SMT007 Magazine

SMT007-July2022

Issue link: https://iconnect007.uberflip.com/i/1472190


those were released) and perhaps overlooked the later publication of the assessment guide could be in for a rude awakening when they open that document for the first time and realize there are additional details in those objectives and in the lists of objects that will be used in an assessment.

Those lists of assessment objects are the best way for contractors to understand where they stand now, even without engaging the services of a third party to validate their implementation. This is because each of those lists for each requirement has unique characteristics that organizations can seek out in their implementation to see if they are matching what's described there. I'll give you the examples here. For each of those lists of objects, we have examinable documents, responsibilities assigned to personnel, and some sort of testable process or mechanism, something that can be observed or viewed in system configurations. If I'm not finding any described objects in those lists that sound or feel like something I have, whether it's an assigned responsibility or a specific document on a certain topic, or perhaps the ability to show someone in a system that something is configured, that should be a yellow flag to me; I'm not finding any home on these lists for the work that I've done. You don't need an exact match for what's described in the list, but you should have something that serves the same function or purpose as what's described in those lists.

Johnson: Makes sense. The process right now is to find your gaps.

Bonner: Absolutely. If I don't have any policy statements as described in the assessment guide for a requirement or any of the documented procedures, if I have no one in my organization who's been assigned responsibilities that are germane to that set of objectives, if I can't show any physical or systems proof that something has been done—either through a shoulder surf or in documents—that should tell me that assessors will struggle to validate the work that I've done.

Johnson: Which of course all leads back to the fact that we can expect that everybody is going to need CMMC certification because undoubtedly somewhere along the whole supply chain they're involved in something that will be CMMC required.

Bonner: Yes. The key thing to remember with the shift to CMMC 2.0 is that level one has fallen back into a self-attestation model for meeting those minimum requirements. That shifts the focus significantly to CMMC level two and deciding early as to whether that is required for your organization based on your contract profile and the kind of information that you handle. Earlier this year, I asked Stacy Bostjanick, who leads the CMMC PMO's office, whether she believed ITAR, which is export-controlled information or controlled technical information (CTI), would ever be allowed to be self-attested for its safeguarding or protection under the bifurcated model that's being dis-
