What I Took Away From the 2026 NCMS Seminar


The 62nd Annual NCMS Training Seminar occurred June 9-11, 2026, in Atlanta, Georgia. It left me with a fresh Notion notebook full of ideas and a renewed sense that none of this work is as impossible as it can feel day to day. Rather than recap the agenda, I want to share a handful of themes that stuck with me: the kind of practical, hard-won wisdom that's worth carrying back to your own program. Everything below is my own summary of widely applicable concepts, and I've deliberately left out anyone's proprietary materials, contact details, and the specifics of individual presentations.

Documentation is your best defense

If there was one drumbeat across the sessions, it was this: make an honest effort, then write it all down. The expectation isn't perfection; it's that you took reasonable precautions, identified issues, made decisions, and documented why. A real compliance program demonstrates that you understand what's expected of you and that any gaps are exceptions rather than the norm. Failing to keep proof of your self-assessment isn't a paperwork nuisance - it's the kind of gap that can create genuine liability. The encouraging flip side is that good documentation is entirely within reach for an organization of any size.

CUI is less complicated than it looks

A recurring message was that CUI, for all its reputation, follows a fairly clean logic. It's unclassified information, created or received for or on behalf of the government, that a law, regulation, or government-wide policy says must be safeguarded or limited in distribution. Designating something as CUI is an inherently governmental act, which means contractors generally can't self-designate - and that's actually a useful lever: if a customer hasn't told you what's CUI, you can and should push back for clarity, which often helps you right-size your scope. A practical reminder that came up more than once: some things are CUI even when they aren't marked, so when in doubt, mark it.

The supply chain is a door, not just a checklist

One of the more sobering threads was supply chain risk. Adversaries rarely go straight at the prime; they look a few tiers down, at the suppliers and the suppliers' suppliers, where attention is thinnest. The reframing that stuck with me is that the supply chain isn't only an attack vector; it's a door someone can walk through, because the real question is who has access and how that access could be used without you noticing. That's not purely a procurement problem, and it's worth helping leadership see the potential financial impact so security gets the attention it deserves. The takeaway for the rest of us: know your vendors, prioritize by criticality, and don't assume the approved-vendor list is the same thing as a secure one.

Automation gives small teams their time back

On a more hopeful note, there was real enthusiasm for automating the repetitive parts of security administration: foreign travel notices, visit access requests, training reminders, and the like. You don't need to be a programmer to start; you need a willingness to climb a modest learning curve and the discipline to start small, test with sample data, and build alerts that tell you only when something fails. The mindset I appreciated most was that persistence is its own kind of talent: chip away at one workflow at a time and you'll be amazed how much of the busywork disappears, freeing you for the judgment calls that actually need a human.

Where this leaves us

If I had to compress this year's seminar into a single sentence, it would be that security and compliance are achievable for any organization willing to be honest, document its work, and keep chipping away. None of these themes require a big budget or a big team - just clarity about what's expected and the steady habit of meeting it. That's the spirit I try to bring to this blog, and it's the spirit I'll carry into the year ahead. If you were there too and took away something different, feel free to share your experience in the comments below.

Thanks for reading!

Mug courtesy of https://peakinfosec.com/