TECHEX

Welcome to the Spring 2025 iteration of the DC3 DIB (Defense Industrial Base) Cybersecurity (CS) Technical Exchange (TechEx). Our theme, Resilience, reflects a core truth about our mission and our community: strength is not defined by an absence of challenges, but by the way we confront adversity, learn, adapt, and emerge stronger together.

This year, we draw visual and thematic inspiration from the Japanese art of Kintsugi, the practice of repairing broken pottery with gold. Rather than disguising the damage, Kintsugi highlights the fracture lines, honoring them as part of the object’s history and transformation. It is a powerful metaphor for our work in cybersecurity: acknowledging complexity, confronting risk, and building back stronger each time, with more wisdom, capability, and unity than before.

The insights and experiences the DIB shares with DC3 are the gold that strengthens our collective defense. Together, we are shaping a more secure and resilient future for the DoD and the DIB.

Over the next two days, participants will take part in a wide-ranging series of discussions focused on advancing cybersecurity, safeguarding our shared networks, and enhancing collaboration. We encourage open, thoughtful engagement across all sessions, and look forward to hearing your perspectives as we shape the path forward.

At DC3, our mission is to deliver innovative capabilities and world-class expertise in support of the warfighter. We are grounded in the same enduring values that inspired those who came before us: integrity, service, and commitment to a cause greater than ourselves.

Thank you for your continued participation and for your unwavering dedication to national security. We look forward to a dynamic and inspiring TechEx.


AGENDA

📅 Day 1 – Tuesday June 10, 2025

8:00-9:00 AM
Check in and Registration
9:00-9:30 AM
Housekeeping and security, opening remarks - Mr. Joshua Black, DC3 Deputy Executive Director; Mr. Terry Kalka, DCISE Director
9:30-10:00 AM
DCISE Threat Brief - Jason Koehn, DC3 DCISE
10:00-10:15 AM
Break
10:15-11:00 AM
Doing More with Less: Using Automation to Increase Cybersecurity Capabilities and Drive Efficiencies in the Absence of Manpower and Money - Jess Parnell and Kristen DeBruler, GTRI
11:00-11:15 AM
Break
11:15 AM-12:00 PM
Transitioning to a New EDR Platform - Greg Toussaint, L3Harris
12:00-1:00 PM
Lunch
1:00-1:30 PM
Puzzled Prince: Enhancing Payload Weaponization - Cullen Rezendes, DC3 CFL
1:30-1:45 PM
Break
1:45-2:15 PM
Reducing Risk from Edge Device Exploitation - Emily Skahill and Chris Schmaltz, CISA
2:15-2:25 PM
Break
2:25-2:55 PM
Shared Secrets: Hunting Credentials and PII in Open File Shares - Brandon Helton, L3Harris
2:55-3:05 PM
Break
3:05-3:50 PM
Resilience in Action: Your Guide to DIB-VDP Readiness - Kelly Salisbury and Damia Sharp, DC3 VDP
3:50-4:00 PM
Break
4:00-4:45 PM
SPRS: Best Practices and Myth Busting - Wayne Boline, RTX and John Duncan, USN

📅 Day 2 – Wednesday June 11, 2025

8:00-9:00 AM
Check in and Registration
9:00-9:10 AM
Housekeeping and security, opening remarks
9:10-9:40 AM
DCISE3 vs. ENSITE: A Comparative Analysis - Alan Savage, DC3 OED, and Nicholas Roesch, DC3 DCISE
9:40-9:50 AM
Break
9:50-10:20 AM
Zero Trust Architecture - Kenneth Smoyer, ManTech International
10:20-10:30 AM
Break
10:30-11:15 AM
Lessons Learned from Compliance & Regulatory Assessments - Dr. Thomas Autry, Northrop Grumman Corporation
11:15-11:25 AM
Break
11:25-11:55 AM
Navigating the Security Landscape of AI (LLMs, RAG and MCP) - William Glodek, Breakpoint Labs
11:55 AM-1:00 PM
Lunch
1:00-1:45 PM
OP MAGNUS: REDLINE INFOSTEALER - Eddie Kiper, DCIS
1:45-2:00 PM
Break
2:00-2:30 PM
CMMC: Its Origins and why YOUR Company Needs to Act - Shawn Dickman, DTC, LLC
2:30-2:40 PM
Break
2:40-3:30 PM
Demystifying CMMC: Navigating Compliance and Achieving Certification - Katie Dodson, Hive Systems
3:30-3:40 PM
Break
3:40-4:15 PM
Down the Rabbit Hole: Community Analytics from the DCISE3 Platform - John DiGerolamo, Celerium

