Overclassification and CMMC

Getty Images

After taking over the Pentagon's cyber security program for contractors, CIO John Sherman wants to zero-in on controlled unclassified information.

The Defense Department's chief information officer wants to take a look at how much information needed to make contracts is labeled "controlled unclassified," which could impact the cybersecurity levels companies looking to do business with the DOD need to meet.

"We're trying to make this clearer," DOD CIO John Sherman said about the revamping of the Cybersecurity Maturity Model Certification program during a Feb. 10 keynote speech during AFCEA NOVA's Space Force IT Day event. He told attendees that he would want more clarity if he were a contractor having to comply with CMMC requirements.

The federal government's  proclivity to over-classify information is well-documented and has often been blamed for hampering the sharing of cybersecurity threat information between the government and private companies.

Now that the CMMC program is under the Pentagon CIO's purview, Sherman said he is focused on engaging with small to medium-sized companies – those with a few hundred employees or less – with controlled unclassified information as a topic of concern. 

"So I want to listen, I want to hear from folks," Sherman said, noting a conversation with an in-person conference attendee. "We talked about how much stuff is getting stamped CUI and if...does that raise the bar? Yeah, it does, and are too many things getting stamped CUI? That's the kind of information I want to take back and so it doesn't trigger additional levels of wire brushing and oversight that may not be necessary"

The DOD CIO's comments come a week after the office subsumed the Pentagon office and personnel responsible for overseeing the CMMC program. Sherman has previously indicated that he was eager to make CMMC easier for small businesses to comply with, which was a frequent criticism of the program.

Additionally, Sherman defended the program saying that CMMC was a "key building block" to the defense industry base's cybersecurity and while it may not be "relished," there's a downside to not having it. 

"There's a cost to your [intellectual property], there's a cost to the U.S. government. And there's a benefit to our adversaries if we don't do something like this," he said. "So I know CMMC has [had] a lot of turn around...But this ought to be something that we all see the utility of. It may not be something that is necessarily relished, but I wanted to make sense to you. And I want this to make it harder for our enemies to do what they're trying to do."

Separately, DOD chief information security officer Dave McKeown said he expected about 80,000 companies that handle CUI to be subject to third-party CMMC assessments at a Feb. 10 town hall event. Recent revisions to the CMMC program had indicated that self-assessment would be an option for some defense industrial base companies, however it appears that third-party assessment will be the norm, according to accounts of the meeting on LinkedIn.