Update from DoD Town Hall: Got CUI? Expect a Third-Party Assessment

In a Department of Defense (DoD) Town Hall held on February 10, led by David McKeown, DoD’s Senior Information Security Officer and Deputy CISO, we heard some news about CMMC. Defense contractors holding Controlled Unclassified Information (CUI) will need a third-party assessment to obtain certification.

The “bifurcation” approach is apparently gone, or at least has one and half feet out the door.  This approach was one of the changes the DoD made to the original CMMC program, and it meant that some companies in the Defense Industrial Base (DIB) would be able to self-assess, even if they had CUI. Some CUI, it seems is more “C” (controlled) than others. Consequently, many DIB members were counting on self-assessment — which is less expensive (and likely less stringent), than a third-party review. The decision was based on a study by INSA.

For now, the self-assessment language will remain in the rule, but it will be only sparingly applicable, and it may disappear completely. The change of heart results from straightforward analysis and examination of companies currently holding CUI:  none of them would have been eligible for self-assessment, making that approach moot. 

Want to hear it for yourself? There are two more Zoom.gov Town Halls scheduled for Feb 17 and 24 and videos of the town halls will be made available.

The Town Hall covered more than the new approach to CUI. It started with a good overview of the differences between CMMC 1.0 and CMMC 2.0, and also explained some important initiatives regarding public/private collaboration on security, and on the increased partnership between DoD and INSA, including:

  • threat information sharing
  • incident reporting and sharing
  • collaboration on technical assistance

The main takeaway from this DoD Town Hall is the news that most companies handling CUI — currently estimated at about 80,000 firms – will need a third-party assessment.

Download the slides of the first Town Hall.