More companies may have to get a CMMC assessment after all

The Pentagon’s revamped Cybersecurity Maturity Model Certification program is moving forward under the Defense Department chief information officer, but DoD is rolling back an aspect of the plan that would have allowed some 40,000 companies to self-attest to their cybersecurity practices.

When the Pentagon initially announced the “CMMC 2.0″ changes late last year, DoD planned on “bifurcating” requirements for the approximately 80,000 contractors that handle controlled unclassified information (CUI).

At the time, officials said only half of those 80,000 manage CUI that is truly sensitive if it were to fall into the hands of U.S. adversaries. While those contractors would still be required to get a third-party assessment, officials anticipated the other 40,000 managing less risky data would only need to submit a self-assessment.

But during a Feb. 10 town hall, Deputy DoD CIO David McKeown said further analysis has shown all 80,000 will require third-party assessments.

“Unfortunately, it looks like pretty much everybody falls into the category of either being a clear defense contractor or having some critical industry tie, that pretty much all of those are going to end up being very important CUI,” he said.

Still, the CMMC 2.0 changes mean about 140,000 defense contractors that handle less sensitive “federal contract information” will only need to submit a self-assessment of their cybersecurity practices to comply with CMMC Level One requirements.

But the re-addition of potentially 40,000 companies that will need to have their cybersecurity practices audited in order to win defense contracts is important for several reasons.

The Government Accountability Office recently found the majority of defense contractors who have been audited in recent years are failing to fully implement the cybersecurity standards that form the basis of the CMMC requirement.

Moreover, additional companies will need to secure a third-party assessment, and the market for CMMC assessors is nascent. McKeown said DoD is working with the CMMC Accreditation Body, which accredits third-party assessment organizations, to ramp up the “assessment ecosystem.”

But he suggested the Pentagon is not necessarily married to a previous goal that would have seen CMMC fully implemented in all contracts by the end of 2025.

“We want to phase this in over a perhaps a longer period of time than the three years,” McKeown said. “We haven’t nailed that down yet. That’s also part of the rulemaking and negotiating with the AB, what we think the capacity is going to be to get through that group of 80,000 companies out there.”

The Pentagon still has to go through a lengthy rulemaking process to put CMMC requirements into contracts. But the shifting requirements are raising perennial questions about how DoD marks, shares and requires protections for CUI.

A recent paper published by the Intelligence and National Security alliance recommended a wholesale reevaluation of the federal CUI program.

“The CUI Program’s principal goal is to label sensitive but unclassified information clearly so it can be shared in a secure manner,” the paper states. “However, the explosion of CUI categories, overly complex protection/handling guidelines, and a lack of strong centralized management authority undermine the program’s effectiveness.”

During a separate event hosted by AFCEA NoVa on Feb. 10, DoD CIO John Sherman acknowledged the concerns and said he wants to get more feedback from industry.

“We talk about how much stuff is getting stamped CUI . . . and are too many things getting stamped CUI?” Sherman said. “That’s the kind of information I want to take back, so it doesn’t trigger additional levels of wire brushing and oversight that may not be necessary.”

A separate DoD directorate, the office of the undersecretary for intelligence and security, oversees the department’s CUI policies. McKeown said the intelligence and security directorate has “a keen interest in getting some guidance out” regarding CUI.

“In order for us to know that we have to protect a certain type of data, we’ve got to appropriately label it and identify it,” he said. “It’s not just you DIB partners. Internally, we want to know as well and be able to label things and protect it appropriately.”

McKeown is now overseeing CMMC after Deputy Defense Secretary Kathleen Hicks officially ordered the transition of the program from the Pentagon’s acquisition directorate to the DoD CIO’s office last week.

“Our job here is to safeguard DoD Information,” McKeown said. “And that information could be resident on DoD networks, or it could be resident on [defense industrial base] partner networks. And so I think it’s a good fit.”

The CIO’s office manages several other cybersecurity programs for the defense industrial base, which McKeown and other officials sought to highlight during today’s town hall. It was the first of three such events the CIO’s office plans on hosting this month.