November 2-3 | Renaissance Arlington Capital View, Virginia, USA

Agenda 2026

Monday, November 2

Day 1

08:00-09:00 Registration

Foyer

09:00-11:00 Conference Sessions

Salon 2

Opening & Foundations: Understanding Federal IoT Cyber Certification (T00)

Moderator: TBA

09:00 | Where the U.S. Cyber Trust Mark Stands in 2026 (T00a) TBA
09:30 | NISTIR 8425 and the Whole-Product Evidence Model for IoT (T00b) TBA
10:00 | The EU Cyber Resilience Act Compliance Roadmap for ICT Manufacturers (T00c) TBA
10:30 | Reusing Assurance Across Markets with SESIP, PSA Certified, and Common Criteria (T00d) TBA

Salon 1

Foundations of SBOM and Federal Software Supply Chain Compliance (W00)

Moderator: TBA

09:00 After OMB M-26-05: What Federal Buyers Will Ask for Now (W00a) Adam Bartolanzo, Principal, Miles & Stockbridge


09:30 | The CISA SBOM Stack in 2026: Minimum Elements, Framing, Sharing, and VEX (W00b) Robert Martin (invited), Outreach Lead, MITRE


10:00 | Supply Chain Risk Oversight: Insights for Contractors in 2026 (W00c) Leo Alvarez, Principal, Baker Tilly


10:30 | SBOM for AI: What Belongs in the Evidence Package (W00d) TBA


11:00-11:30 Networking Break

Foyer

11:30-12:30 Conference Sessions

Panel Discussion (T01)

Leader: Jay Diem, Founder and CEO, SloariX Security

11:30 | Harmonization or Fragmentation? The Global Path for IoT Cyber Certification (T01a) Panelists: TBA
This panel discussion examines where global convergence is real, where it is still aspirational, and where duplication remains economically irrational for developers. Discussion will focus on Cyber Trust Mark, CRA, EUCC, SESIP, PSA Certified, and GCLI as concrete case studies in whether global recognition will emerge through shared requirements, shared evidence, shared registries, or explicit mutual recognition.

Panel Discussion (W01)

Leader: TBA

11:30 | Cloud and Software Supply Chain Risk at Scale (W01a) Panelists: TBA
This panel brings together cloud, open-source, enterprise software, and assurance perspectives to discuss how organizations can manage software supply chain risk at scale. Topics include runtime transparency, customer demands for SBOMs, vulnerability disclosure, cloud shared responsibility, and the operational limits of static compliance artifacts.

12:30-13:30 Networking Lunch

Foyer

13:30-15:30 Conference Sessions

Real-World Practices: Preparing Products for Certification (T02)

Moderator: TBA

13:30 | The Missing Methodology: Applying Common Criteria to Give the Cyber Trust Mark Real Teeth (T02a) Allen Sant, Common Criteria Testing Laboratory Technical Director / Infrastructure Manager, Leidos
14:00 | Cloud, APIs, Mobile Apps, and Data Services in IoT Compliance Scope (T02b) Smita Mahapatra (invited), Security Industry Specialist, Amazon Web Services (AWS)
14:30 | The Conformity Assessment Playbook for IoT Developers (T02c) Leslie Weinstein, Owner, The Cyber Advisor
15:00 | Creating One Evidence Layer for Many Obligations (T02d) TBA

Pilots, Compliance, and Integration (W02)

Moderator: TBA

13:30 | FDA Cyber Devices and SBOMs as Market Access Artifacts (W02a) TBA
14:00 | CMMC Meets NISPOM: How DIB Contractors Can Operationalize Both Without Breaking Their Security Program (W02b) Tim Novy, Sales Executive, ISI
14:30 | Fortifying the Software Supply Chain using ISO 22373 and MITRE System of Trust (W02c) Gaurav Kumar Srivastava, Senior Key Expert (R&D) for Vulnerability Management, Siemens
15:00 | Certified but Unable to Build: The Hidden Risk of Underscoped CMMC Enclaves (W02d) James Harper, CEO, Quatronics

15:30-16:00 Networking Break

Foyer

16:00-17:00 Conference Sessions

Panel Discussion (T03)

Leader: TBA

16:00 | What Product, Cloud, and Certification Leaders Must Fix Before 2027 (T03a) Panelists: TBA

This panel discussion shifts from policy interpretation to operating-model repair. Discussion will focus on ownership boundaries, update governance, vulnerability reporting, evidence maintenance after product changes, the business case for third-party assurance, and the minimum artifacts that developers should have ready for U.S., EU, and multinational go-to-market strategies.