ABSTRACTS

Best Practices


Lessons Learned from Compliance & Regulatory Assessments

Dr. Thomas Autry, Northrop Grumman Corporation

As cyberattacks increase around the globe, countries are increasingly requiring contractors to provide self- or third-party assessments prior to any contract award. In the US, DoD contractors have been required for several years to assess their organizations against NIST SP 800-171 revision 2 and submit self-assessment scores. Now, with CMMC, many will be required to obtain third-party assessments prior to contract award once the final pieces of the regulation are released. This briefing aims to present these concepts from a different perspective and to provide lessons learned and best practices to help other organizations prepare for their assessments.


Transitioning to a New EDR Platform

Greg Toussaint, L3Harris

Transitioning from one Endpoint Detection and Response (EDR) tool to another is a critical undertaking that can significantly impact an organization's cybersecurity posture. In this presentation, we will walk through our experience migrating from Trellix HX to SentinelOne, although the presentation is relevant to any EDR tool. We will highlight the strategic decisions, technical challenges, and lessons learned throughout the process. We will explore what drove the change, the evaluation criteria we used, and how we managed the deployment and integration phases. Attendees will gain insights into what worked well and what we would approach differently if we had the chance to do it again.


Zero Trust Architecture

Kenneth Smoyer, ManTech International

At the forefront of implementation, ManTech shares their efforts in the realm of Zero Trust Architecture (ZTA), particularly within the Department of Defense (DoD) and the Defense Information Systems Agency (DISA), including its key role in developing and publishing the DoD's ZT Reference Architecture and DISA's ZT Implementation Plan. ManTech focuses on their internal journey of ZT implementation, as well as working with the DoD, noting internal and external customer common concerns, pain points, and lessons learned. Additionally, ManTech continues to evolve R&D and testing on Zero Trust solutions, including the Zero Trust Assessment Tool (ZTAT).


SPRS: Best Practices & Myth Busting

Wayne Boline and John Duncan, RTX and US Navy

On September 9, 2020, the DoD published DFARS Case 2019-D041 in the Federal Register with an effective date of November 30, 2020. The case introduced DFARS 7019/7020, which, among other things, requires a contractor to perform a basic self-assessment of its compliance with NIST 800-171 and to load the self-assessment score into the Supplier Performance Risk System (SPRS). Since that time, there has been great misunderstanding on the application and use of the rule by both the USG and the DIB community.


In this presentation, we will cover the proper application of the rule, when it applies, and the conditions that drive the requirement to comply. We will also cover the relationship between the SAM database and SPRS and how critical it is to manage your CAGE codes properly to prevent loss of contract award if you are unable to load a SPRS score due to an administrative issue with a CAGE code. John Duncan, SPRS Program Manager, will provide insight into the government’s perspective on SPRS from a high-level view, as well as specific details related to the NIST 800-171 cyber self-assessment scores required by the DFARS rule. This popular presentation, given several times, has been fully updated to reflect the recent CMMC additions to SPRS.

Partner Onboarding


Resilience in Action: Your Guide to DIB-VDP Readiness

Kelly Salisbury and Damia Sharp, DC3 VDP

This session covers what DIB-VDP is and our dual-sealed products, including an overview of the DCSA and DCISE collaboration and partnership. Our team will cover the "life of a ticket," technologies used, data analysis (trajectory, month-to-month view), and CVE/CWE impact for DIBCOs. We will also highlight the top CVEs and CWEs, researcher and stakeholder engagement, and other relevant articles, presentations, and RFIs (including press releases, congressional taskers, and a Wall Street Journal article). We will cover the DIB-VDP Pilot Feasibility Study, lessons learned from the Pilot, best practices, real testimonies, and Metrics that Matter to give a high-level program overview; discuss the benefit of working relationships with DIBCO companies (feedback survey); and walk through the onboarding process (white-glove support), followed by a call to action and Q&A.

