A Day with CMMC Assessors (separate registration is required)

Wednesday, May 01 | 8:00AM–4:00PM CT | Nicollet Ballroom D, First Floor
Session Type: Additional Fee Program
Delivery Format: Preconference Workshop

This full-day workshop builds on the community-created System Security Plan (SSP) responses from the 2023 Advanced System Security Plan Workshop (SSP). In 2023, community members found consensus to develop responses to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 controls in a hypothetical shared SSP. In this year’s advanced skill workshop, attendees will gain a better understanding of the preparation required for the eventual third-party Cybersecurity Maturity Model Certification (CMMC) assessment for research enclave(s) and labs by engaging with the Certified CMMC Assessors (CCAs).

This workshop will feature presentations and discussions with CCAs who will share exclusive lessons learned and tips. Content for this workshop is tailored to assess research activities by recognizing the similarities and differences between large prime contractors and higher education institutions. Those attending should expect to gain or build upon their fundamental grasp of cybersecurity compliance requirements for CMMC. This can enable organizational preparation for CMMC assessments in higher education and better preparedness to engage with Certified Third-Party Assessment Organizations (C3PAOs), which can help reduce an institution’s cost to CMMC compliance. Through presentations and group discussions, participants will walk away with expert knowledge of how to best position their institutions in pursuit of CMMC assessment certification.

Expected Outcomes: Participants will walk away with expert knowledge to best position their institution in pursuit of their CMMC assessment certification through presentations and group discussions. 

Agenda: The morning is dedicated to the early foundational work of self-assessing your CMMC enclave. We will then take a deep dive into scoping for your CMMC assessment, as it is the start and end of your assessment journey. How you define each of the asset categories, also determines how closely the assessors are obligated to evaluate each asset. Your defined scope will impact overall costs; it can either keep the costs down for the assessment or it can compound costs with over-scoped security assets.

After addressing scoping, we’ll move to building your SSP for success. This document should serve as guide for assessors and the U.S. Department of Defense (DoD); an SSP done well can save time and money. We’ll address how to approach cross referencing security controls and where to get the biggest bang for the effort within your SSP.

After lunch, the focus becomes preparing for the assessment (and operating within these new procedures, once you become certified). The Certified CMMC Assessors will engage around the other supporting pieces of documentation and how you know you are delivering the proper evidence. We’ll discuss the different ways you could prove you are satisfying the controls. During this topic, you will gain a stronger understanding around the connectedness of both Federal resource documentation and your institution’s documentation.

Finally, we’ll dive into what this relationship will look like with your C3PAO as you proceed in your CMMC assessment journey. This includes prior to committing to a C3PAO, interviewing for their degree of expertise, and fit for assessing a research institution. We’ll address how to prepare your institution’s team for what can happen during your assessment. Finally, after you have acquired your CMMC assessment certification, we will discuss the ongoing efforts to maintain compliance as your certified enclave evolves.

For possible funding support: Please visit www.regulatedresearch.org/cppcworkshop24

The registration fee for this preconference workshop includes:
• Lunch on Wednesday, May 1 from 11:30 a.m. - 12:30 p.m.
• Refreshment breaks
• All workshop materials


  • Carolyn Ellis

    Director, Research Cybersecurity and Compliance, Arizona State University
  • Wendy Epley

    Principal Analyst, Information Security GRC, The University of Arizona
  • Joe Kurlanski

    President, Monarch Information Security Consulting
  • Derrich Phillips

    President & Founder, Aspire Cyber
  • Laura Raderman

    Team Lead, Policy and Compliance Coordinator, Carnegie Mellon University
  • Michael Snyder

    Cybersecurity Assessor, Monarch Information Security Consulting