Panel Discussion (W03)

Leader: Shashi Karanam (invited), Senior Assurance Consultant, Comcast 

16:00 | One Evidence Story Across FedRAMP, CMMC, FDA, and EU CRA (W03a) Panelists: TBA

This closing panel will connect SBOM and software transparency to broader certification and compliance programs. The discussion will focus on how vendors can reuse evidence across federal procurement, FedRAMP-style cloud assurance, CMMC supply chain expectations, FDA device submissions, EU CRA obligations, and customer due diligence.

17:00 Adjourn

Tuesday, November 3

Day 2

08:00-09:00 Registration

Foyer

09:00-11:00 Conference Sessions

Salon 2

Market Status and Real-World Cryptography (Q10)

Moderator: TBA

09:00 | From Research Topic to Procurement Deadline (Q10a) TBA
09:30 | NIST PQC Standards in Mid-Transition (Q10b) TBA
10:00 | You Cannot Migrate What You Cannot See (Q10c) TBA
10:30 | Validation Pressure (Q10d) TBA

Salon 1

Foundations of FedRAMP: Program Overview and Quantum Horizons (F10)

Moderator: TBA

09:00 | FedRAMP Certification in 2027, a 3PAO Vantage Point (F10a) Jim Neidich, VP, Cybersecurity Services, Kratos Defense and Security Solutions
09:30 | What NIST SP 800-53 Release 5.2.0 Means for FedRAMP Rev5 and Cloud Product Teams (F10b) TBA
10:00 | OSCAL in Production: From Compliance Documents to Machine-Readable Security Evidence (F10c) TBA
10:30 | From FedRAMP to NIS2: What Compliance Work You Can Reuse (F10d) Max Schiessl, Amazon Web Services (AWS)

11:00-11:30 Networking Break

Foyer

11:30-12:30 Conference Sessions

Panel Discussion (Q11)

Leader: TBA

11:30 | Cloud and Identity Under PQC (Q11a) Panelists: TBA

Discussion will focus on what breaks or changes first in SaaS, PaaS, and IaaS: TLS handshakes, KMS and HSM dependencies, PKI, certificate lifecycle, APIs, JWTs, code signing, tenant defaults, and the performance/interoperability trade-offs in real deployments.

Panel Discussion (F11)

Leader: TBA

11:30 | Independent Assessment Services After the 3PAO Reset (F11a) Panelists: TBA

Discussion will cover the FedRAMP Consolidated Rules that took effect July 4, 2026, A2LA dependence, performance standards, staff qualifications, foreign-interest reporting, remediation exposure, and the two-year advisory-separation rule that directly affects how providers shop for assessment and prep support.

12:30-13:30 Networking Lunch

Foyer

13:30-15:30 Conference Sessions

PQ Implementation & Outlook (Q12)

Moderator: TBA

13:30 | How the EU and Other Governments Are Setting the Pace (Q12a) TBA
14:00 | The Future of Cryptographic Infrastructure (Q12b) TBA
14:30 | Securing Manufacturing in the Post-Quantum Era (Q12c) Aliza Maftun, Senior Key Expert – Supply Chain Security, Siemens
15:00 | The 24-Month Action Plan for SaaS, PaaS, IaaS, and Software Products (Q12d) Kevin Micciche, Senior Manager, Product Security, Aruba, A Hewlett Packard Enterprise Co.

Vendor and Implementation Perspectives: Lessons from the Field (F11)

Moderator: TBA

13:30 | AI Compliance in Cloud Environments: Preparing for Emerging Federal Certification Standards (F12a) Camille Gloster, CEO and Founder, CAS Strategies


14:00 | AI Certification: Navigating What Comes Before the Standard Exists (F12b) Morteza Irdmousa, VP of Engineering and AI, ISI


14:30 | The 20x Authorization Gap: What CSPs Risk Missing and What AOs Need to Ask (F12c) Tony Bai, Chief Solutions Officer, RISCPoint


15:00 | What We Learned Turning FedRAMP 20x Into Software (F12d) Sam Leestma, Vice President of Solutions Engineering, 38North Security


15:30-16:00 Networking Break

Foyer

16:00-17:00 Conference Sessions

Panel Discussion (Q13)

Leader: Neil Horman (invited), Software Engineer, OpenSSL Corp.

16:00 | Who Owns the Migration? (Q13a) Panelists: TBA

A discussion focusing on governance. The real blockers are usually organizational: product versus platform, engineering versus compliance, procurement versus architecture, and customer commitments versus standards reality. This panel will provide practical answers about ownership, sequencing, and evidence.

Panel Discussion (F13)

Leader: Andrew Freund (invited), Founder & CEO, Kraken Compliance

16:00 | Scaling Federal Trust Without Re-Creating Compliance Theater (F13a) Panelists: TBA

Discussion will focus on key issues: How to scale FedRAMP to many more services without losing rigor, while reducing duplicated effort across frameworks, parties, and evidence formats.

17:00 Adjourn