G-Tech Studios | Shutterstock

When the Defense Department announced CMMC 2.0, it said that instead of requiring a third-party assessment for all contractors that handle Controlled Unclassified Information, only about half of them would need one, because the CUI handled by the other half wasn’t especially risky. However, DoD’s deputy CIO David McKeown now says that, based on further analysis, “pretty much everybody” handling CUI will need an independent assessment. The roughly 140,000 defense contractors handling only less sensitive “federal contract information” will still only need to submit a self-assessment.
