Information security

DOD CIO Assessing What Should Be Labeled Controlled Unclassified Information

Department of Defense Chief Information Officer John Sherman, a speaker at an upcoming Potomac Officers Club event and a 2022 Wash100 winner, wants to determine whether the government is labeling too many pieces of information as controlled unclassified information.

Controlled unclassified information is one of the document types that the DOD’s Cybersecurity Maturity Model Certification program seeks to protect.

Businesses will eventually be required to meet CMMC standards before they can vie for work with the DOD, mandating the establishment of additional measures to protect CUI.

Sherman specifically wants to know if the government’s tendency to mark documents as controlled unclassified information is raising the barrier of entry too much for small and medium-sized businesses, FCW reported.

The goal is to avoid requiring companies to implement additional levels of unnecessary oversight, Sherman said an event hosted by AFCEA’s Northern Virginia chapter.

In late 2021, the DOD revamped its rules for the CMMC program in an effort to minimize barriers to compliance, especially for businesses only seeking the lowest clearance level.

CMMC 2.0 rules state that companies may secure Level 1 certification by conducting annual self-assessments. Higher clearance levels will require audits by certified third-party assessment organizations or by an internal DOD team.

Deputy Defense Secretary Kathleen Hicks recently put Sherman’s office in charge of overseeing the CMMC program, continuing the work of the office previously led by Katie Arrington, a speaker at a past POC event.

Sherman said that the transition will increase CMMC’s integration with other cybersecurity programs relevant to the defense industrial base.