The Pentagon established new requirements under the Cybersecurity Maturity Model Certification (CMMC) 2.0 program to hold contractors to better protecting sensitive defense data. But the Department of Defense itself hasn’t yet proven it can meet those same standards.
Under CMMC 2.0, contractors will have to meet, at minimum, 110 security practices to do business with the U.S. military on projects that call for cybersecurity beyond the most basic level. But according to the Government Accountability Office, though not legally required to, DOD components have only met 78% of those 110 requirements for systems that manage controlled unclassified information (CUI) — the type of data CMMC aims to safeguard.
“DOD’s components’ systems would not be approved to process, transmit, or store DOD CUI if CMMC version 2.0 applied to the components,” reads a new report from GAO. “This is because CMMC would require defense contractors to comply with all 110 security controls to achieve level 2, advanced cybersecurity. As of January 2022, the DOD components had not met 22 percent of the 110 security controls.”
The Navy and Marine Corps have been more successful, reaching compliance with between 80% and 90% of those controls. Other components, like the Army, Air Force and Defense Health Agency, have complied with between 70% and 80%.
The fiscal 2021 National Defense Authorization Act asked DOD and its components to show that they can meet the same requirements the department is set to hold contractors to. For those that couldn’t meet the requirements, they had to submit details on how they would reach 100% compliance and plans for mitigating risk until they reached that point.
Some lawmakers have dug into the CMMC program after many in the defense industrial base decried the burden the program could put on their businesses. Those concerns were, in part, what led the DOD to revise the program, resulting in CMMC 2.0.
According to GAO, the DOD didn’t necessarily follow lawmakers’ directions in meeting the 110 CMMC controls.
“In response to this statutory requirement, DOD issued a report on June 30, 2021, that used the DOD Risk Management Framework — and not the CMMC framework — to identify the extent to which DOD components were meeting security requirements to protect CUI,” the report reads. “The DOD Risk Management Framework as described in DOD Instruction 8510.01 and the CMMC framework are different models — the former based on risk and the latter on compliance.”
GAO did note, in spite of the 2021 NDAA, that DOD is not legally required to comply with CMMC. But the watchdog does note that as of earlier this year, department components could not meet the very same compliance requirements the Pentagon will soon mandate its industry partners to meet.
A top defense official leading the CMMC 2.0 rollout said last week the department hopes to begin implementing program requirements in contracts in May 2023.