Watchdog urges DOD to address external factors affecting CMMC implementation
In response to findings from the Government Accountability Office, a senior Pentagon official said the department plans to evaluate and define outside variables that could hinder the defense industry’s ability to comply with new standards set by the Cybersecurity Maturity Model Certification 2.0 model.
According to a study published by the GAO on Thursday, the Defense Department has done significant work to build a comprehensive strategy for implementing CMMC 2.0 cybersecurity standards. However, the report found that the department has yet to completely identify factors beyond its control that risk the program’s overall success.
“CMMC planning documentation identifies processes that can help address external factors, including a program waiver process,” the report stated. “However, CMMC planning documentation does not systematically identify the external factors that could affect reaching each goal.”
After six years of development, the department began officially enforcing the CMMC program in November. The framework requires defense contractors to confirm their networks — as well as those of their entire supply chain — have adequate cybersecurity controls to prevent adversaries from accessing sensitive Pentagon data.
CMMC was met with harsh criticism when it was introduced by the first Trump administration, with members of the industrial base claiming the program was overcomplicated and created undue regulatory burdens on companies. A major argument has been that implementing CMMC controls would be cost- and time-prohibitive, especially for small and medium-sized vendors.
The Pentagon has worked closely with industry to simplify the framework and provide resources to the industrial base to help with compliance.
However, while the department has developed multiple planning documents to guide CMMC’s three-year implementation plan, there are issues that haven’t been addressed, the GAO suggested.
“DOD officials stated that they have not assessed and documented key external factors that could significantly affect the implementation of the CMMC program and developed a set of approaches to address them because these factors are outside the control of the department,” per the watchdog’s report.
The department relies on a CMMC ecosystem comprising private-sector stakeholders to carry out the program’s goals. The Cyber AB serves as the official CMMC accreditation body, while technology firm ISACA is responsible for training and certification as the Cybersecurity Assessor and Instructor Certification Organization.
Furthermore, contractors handling more sensitive Pentagon data must have their cybersecurity posture validated by a certified third-party assessor organization staffed by certified professionals.
The Pentagon has not analyzed how it will address the capacity of these outside stakeholders if it proves insufficient to meet the CMMC program’s demands, the GAO study found. At the same time, the cybersecurity standards may prove too difficult and costly for some small businesses to meet — even with resources available — which could cause them to stop working with the Defense Department, according to the report.
Changing cybersecurity requirements are another external factor affecting the CMMC rollout. The standards defined by the program are based on those set by the National Institute of Standards and Technology, which were revised as recently as May 2024.
The government watchdog noted that “DOD has yet to update the CMMC program to incorporate this revision. Additionally, updating the training, procedures and associated guidance for the program will take time.”
In response to the GAO’s study, the Pentagon indicated that leaders can grant waivers when any external variable causes challenges for industry in reaching CMMC compliance. But the watchdog warned that these waivers would not fix the underlying issues related to these external factors.
“Additionally, depending on the frequency and number of waivers DOD uses, the process could undermine the long-term viability of the CMMC program and its intent to verify that companies are implementing federal cybersecurity requirements,” the report found.
The GAO recommended that the Pentagon conduct a comprehensive analysis of the key external factors that could negatively affect the CMMC program and develop mechanisms to address them. A letter from DOD Chief Information Officer Kirsten Davies indicated that the department concurred with the watchdog’s recommendations.
“The Department will assess and document significant external factors affecting Cybersecurity Maturity Model Certification (CMMC) Program implementation, such as CMMC ecosystem capacity, program demand, and evolving cybersecurity requirements and effectiveness of CMMC requirements to address and reduce risk,” Davies wrote. “The Department will also assess the fulsomeness of CMMC requirements to address the National Defense Strategy and Secretary priorities.”