David McKeown, deputy chief information officer for cybersecurity at the Department of Defense, said approximately 80,000 contractors might have to undergo third-party assessments under the second iteration of DOD’s Cybersecurity Maturity Model Certification program, Federal News Network reported Thursday.
“Unfortunately, it looks like pretty much everybody falls into the category of either being a clear defense contractor or having some critical industry tie, that pretty much all of those are going to end up being very important [controlled unclassified information],” McKeown said Thursday at a town hall meeting.
When DOD unveiled the CMMC 2.0 program in late 2021, officials initially anticipated that half of those 80,000 vendors handling less risky data would only need to self-attest to their cybersecurity practices. However, further studies have revealed that all of those companies will need to undergo third-party assessments.
McKeown noted that the Pentagon is working with the CMMC Accreditation Body to build up the “assessment ecosystem” and hinted that the department is not tied to a previous goal of integrating CMMC requirements into all defense contracts by 2025.
“We want to phase this in over perhaps a longer period of time than the three years,” McKeown said. “We haven’t nailed that down yet. That’s also part of the rulemaking and negotiating with the AB, what we think the capacity is going to be to get through that group of 80,000 companies out there.”