National Defense ISAC leader raises questions over CMMC assessment capacity, controlled unclassified information

The long-awaited rollout of contract requirements for the Pentagon’s Cybersecurity Maturity Model Certification program raises questions about the current capacity for getting a level two assessment and reducing the flow of controlled unclassified information, according to defense info-sharing leader Steve Shirley.

A final rule to start the three-year implementation timeline for putting CMMC requirements into defense contracts went into effect on Nov. 10. The first year focuses on CMMC level one but doesn’t prevent acquisition officials from asking...