South Texas ISSA Chapter Meeting - Government Security from FAR to CMMC
Schedule
Thu Apr 09 2026 at 11:00 am to 01:00 pm UTC-05:00
Location
The Ballroom at Tanglewood | Houston, TX
About this Event
Government Security Regulation – Evolution from FAR to CMMC (2 CPEs)
Prerequisites:
• Knowledge of basic network and security concepts
• Fundamental knowledge of supply chain risk management
Abstract:
In 1984, a U.S. Government Council (DoD, GSA, and NASA) introduced the Federal Acquisition Regulation (FAR), codified in 48 CFR, addressing supply chain procedures and contract termination. Over the next 40-plus years, federal regulations, including government safeguards for procurement and cybersecurity, evolved, with the addition of the Defense FAR Supplement (DFARS), which supplements the FAR and applies to all DoD contracts and subcontracts.
Following an extended drafting period, accompanied by evolving changes to 32 CFR and 48 CFR, long-awaited Cybersecurity Maturity Model Certification (CMMC) supply chain security requirements for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) finally became mandatory in November 2025. CMMC, currently in Phase I of rollout, leverages FAR, DFARS, and NIST Special Publication (SP) 800-171 security controls/countermeasures, accompanied by mandatory assessments and penalties for non-compliance.
During this session, regulatory subject-matter advisor and former South Texas ISSA Education Director, Dr. Tom Duffey, will discuss the evolution of supply chain security from FAR to CMMC. Dr. Tom spent over a decade working as a defense contractor for multiple military branches before transitioning his career to industry. As an ISSO and DIACAP/DoD RMF Project Manager, he observed the changes taking place firsthand. During his career, Dr. Tom has continued to work with various regulatory compliance mandates and OT/IT security frameworks. Last year, Dr. Tom leveraged his defense roots to earn his Cyber-AB certifications as a certified lead assessor, professional, and instructor.
Join us for this month's chapter meeting and hear Dr. Tom discuss his regulatory compliance journey, gain vital knowledge on how the recently implemented CMMC mandates impact the defense industrial base (DIB), and learn how you can start or continue your CMMC journey.
Instructor Bio:
Dr. Tom Duffey, Knight Critical Infrastructure Cybersecurity and Compliance Security Principal
Dr. Tom is an engineer, consultant, thought leader, project manager, instructor, and OT/IT cybersecurity and regulatory compliance professional with over 30 years of experience in the defense, energy, and healthcare sectors. His diverse experience also includes supporting multiple U.S. military branches. Dr. Tom spent over a decade as a defense contractor and was an ISSO and DIACAP/DoD RMF Program Manager for a three-star global military command before shifting his focus to industry. He holds multiple DoD 8570/8140 credentials and is a certified CMMC professional, lead assessor, and instructor.
Along with his extensive defense background, Dr. Tom has worked in both commercial IT and OT environments. Dr. Tom specializes in NIST, ISA/IEC, and ISO security frameworks, as well as CMMC, NERC CIP, TSA SD02, HIPAA, and the DoD RMF regulatory mandates. He also serves as the Vice Chair of the NERC Supply Chain Subcommittee (SCS). Through his alliance with Adodo.ai, a Cyber-AB-certified C3PAO and Approved Training Provider (ATP), Dr. Tom leads CMMC compliance and training efforts.
Dr. Tom's motto, which he has adhered to throughout his career and firmly believes in, is "growing" oneself, others, and the organization while giving back to the security community. Therefore, he has participated in various NERC efforts and served in other supporting board and leadership roles for ISA Houston, South Texas ISSA, and the InfraGard Energy CSC. He enjoys helping/mentoring others, and currently has multiple mentees. Teaching and learning remain two of Dr. Tom's biggest passions. In addition to the CMMC curriculum courses (CCP and CCA), he teaches classes for the International Society of Automation (ISA) and Texas A&M Engineering Extension (TEEX).
Along with his doctoral dissertation on NERC CIP regulatory compliance, Dr. Tom is a respected thought leader. He has contributed to numerous security thought-leadership efforts, including a World Economic Forum white paper on electric-industry cyber resilience and domain content for the EC-Council C|CISO certification Body of Knowledge. Outside of work, Dr. Tom also enjoys traveling and working on various projects. He and his wife, Jeanine, also serve on the hospitality team for their local church.
Where is it happening?
The Ballroom at Tanglewood, 5430 Westheimer Rd, Houston, United States
Event Location & Nearby Stays:
USD 0.00 to USD 535.38



















