SMT007 Magazine

SMT007-July2022

Issue link: https://iconnect007.uberflip.com/i/1472190


Bonner: You should be aware of two ways you might be assessed or graded against what you've already done. If you have already worked on 800-171, or even completed your implementation, you have two pathways. The first is being assessed by the government or the Defense Contract Management Agency; that's done through their DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) teams. The DIBCAC teams, at no cost to you, schedule either a moderate confidence or high confidence assessment and, because of that, assign you a completion score using their assessment methodology. That's one way to be assessed against NIST 800-171. The other pathway is a proactive approach where you seek CMMC certification. This involves the accreditation body and their authorized assessing organizations, which are the C3PAOs, coming in and, at your cost, you are assessed and then certified. That certification is expected to be good for three years. The difference there is that contracting officers are allowed to request your CMMC certification as a source selection criterion for awards. That's the big shift. Organizations that want to skip many of the government audited steps can go straight to private sector certification, and then have that on file to show you've completed everything in NIST 800-171.

They're not mutually exclusive, so if organizations haven't completed NIST 800-171 implementations, there is an additional change to rulemaking that we expect next March. It will involve setting either certain minimum threshold scores or specifying which of the 800-171 requirements must be done as a prerequisite for contract awards, while other, perhaps less vital implementations can be saved until a 180-day window after contract award.

Johnson: Sounds like there's room there to transition without being completely locked out.

Bonner: Correct. Organizations should be aware of how compressed a 180-day window is for completing your implementations. It's not a lot of time based on how long it seems to take most contractors to implement.

Johnson: Let me ask the question in a different direction. If a company achieves CMMC 2.0 certification, does that automatically get them NIST 800-171?

Bonner: CMMC is the third-party verification method for NIST 800-171; all 110 of the requirements are validated. In that way, it does act as a hand-in-glove verification for 800-171.

Johnson: There are some components needed, including a checklist?

Bonner: Yes. There's an entire document called NIST 800-171A. Its contents are also repeated verbatim in the CMMC assessment guide. That's why we can make the claim of identical models. The contents of the assessment guide are really the measure of success for a contractor's implementation of 800-171. Organizations need to know that in any assessment, whether it's run by the government or by a C3PAO, those assessments all follow the same 320 assessment objectives. If you want to get a passing outcome or a full points value for your implementation, then you can't just meet the requirement. You must satisfy all the objectives for that requirement. Organizations that might have done just a basic implementation against the list of 110 requirements (back when
