Defense Contractors Handling CUI Will Be Required to Undergo Third-Party Cyber Assessments
The Department of Defense said around 80,000 defense contractors will require third-party cybersecurity assessments under the second version of the Cybersecurity Maturity Model Certification program.
Pentagon Deputy Chief Information Officer David McKeown said during a town hall meeting that third-party assessments for the contractors are required because they handle controlled unclassified information. When CMMC 2.0 was released, only half of the contractors that manage CUI were required to get a third-party assessment, while the remainder only needed to submit a self-assessment because they were managing less risky data, Federal News Network reported Thursday.
McKeown added that more companies will need to secure a third-party assessment. According to the deputy CIO, the Pentagon is working with the CMMC Accreditation Body to improve assessment capabilities.
The department has yet to sort out a timeline as to when CMMC will be required in contracts. McKeown shared that the CIO office wants to have more time than the projected 2025 deadline to fully implement CMMC, and it is one of the things that the CIO office is sorting out with the CMMC-AB.
The Pentagon also needs to go through a rulemaking process to put CMMC requirements into contracts.
DOD CIO and 2022 Wash100 winner John Sherman said during an AFCEA NoVa event on Feb. 10 that he is seeking information from CUI-classed companies and other relevant organizations on how to best implement the cybersecurity standard.
The Pentagon’s CIO Office now oversees the CMMC program after Deputy Defense Secretary Kathleen Hicks ordered the program to be transferred from the Office of the Undersecretary of Defense for Acquisition and Sustainment.