Loading Events

July 20, 2022

Webinar: The CMMC 2.0 Paradigm and Contractor Supply Chain Risk Management Obligations

  • This event has passed.

Webinar: The CMMC 2.0 Paradigm and Contractor Supply Chain Risk Management Obligations


 12:30 PM – 2:30 PM (EDT)
 Open – 197 places remaining
 No Fee

 Kellie Peterson (703) 277-7750

 Online Meeting (Live)
 A Virginia PTAC Organized or Sponsored event, Contract Management, Government Contracting, Intermediate Level, Introductory Level, Legal Issues, Other, Risk Management, Selling to Government

The Cybersecurity Maturity Model Certification (CMMC) 2.0 Paradigm and Contractor Supply Chain Risk Management Obligations – What should I do, when and how?

Since January 2018, the Defense Department (and now other agencies) has required prime contractors and subcontractors at all tiers to implement NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Between January 2018 and November 2021, the Defense Department issued numerous guidance memoranda regarding NIST-171 and set up an arrangement with the Cybersecurity Maturity Model Certification – Accreditation Board. In turn, the CMMC-AB developed a “CMMC ecosystem” based on NIST-171 and related NIST guidance in order to identify NIST-171 cybersecurity objectives intended for contractors and subcontractors who handle, create or store “controlled unclassified information” or CUI. A significant element of this ecosystem was the creation of an infrastructure which facilitates education, training and third-party assessment leading to the certification of a DIB company’s implementation of CMMC 1.0 compliance.

The Defense Department paused implementation of the CMMC 1.0 program by introducing CMMC 2.0 through an Advanced Notice of Proposed Rulemaking published November 4, 2021. DoD did not pause compliance with FAR 52.204-2 or DFARS 252.204-7012.

Your company’s level of CMMC 2.0 “cyber hygiene” will directly impact your eligibility to contract or subcontract with the Defense Department (and likely non-DoD agencies such as the GSA and the DHS) as well as impact your competitive posture anywhere in the DoD supply or service chain.

In this Program, you will learn about:

  • The prospective CMMC 2.0 schedule;
  • Federal cybersecurity vocabulary: CUI, FCI, CDI, CTI;
  • CUI marking obligations by government personnel and contractor personnel
  • How CMMC 2.0 “Level 1” (the foundational level) effectively applies to all federal agencies;
  • The requirements of FAR 52.204-21 and DFARS 252.204-7012 and the current DFARS 252.204-7019, 7020, and 7021 clauses;
  • DoD’s Assessment Methodology;
  • The Supplier Performance Risk System (SPRS);
  • The DoD guidance available to achieve CMMC 2.0 Level 1 and Level 2 (the advanced level);
  • The available self-assessment programs;
  • The requirements under [Draft] NIST SP 800-172 contained in CMMC Level 3 to address Advance Persistent Threats;
  • The quality of a System Security Plan and the CMMC 2.0 emphasis of a Plan of Action & Milestones)
  • CMMC 2.0, the Cloud and FedRAMP;
  • The government-wide supply chain obligations regarding Chinese sources
    • DoD guidance
    • GSA guidance
  • DoD supply chain obligations regarding Chinese and Russian sources
    • DoD guidance


David Dempsey, founding partner of Dempsey Law, PLLC, with over 43 years of experience in procurement laws, regulations and policies pertinent to contracting with federal, state, and international agencies. David’s practice areas include rights in technical data and software; cybersecurity requirements and obligations; DCAA audits, cost principles; ITAR/EAR export controls, foreign and contingency contracting; OCIs, ethics and corporate compliance; small business size issues; protection of intellectual property and trade secrets; IDIQ contracts; contract management and terminations; Service Contract Act issues; contract litigation and bid protests.

Melissa Ellis is co-owner of Systems Management Enterprises, Inc. (SME) where she is Vice President and CFO. SME is a Virginia-based Information Technology and Security Company providing data center services, managed security, compliance solutions, and technical support to businesses nationwide. Melissa focuses on compliance programs in multiple industries including the Federal contracting world.  Melissa’s background includes Criminal Justice at Radford University and is a Certified HIPAA Professional, Certified Security Awareness Practitioner (CSAP), and a Certified Data Privacy Solutions Engineer (CDPSE). SME is a Registered Provider Organization (RPO) through the CMMC-AB with Registered Practitioners (RP) on staff.  Melissa works closely with companies to understand their specific compliance requirements and has the ability to take what may appear to be an overwhelming process and break it down in manageable and attainable steps.

Webinar information will be sent to registrants prior to the class and will be conducted via GoToWebinar. After registration is complete, your email confirmation will contain the link. You MUST register your name and email and receive the login information and calendar invite before you can join the webinar. You may attend without downloading the software, but please understand your webinar functions may be limited.

By registering for this training event, you consent to having your name and contact information, along with your registration and attendance status shared with the instructor. Instructors do not have access to other confidential client information and often simply use it to send follow-up class materials. As in-kind donors, each instructor has agreed not to use information in any way contrary to the interests of Virginia PTAC, its sponsors, grantors, or clients (you), including but not limited to unauthorized marketing and sales. If you have questions or concerns, please email ptac@gmu.edu to discuss with the host of this training or do not register for this session.

Event Details

Date & Time

July 20, 2022 @ 12:30 pm - 2:30 pm