Issue link: https://iconnect007.uberflip.com/i/1472190
34 SMT007 MAGAZINE I JULY 2022 Feature Interview by Nolan Johnson I-CONNECT007 Nolan Johnson discusses with Ryan Bon- ner of DEFCERT exactly where and how EMS companies should aim for CMMC certifica- tion. Organizations, he says, "need to avoid false dichotomies where they assume that either CMMC is a go or it's not happening at all. All the government mandated reviews to keep CMMC moving forward, result- ing in new contract clauses, are already underway. e rule making is scheduled; it will happen." Nolan Johnson: Ryan , what's the status of CMMC 2.0? Ryan Bonner: T h e aspects of CMMC 2.0 that those con- tractors can act on now, even while we wait on other com- ponents, are the model i t s e l f a n d t h e a s s e s s - ment guide. Those are the two documents that are most appropriate for contractors. Because those two items are in place, there is a path for ward for CMMC, even while second- ar y aspects of CMMC, like the C3PAOs assessment process or the eventual contract clauses that will drive adoption, are under the surface, if you will, and are going through rule making. Johnson: ere is something tangible that we can proceed with in anticipation of everything else coming into place. Bonner: Absolutely. Many organizations don't realize that the shi to CMMC 2.0 was the out- come of a review by the Government Account- ability Office. I believe it was congres- sionally mandated as well under the National Defense Authori- zation Act. at process has already been completed. e big change com- ing out of that review process was to shrink the model back to o n l y t h e r e q u i r e - m e n t s d e s c r i b e d i n t h e o r i g i n a l parent document, NIST 800-171. That c r e a te s a s i tu a t i o n where now the CMMC model under 2.0 is iden- tical to the requirements and assessment content that's in both NIST 800-171 and NIST 800-171A (the document used to assess 800-171). ose are identical. ey're in lockstep. ere's no appreciable difference between the two. Johnson: If my company has already completed NIST 800-171, what does this mean regarding CMMC? CMMC 2.0: Are You Ready?