Issue link: https://iconnect007.uberflip.com/i/1472190
38 SMT007 MAGAZINE I JULY 2022
cussed. Her direct response was, "Not likely; it would be very difficult to do that." That's because of the sensitivity of the data. When we look at that and at the industries we're most often interacting with—manufacturing, electronics, microelectronics, semiconductor industry, you name it—they thrive on complex technical information, so they're more likely to have the kinds of information that qualifies for CMMC level two and are likely to consider or to require third party validation or certification.
Johnson: It sounds like companies should be aiming for CMMC level two.
Bonner: I would say that in most cases, that's true. We see organizations dropping down to CMMC level one when they almost exclusively sell commercial off-the-shelf goods to their customers. The only information that they exchange is related to the procurement or purchasing of those COTS products. Conversely, the only time we see organizations pursuing a higher level, such as CMMC level three, is very clearly communicated up front by the program managers or contracts officers for that program, because they understand that it is a critical weapons system or DoD platform, and is more often targeted by advanced persistent threats, which is the entire purpose of CMMC level three. For most organizations we interact with, especially in electronics or precision manufacturing, CMMC level two is where they land.
Johnson: Does level three certification go all the way through the supply chain, even to the board fabricator for that particular component? In other words, must everyone in the supply chain be CMMC level three?
Bonner: When we think about the way requirements can flow down from a higher CMMC level into the supply chain where subcontractors may be producing less detailed or less significant parts of an overall component or an overall assembly, there's a huge opportunity and a need for contractors to control their own destiny through better data management. By default, a higher level, and more robust requirements like CMMC or even CMMC level two, will continue to flow down, adding additional burden and cost to the supply chain unless subcontractors and suppliers work together to reverse the flow of that trend. That only happens when organizations have complete control and discretion over how much information from customer designs and requirements is brought into their internal designs. It requires a distinct understanding of which data sets are proprietary to the contractor and which data sets belong to the government under full or shared use rights. That is the dividing line between proprietary information and controlled unclassified information, which activates CMMC levels two and three. Classified information is above and beyond the CUI side of the house. This is a match pair to classified information: it's controlled unclassified information.
Johnson: That makes sense. If the component that I'm providing ends up in a system intended for government or milaero-type use, and that system is subject to CMMC, then the subsystem I'm supplying is not required to be CMMC level three. Am I oversimplifying?
Bonner: Information that you create internally and fully own outright, meaning that it is proprietary according to the National Archives and Records Administration (NARA) which runs the CUI program—that information is not CUI, even though it may be marked as CUI upon receipt, just to make sure it's protected at the same level. But for the organization that owns it, it's not CUI.
That's rather confusing because you could very well be handling information that belongs to you marked CUI and it would not be con-