Damon Hacker, Vestige President, is presenting to the SAME Mt. Tacoma Post & engineering students at the University of Washington-Tacoma on April 9.

2023 SAME Capital Week

Bethesda North Marriott Hotel & Conference Center
5701 Marinelli Rd, Rockville, MD 20852

Society of American Military Engineers – Capital Week

What to expect: Strategic Discussions, Industry-Government Engagement, and Networking Opportunities

Capital Week provides attendees the opportunity to connect with their fellow SAME members and senior leaders while learning about the upcoming fiscal-year construction programs of the uniformed services and select federal agencies during the DOD & Federal Agency Program Briefings.

The DOD program features the Federal Executive Leaders Panel, including leadership from USACE, NAVFAC, Air Force, and the VA. Discussions centered on the upcoming federal budget, the infrastructure bill, and how growing program requirements will increase the support the services need from industry. Open exclusively to SAME members, the event provides a preview of the coming fiscal-year construction programs of the uniformed services and select federal agencies.

Attend our Pre-Event Workshop:  CMMC 2.0  –  A Deep Dive

Monday, March 27, 2023 from 1 to 5 pm /  2.0 – 4 PDH

We will begin with an overview of the 3 breakout modules: Scoping, Domains, and the CMMC C3PAO audit preparation.

    • Attendees will break into smaller teams to tackle the issues addressed within each module
    • Throughout the workshop you will complete our CMMC Planning Workbook for your organization
    • You’ll discuss, within a team setting, how you’ve dealt with, or will deal with, the 110 security controls within NIST 800-171/CMMC
    • We’ll talk about cultural changes and challenges
    • We’ll share strategies for addressing the 14 Capability Domains
    • If you have created a NIST 800-171/CMMC plan, bring it
    • We’ll take a look at where organizations are struggling and the challenges they’re facing that are similar to yours
    • We have a proven methodology for achieving compliance and we will share it
    • We will wrap up with a presentation by each of the module teams, sharing with the group their conclusions and lessons learned

Module 1 – Scoping

One of the most critical factors in succeeding at CMMC is ensuring you have an answer to the question of scoping.  Scoping is understanding how the framework fits your organization’s individual needs.  Every organization looks a little bit different in terms of its use of technology, its competitive advantages and its unique culture – all things that contribute to what CMMC will look like and how you will achieve compliance for your organization.

For example, do you know whether everyone in your organization needs access to CUI, or only an isolated few?  Knowing this answer will have a profound impact on the decision and direction your organization will take with CMMC.

Our experts will help guide the teams through the scoping conversation.  The groups will discuss what has been tried in their organization and hear about critical considerations for success.

Module 2 – Domains

At each Maturity Level, there are controls that need to be addressed (for example, at Maturity Level 2 there are 110 controls arranged within 14 control families/domains).  The language used by the framework’s authors is not clear, and as a result many organizations falter, as too much is left to the organization’s own interpretation.  Unfortunately, you will be assessed against the DOD’s intent for each control and not how you have interpreted the requirement.  If not done properly from the onset, a misunderstanding of the requirements will likely affect your C3PAO audit and your NIST 800-171 score, and may lead you to collect the wrong evidence.

In addition, there are multiple alternatives available to the organization.  Some of those options depend on the size of an organization, some on its complexity and still others on the organization’s own culture.  We will explore available options for addressing these controls.

In this module, our expert will provide guidance around these requirements by walking through each domain and its set of controls.  Each team will then be given an opportunity to engage in an open discussion about what has worked and what some of the pitfalls are when implementing change within an organization’s ongoing operations.  In addition, we will explore as a group how to shape the conversation for your return to the office.

Module 3 – Putting It All Together

In this module we bring together what you’ve learned in this workshop, to ensure success as you prepare for the C3PAO assessment.  We will explore whether you have properly evaluated your infrastructure, including policies and procedures.  You will determine whether you have well-designed controls, explore how to evaluate and measure execution, and discuss requirements surrounding the evidence.

In our small group breakouts, we will hear about the teams’ collective experiences and challenges with both the C3PAO process and subcontractor compliance.  We will explore the timeline for engaging with a C3PAO, considerations for selecting a C3PAO and special circumstances such as taking advantage of the Joint Surveillance Program.  We’ll talk about what organizations should expect when going through the C3PAO assessment, including the three forms of evidence that will confirm the existence of a security control – interview, observation and testing.  Lastly, we’ll talk about how to make sure you’re ready to support each of the controls and put your best foot forward during the official assessment.

Who Should Attend

    • Individuals responsible for DoD contracts
    • Individuals responsible for protecting Controlled Unclassified Information (CUI)
    • Anyone in the Defense Industrial Base (DIB)
    • Organizations that recognize that compliance with CMMC is not an option when working with the DOD

Why Should You Attend

    • To learn how to succeed with your CMMC compliance
    • To become confident in your ability to meet the demands of the assessment
    • To hear from companies and executives about their successes, and obstacles to becoming compliant
    • To complete a planning workbook with tangible, executable next steps that you can take back to your organization
    • To get a list of applicable resources and a CMMC glossary

Learning Objectives

    • The importance of having a plan of attack for addressing CMMC
    • What applies to your organization and what doesn’t
    • How to avoid unnecessary system rework and the associated costs
    • The value of approaching the journey in an orderly, prioritized fashion
    • How to select a C3PAO and what to expect when going through the official assessment

Speaking

Damon Hacker, President & CEO | Founder
MBA, CISA, CSXF, CMMC-RP

Damon Hacker is President, CEO and co-owner of Vestige Digital Investigations, a leading technology company specializing in CyberSecurity (proactive & reactive as well as compliance), Digital Forensics and Electronically Stored Information (ESI). He brings more than 30 years of experience in the arena, including a background in IT Security and IT Auditing.

He helps to improve the techniques, processes and technology in cybersecurity. He actively assists clients in achieving compliance across multiple cybersecurity frameworks.

Damon is an in-demand speaker on local, state and national levels. He speaks on the subjects of DoD CMMC cybersecurity compliance, IT security, IT auditing, computer fraud, white-collar crime, data breach, non-compete and intellectual property theft.

He earned both his MBA from the Weatherhead School of Management, and his undergraduate degree from Case Western Reserve University, Cleveland, OH. He is a Certified Information Systems Auditor (CISA), holds the CSX Cybersecurity Nexus Fundamentals certification from the Information Systems Audit and Control Association (ISACA), and is a Cybersecurity Maturity Model Certification – Registered Practitioner (CMMC-RP) for U.S. Department of Defense contractor cybersecurity compliance.

Jade Brown, Cybersecurity Analyst
BA, C|EH, GCTI

Jade Brown resides in Beachwood, OH. She earned a Bachelor of Arts Degree in Linguistics from Ohio University in Athens, OH. Jade served as an Ambassador for the Taiwan-U.S. Sister Alliance (TUSA) and was a TUSA Scholarship recipient.  The pattern-thinking style which served Jade well in subjects such as language acquisition and political science enabled her to cultivate her interests in technology, cyber forensics, and threat intelligence.
