“The Pentagon’s revamped Cybersecurity Maturity Model Certification program is moving forward under the Defense Department chief information officer, but DoD is rolling back an aspect of the plan that would have allowed some 40,000 companies to self-attest to their cybersecurity practices.
When the Pentagon initially announced the ‘CMMC 2.0’ changes late last year, DoD planned on ‘bifurcating’ requirements for the approximately 80,000 contractors that handle controlled unclassified information (CUI)…”
“But during a Feb. 10 town hall, Deputy DoD CIO David McKeown said further analysis has shown all 80,000 will require third-party assessments.
‘Unfortunately, it looks like pretty much everybody falls into the category of either being a clear defense contractor or having some critical industry tie, that pretty much all of those are going to end up being very important CUI,’ he said…”
“The Government Accountability Office recently found the majority of defense contractors who have been audited in recent years are failing to fully implement the cybersecurity standards that form the basis of the CMMC requirement.
Moreover, additional companies will need to secure a third-party assessment, and the market for CMMC assessors is nascent. McKeown said DoD is working with the CMMC Accreditation Body, which accredits third-party assessment organizations, to ramp up the ‘assessment ecosystem.’…” Read the full article here.
Source: More companies may have to get a CMMC assessment after all – By Justin Doubleday, February 10, 2022. Federal News Network.