Small/Med DIB Partner Track


Demystifying CMMC: Navigating Compliance and Achieving Certification

Katie Dodson, Hive Systems Defense Solutions

The Cybersecurity Maturity Model Certification (CMMC) is a critical framework for organizations operating within the Defense Industrial Base (DIB). Noncompliance will result in the loss of Department of Defense (DoD) contracts worth millions of dollars, but understanding the complexities of CMMC and successfully navigating a Certified Third-Party Assessment Organization (C3PAO) audit can be challenging.

This session, led by Katie Dodson, a Lead Certified CMMC Assessor (CCA), will provide a comprehensive overview of CMMC for companies of all sizes. She'll break down key requirements across different maturity levels and outline actionable insights into preparing for an assessment.

Attendees will gain practical knowledge on:

  • Key CMMC domains and controls
  • Common pitfalls and challenges organizations face
  • Best practices for achieving and maintaining compliance
  • The C3PAO assessment process: what to expect and how to prepare
  • Strategies for a successful audit outcome

Whether you're just starting your CMMC journey or are preparing for an upcoming assessment, this presentation will equip you with the tools and understanding needed to navigate the compliance landscape with confidence.


Doing More with Less: Using Automation to Increase Cybersecurity Capabilities and Drive Efficiencies in the Absence of Manpower and Money

Jess Parnell and Kristen DeBruler, Georgia Tech Research Institute (GTRI)

The Georgia Tech Research Institute (GTRI) will discuss how it implemented Security Orchestration, Automation, and Response (SOAR) to automate processes within our Security Operations Center (SOC), enhancing cybersecurity defenses while addressing budgetary and talent constraints. In doing so, GTRI will demonstrate how this approach has increased in capabilities, greater responsiveness to customers, reduced errors, and enhanced defenses by greatly reducing our detection and response times in areas such as suspicious emails, foreign travel, and security misconfigurations.


CMMC – Its origins AND why YOUR company needs to act

Shawn D. Dickman, Col USAFR, DTC, LLC

Mr. Dickman presents the story of the agencies involved in the discovery of US IP theft, the NCIJTF's early analysis, and the resulting whole-of-government approach for enhancing cybersecurity across the DIB. The discussion focuses on China and its relentless pursuit of hacking to advance its military and industrial procurement activities. The legislative walk-through of USG acquisition regulations provides context for exactly what CMMC is and is not.

Threats


Reducing Risk from Edge Device Exploitation

Emily Skahill & Chris Schmaltz, CISA

The exploitation of edge devices represents a growing cybersecurity threat, with Verizon's annual Data Breach Investigations Report noting that the percentage of edge devices and VPNs targeted increased eightfold from 2023 to 2024. Edge devices are attractive targets for attackers because these appliances are internet accessible, provide a good initial access point, and have limited Endpoint Detection and Response (EDR) visibility, making them blind spots for security teams. Cyber actors from the People's Republic of China (PRC) have proven particularly adept at identifying and exploiting vulnerabilities in edge devices.

CISA's Joint Cyber Defense Collaborative (JCDC) Operations Office will provide an overview of the organization's role in aggregating insights and unifying efforts across CISA to drive action, highlighting a recent edge device vulnerability as a vignette. Additionally, JCDC will highlight how these operations inform long-term planning efforts such as Project CHAINBREAKER, a public-private campaign to enhance the cyber defense of U.S. critical infrastructure from PRC malicious cyber activity. Under CHAINBREAKER's Enterprise Edge Device Abatement (EEVA) Working Group, CISA has brought together edge device vendors to ensure these products are secure by design.


DCISE Threat Brief

Jason Koehn, DC3 DCISE

The DC3 DCISE threat brief covers current threats to the Defense Industrial Base (DIB) as reported by the DIB, United States Government entities, and through open-source reporting. Highlighted topics include ransomware trends, recent advanced persistent threat activity, and frequently targeted technologies.


