organization needs access to CUI, or only an isolated few? Knowing this answer will have a profound impact on the decision and direction your organization will take with CMMC.
Our experts will help guide the teams through the scoping conversation. The groups will discuss what has been tried in their organization and hear about critical considerations for success.
Module 2 – Domains
At each Maturity Level, there are controls that need to be addressed. (For example, at Maturity Level 2 there are 110 controls arranged within 14 control families/domains.) The language used by the framework’s authors is not clear, and as a result many organizations falter, as too much is left to the organization’s own interpretation. Unfortunately, you will be assessed against the DOD’s intent for each control and not against how you have interpreted the requirement. If not addressed properly from the outset, a misunderstanding of the requirements will likely affect your C3PAO audit and your NIST 800-171 score, and creates the potential to collect the wrong evidence.
In addition, there are multiple alternatives available to the organization. Some of those options depend on the size of an organization, some on its complexity and still others on the organization’s own culture. We will explore available options for addressing these controls.
In this module, our expert will provide guidance around these requirements by walking through each domain and its set of controls. Each team will then be given an opportunity to engage in an open discussion about what has worked and what some of the pitfalls are when implementing change within an organization’s ongoing operations. In addition, we will explore as a group how to shape the conversation for your return to the office.
Module 3 – Putting It All Together
In this module we bring together what you’ve learned in this workshop, to ensure success as you prepare for the C3PAO assessment. We will explore whether you have properly evaluated your infrastructure, including policies and procedures. You will determine whether you have well-designed controls, explore how to evaluate and measure execution, and discuss requirements surrounding the evidence.
In our small group breakouts, we will hear about the teams’ collective experiences and challenges with both the C3PAO process and subcontractor compliance. We will explore the timeline for engaging with a C3PAO, considerations for selecting a C3PAO and special circumstances such as taking advantage of the Joint Surveillance Program. We’ll talk about what organizations should expect when going through the C3PAO assessment, including the three forms of evidence that will confirm the existence of a security control – interview, observation and testing. Lastly, we’ll talk about how to make sure you’re ready to support each of the controls and put your best foot forward during the official assessment.
Who Should Attend
- Individuals responsible for DoD contracts
- Individuals responsible for protecting Controlled Unclassified Information (CUI)
- Anyone in the Defense Industrial Base (DIB)
- Organizations that recognize that compliance with CMMC is not an option when working with the DOD
Why Should You Attend
- To learn how to succeed with your CMMC compliance
- To become confident in your ability to meet the demands of the assessment
- To hear from companies and executives about their successes, and obstacles to becoming compliant
- To complete a planning workbook with tangible, executable next steps that you can take back to your organization
- To get a list of applicable resources and a CMMC glossary
- The importance of having a plan of attack for addressing CMMC
- What applies to your organization and what doesn’t
- How to avoid unnecessary system rework and the associated costs
- The value of approaching the journey in an orderly, prioritized fashion
- How to select a C3PAO and what to expect when going through the official assessment