DCMMC is a practitioner-led, vendor-neutral CMMC community delivering real security outcomes for the DIB—plus a chance to connect with DC’s defense peers.
February 18, 2026
Panel Sessions: 4:30 - 5:30 PM
Networking Reception: 5:30 - 7:30 PM
1801 Pennsylvania Avenue, NW | 5th Floor | Washington, DC 20006
This inaugural DCMMC event convenes assessors, C3PAOs, DIB leaders, and policy voices to put outcomes back at the center of CMMC. Join us for panel discussions, networking with peers, and walk away with practical guidance and connections that advance credible, outcome-driven CMMC readiness.
04:00 PM - 04:30 PM ET
Check-In / Registration
04:30 PM - 04:40 PM ET
Welcome
04:40 PM - 05:40 PM ET
Panel Sessions
04:40 PM
Defense Over Pretense: Making Audits Easy and Exfiltration Hard
The clock to November 2026 is ticking, and the Defense Industrial Base is drowning in CMMC noise—advisors, assessors, and acronyms piling up while nation‑state adversaries keep walking out with our data. Amid the scramble, one truth is clear: security and compliance are not one in the same. Compliance shows conformance at a point in time; security reduces risk every day. If a control can’t stop exfiltration or meaningfully reduce risk to CUI, why is it in your SSP?
As the Cyber AB scales the ecosystem, variability in assessor approach and technical depth is inevitable. This panel focuses on how to raise the bar without crushing capacity—how DIB organizations can vet for real depth, how assessors can demonstrate technical knowledge and competence, and how we align on evidence that proves data defense, not just documentation.
Moderator:
Juan Salinas,
Manager, Solutions Engineering, Virtru
Speakers:
.jpg)
Stuart Itkin,
CRO & Chief Security Evangelist, FutureFeed
05:10 PM
Pass once, Protect always: Choosing CMMC Level 2 partners who deliver
Shiny badges and quick compliance offers are everywhere. However, Level 2 readiness is an engineering outcome, not a logo. Pick the wrong guide and you’ll buy paperwork while your CUI stays exposed. The right partner designs for containment, proves it with objective evidence, and leaves controls that stand up under assessment methods today and six months from now.
This panel turns consultant selection into evidence‑first buy. We’ll cover how to separate implementers from assessors (and avoid conflicts), what RPO/C3PAO status does and what it means,, and how to vet real technical depth across identity, endpoints, logging, boundary/egress, and enclave strategy. Expect practical buyer tactics: scenario questions that reveal competence, the artifacts to demand (assessment‑objective–mapped evidence, traceable SSPs, risk‑reducing POA&Ms), and SOW language that ties payment to delivered controls and verified evidence.
Moderator:
Andrew Lynch,
Vice President of Sales
Speakers:
/Carissa/Derrich%20Phillips.jpeg)
Derrich Phillips,
Lead CMMC Assessor, Aspire Cyber
05:40 PM - 08:00 PM ET
Networking Reception