SMT007 Magazine

SMT007-July2022

Issue link: https://iconnect007.uberflip.com/i/1472190

42 SMT007 MAGAZINE I JULY 2022

both customer data, whether it's CUI, export controlled, or regulated by other means, and have the same set of knowledge and understanding for your own data as well. That will serve the business regardless of what happens with CMMC or other regulations.

The next posture an organization can adopt is to pursue as many of the NIST 800-171 requirements that are assigned a five-point value in the DoD assessment methodology. Those are the best chances you have of increasing your overall score in case new contract clauses introduce minimum scoring thresholds for a requirement to have all five-point requirements completed to be eligible for award.

From there, organizations should use what they now know about their data and the difficulties of individual controls implementations and execute scope control. Do not apply CUI safeguarding requirements to systems that don't absolutely require it unless there is a clearly identified business benefit. Organizations need to get across their minimum CUI safeguarding finish lines before they can then think about things like optimization and continuous improvement. There's a series of milestones along the way that I would pursue.

Organizations that want to attempt this DIY approach should really use NIST 800-171A as their primary reference document. The assessment objectives for a requirement tell you something about the process to follow and what goals you should be achieving along the way. The assessment objects, those documents or responsibilities or organizational processes described in those lists, should give you a breadcrumb trail as you go where you can confirm that you are indeed generating those proofs in the process. This is where I would recommend almost every organization begin.

Johnson: From your perspective, where do IPC Validation Services fit? Does that process complement CMMC?

Bonner: The IPC-1791 process can serve value in two ways that are evident to me. One, it accustoms the organization to outside validation and makes the assessment and validation of information security measures an integrated part of their overall certification process. Creating that comfort level with being validated by a third party is useful information on security topics. The other area where it provides value is that the IPC-1791 process is integrated with an organization's quality management. Information security programs need to function like quality management programs. Wherever there are parallels being drawn between those two functional areas, that's important and useful.

When I look at the experience IPC has working with these types of industries, the real value that will emerge over time for the 1791 program is taking the generic requirements that are in 800-171 and CMMC and adapting them into something that's well-suited for a more specialized industry. The 1791 process has the potential to provide value by contextualizing what's in CMMC and maybe even assessing and validating against that unique context.

Johnson: Ryan, thank you for the insight.

Bonner: You're very welcome. SMT007