OP MAGNUS - REDLINE INFOSTEALER

Fines "Eddie" Kiper, Defense Criminal Investigative Service

The presentation will provide a background and organizational structure of DCIS, its roles and responsibilities, and a Cyber Field Office mission brief. It will also include examples of the wide variety of criminal investigations under the purview of the DCIS Cyber Field Office, including the relevant criminal statutes. The presentation will then transition to the Op Magnus - Redline infostealer investigation, including how the investigation was initiated, its evolution into a global coordination with international law enforcement agencies, and the takedown.

Tools


Shared Secrets: Hunting credentials and PII in open file shares

Brandon Helton, L3Harris Technologies

This presentation will highlight how automated tools can rapidly scan thousands of open file shares to uncover exposed credentials and sensitive PII. We'll focus on how common development missteps - like storing secrets in web application configuration files and CI/CD pipelines - can lead to serious data exposure and security risks. Attendees will gain insight into the scale of these risks as they pertain to our company and how to detect and remediate them effectively.


Denial & Deception Technologies - A Success Story

Ben Loveless, Safran Defense & Space, Inc.

Discover the power of Denial & Deception (D&D) techniques in cybersecurity with our presentation. We will showcase our deception tools, highlighted during a targeted penetration test, where they achieved no false positives and evaded detection by skilled pen testers. Utilizing Thinkst Canary appliances and tokens, our approach deploys decoy systems across VLANs and physical locations, mimicking critical assets like servers and routers, while strategically placed tokens, such as deceptive Office files and AWS API keys, create tripwires throughout the network. Highly cost-effective, these tools are accessible to the SMB space, providing real-time, high-fidelity alerts for both external threats and insider risks. We’ve further extended and enhanced their impact with custom API integrations with firewalls and Active Directory, enabling automated responses such as dynamic blocking and account disabling. Join us to learn how these innovative, last-resort defenses can fortify your network security with minimal risks and low investment.


Puzzled Prince: Enhancing Payload Weaponization

Cullen Rezendes, DC3 CFL

Puzzled Prince is a modular payload weaponization platform that aims to provide evasion and loader mechanisms for a target payload built on the practical experience of threat actor capabilities. Puzzled Prince seeks to address the difficulties that adversary emulation operators face when needing to constantly modify their payloads as security vendors continuously update their products. An operator can enhance their payload by wrapping it with numerous evasion techniques, including shellcode/string encryption, EDR evasion techniques, sleep/delays, sandbox evasion, and more. Additionally, Puzzled Prince can assist operators in loading their payloads into memory via DLL hijacking, HTML Application (HTA) loaders, COM hijacking, Microsoft Word loaders, and more.


DCISE3 vs. ENSITE: A Comparative Analysis

Alan Savage and Nicholas Roesch, DC3 DCISE, OED

DCISE3, ENSITE, Firewalls, Sensors, what does it all mean? Let us guide you through both of these DC3 capabilities and demonstrate how they complement each other. By the end, you should be able to fully understand these capabilities and how they help you meet specific NIST SP 800-171 requirements.


Down the Rabbit Hole - Community Analytics from the DCISE3 Platform

John DiGerolamo, Celerium, Inc.

The DCISE3 Program allows DCISE analyst teams to view near-real-time traffic data across hundreds of DIB company network gateways. This, coupled with commercial intel provided by technology partner Celerium, allows these teams to provide meaningful context and weight to their findings and enables them to track and respond to DIB-specific threats and attacks. This presentation highlights primary examples of how the DCISE3 Program makes this possible.


Navigating the Security Landscape of AI (LLMs, RAG and MCP)

William Glodek, BreakPoint Labs

The presentation discusses the integration of Artificial Intelligence (AI) technologies, specifically Large Language Models (LLMs), Retrieval-Augmented Generation (RAG), and the Model Context Protocol (MCP), within the cybersecurity domain. It highlights the dual nature of these technologies, acknowledging their potential to revolutionize workflows and processes while simultaneously introducing novel vulnerabilities such as prompt injection, data poisoning, and the disclosure of sensitive information. Tailored for cybersecurity professionals, the presentation aims to define these core technologies, analyze principal LLM security vulnerabilities (referencing the OWASP Top 10 for LLMs), detail specific RAG system security challenges, and explain MCP's purpose in standardizing context management, alongside its security implications. Furthermore, it will illuminate the security considerations for integrated AI systems, outlining attack vectors and mitigation strategies.