April 10, 2025 | 4 min read | Redspin Blog
Redspin is heading to RSA this year, and we couldn’t be more excited to join the global cybersecurity community from April 28–May 1 in San Francisco. With an impressive lineup of speakers, innovative sessions, and timely conversations about the future of cyber regulation, we’re looking forward to digging into what matters most to the Defense Industrial Base (DIB), paying special attention to how and where Cybersecurity Maturity Model Certification (CMMC) shows up at the conference.
RSA is one of the world’s biggest stages for cybersecurity dialogue, and 2025 is shaping up to be its most impactful year yet. With the finalization of the CMMC program (32 CFR) and more eyes on the DIB’s cyber posture, Redspin is attending RSA to stay ahead of emerging trends, hear directly from top leaders, and bring our insights and experience to the RSA table and back to the broader CMMC ecosystem and to you.
Thomas Graham, VP and CISO at Redspin, Lead CMMC Assessor, CCA/CCP Instructor, and the mastermind behind Redspin becoming the first authorized C3PAO (aka the person to thank, and maybe blame, for everything we’re doing in the CMMC space).
Jeremy Mares, VP, Federal Sales at Redspin. Our go-to expert for translating CMMC complexity into real-world solutions for DIB contractors.
Steve Akers, CTO and Corporate CISO at Redspin and Clearwater (Redspin’s parent company). Steve is the leader of our SOC and Managed Cloud Services, making sure we practice what we preach when it comes to cybersecurity.
Dave Bailey, VP, Consulting Services, Security at Redspin and Clearwater (Redspin’s parent company). With a warfighter’s mindset, Dave brings a mission-first perspective to compliance. He knows firsthand what’s at stake when security fails and helps our clients approach cybersecurity like lives depend on it, because sometimes, they do.
Laura Martin, Sr. Account Executive at Clearwater, our go-to for the healthcare side of the house. Laura understands the intersection of cybersecurity, compliance, and care delivery, making her the perfect partner for organizations navigating HIPAA and now CMMC in healthcare.
What We’re Watching at RSA
Here are four sessions Redspin is especially excited about, and we recommend you add them to your calendar, too:
#1 Turning Breach Fails into Best Practices | Tuesday, April 29, 9:40 – 10:30 (PT)
Speakers: Stacy Bostjanick, Chief Defense Industrial Base Cybersecurity, Deputy Chief Information Officer for Cybersecurity (DCIO(CS)), Office of the Chief Information Officer; and Tara Lemieux, a Lead CMMC Assessor
This session takes a hard look at recent breaches within the DoD and DIB, unpacking how attackers got in and how certain cybersecurity controls (*cough*, the ones that CMMC validates) could have stopped them. The two speakers will bring critical insights to reinforce the program’s mission: securing the data that defends our nation.
At Redspin, we’ve long advocated that CMMC isn’t just a “set it and forget it” compliance checkbox. It’s a necessity for confirming defense. We’re eager to hear how this session underscores the urgency of proactive cyber readiness and validates the work we’re doing with DIB contractors every day.
#2 Shaping Cybersecurity: How Regulation Shapes Operational Cyber Defense | Thursday, May 1, 9:40 – 10:30 (PT)
Speakers: Christiane Kirketerp de Viron, Director for Digital Society, Trust and Cybersecurity, DG Connect, European Commission; Tim Maurer, Senior Director, Global Cybersecurity Policy, Microsoft; Ari Schwartz, Managing Director, Cybersecurity Services, Venable LLP; Josephine Wolff, Associate Professor of Cybersecurity Policy, Tufts University, The Fletcher School; Florian Schütz, Director, NCSC – National Cybersecurity Centre
This session explores the government’s efforts to strengthen cybersecurity and resilience through regulation, its impact on influencing real-world cybersecurity operations, and where more alignment is needed.
For Redspin, this is a must-attend. It’s a reminder that regulated requirements (like CMMC) don’t just protect data. They’re a cornerstone of national defense strategy. With headlines like Michael Duffey’s recent statement that he’ll review the Pentagon’s “controversial” CMMC 2.0 initiative if confirmed, staying informed on the regulatory climate is more important than ever for helping our clients understand “the why” and stay mission-ready in a shifting landscape.
#3 Using the NIST CSF Maturity Toolkit to Evaluate Your Security Program | Tuesday, April 29, 1:15 – 2:05 (PT)
Speaker: John Masserini, Founder of Senticon Security
This session introduces the NIST CSF Maturity Toolkit, an open-source solution that helps organizations assess security maturity using the NIST Cybersecurity Framework. For those working to align their environment with CMMC, tools like this can be eye-opening, especially in identifying hidden risks or gaps that might not be obvious in a static checklist.
Redspin supports any effort that brings clarity to the murky world of cybersecurity readiness, especially for organizations trying to determine whether they’re responsible for CMMC and what gaps they need to close.
#4 Dismantle the Three Lines of Defense: Embrace Continuous Risk Management! | Monday, April 28, 2:20 – 3:10 (PT)
Speakers: Cody Scott, Senior Industry Analyst, Security and Risk at Forrester Research and Alla Valente, Senior Analyst at Forrester Research
Let’s be honest: many organizations are still living in fear from audit to audit/assessment to re-assessment. And finally, someone’s saying it out loud! Backed by fresh research, this session will break down the shortcomings of the traditional Three Lines of Defense model and make the case for replacing it with a continuous risk management lifecycle.
We couldn’t agree more. This approach aligns perfectly with the DIB’s growing shift toward ongoing compliance, which looks beyond just “passing the assessment and getting certified” to staying ready every day between certifications. We’re all about helping clients move from one-and-done assessments to continuous improvement and documentation readiness. This session supports that evolution, and we’re raising a glass to it. We’re excited to support it and to learn.
Let’s Meet Up
RSA is a whirlwind. We’re here if you need a thought partner to break down the trends, share what’s happening in the CMMC ecosystem, or help you figure out what’s signal and what’s noise.
Redspin and Clearwater will also be attending networking events and Carahsoft’s Public Sector Day, so there are plenty of opportunities to connect. Schedule a meeting with our team here.
Let’s talk CMMC, defense, and the road ahead. See you in San Francisco!