Issue link: https://iconnect007.uberflip.com/i/1472190
JULY 2022 I SMT007 MAGAZINE 41 pletely delineates classified and unclassified information in all its forms, document names, and so forth. at's simply not true. Program managers are saddled with many tasks and responsibilities, and it's unlikely that subcontractors will ever have access to even the original security classification guide used on these contracts. With that in mind, the reality of who needs to own this should be the first orga- nization in the supply chain, the one that acts as its own design authority. ose organizations are best positioned to preserve their own supply chain and to more effectively separate proprie- tary information from CUI early in the process. Johnson: Ultimately, it's the designers, the specifiers of the bill of materials for the com- ponents and the board, who are the ones on the hook. Bonner: Absolutely. is becomes a discussion of not just designing the part, but designing the data set, meaning it's determined early on which documents are expected to flow to third parties and which documents are expected to adapt the requiring activity or agencies needs into technical designs and match those with contract clauses, determining the technical rights for those data. ere is a strategic process these OEMs need to follow by which they understand which data sets will be owed to the government as a deliverable, and which ones will not—to cre- ate that clear divide between CUI and proprie- tary information early on, and not allow cross- contamination between those data sets. at's how you preserve your supply chain and avoid situations where you are flowing CUI to sup- pliers when you don't need to. Johnson: is conversation is opening my eyes to some of the implications here. Suddenly this becomes a very important step for a design bureau. ey will be on the hook. e design bureaus will need to be CMMC certified, won't they? Bonner: is idea of an independent design function is increasingly common in many industries, whether you're working in the con- struction trades with architectural and engi- neering firms or in product design with rapid prototyping; you name it, this is a commonly outsourced function. It is absolutely a lever- age point in the entire equation for data rights, data sensitivity, and data management. Johnson: It most certainly is. What's your rec- ommendation to the electronics manufactur- ing supply chain, Ryan? How would you rec- ommend they respond right now? Bonner: Organizations need to avoid false dichotomies where they assume that either CMMC is a go or it's not happening at all. All the government mandated reviews to keep CMMC moving forward, resulting in new con- tract clauses, are already underway. e rule making is scheduled; it will happen. Rather than waiting for it to surprise you, organiza- tions can begin work now to prepare them- selves for that eventuality, regardless of when it fully crystallizes. When we look at how long it takes organiza- tions to implement their safeguarding obliga- tions, I believe that there are some defensive positions, if you will, these organizations can adopt that will make them successful regard- less of timelines and outcomes. e first step is to truly know your data ownership posture for All the government mandated reviews to keep CMMC moving forward, resulting in new contract clauses, are already underway.