DoD to evaluate ‘external’ CMMC risks

https://federalnewsnetwork.com/cybersecurity/2026/03/dod-to-evaluate-external-cmmc-risks/

Publish Date: 2026-03-12 18:26:00

Source Domain: federalnewsnetwork.com

Author: Justin Doubleday

A new GAO report found the Pentagon hasn’t fully fleshed out the risks of relying on the private sector to implement the CMMC program.

Justin Doubleday (@jdoubledayWFED)

March 12, 2026 6:23 pm

The Government Accountability Office is recommending the Defense Department do a better job managing a range of “external factors” that could trip up the Cybersecurity Maturity Model Certification, or CMMC, program.
GAO’s latest report is a reminder of how DoD has outsourced a large chunk of the contractor cybersecurity verification program. The CMMC program is intended to ensure defense contractors are following requirements for protecting sensitive DoD data on their networks. DoD just began including CMMC requirements in contracts late last year.
GAO’s report on defense contractor cybersecurity found DoD has largely met the elements of having a “comprehensive strategy” for the CMMC program. But the auditor says DoD “has not systematically assessed and documented the external factors that could affect the department meeting its goals.”
DoD relies on a no-cost contract with the nonprofit Cyber Accreditation Body to oversee an “ecosystem” of private sector assessment teams that will evaluate whether defense contractors are meeting the cybersecurity requirements. Companies that conduct the assessments are known as CMMC Third-Party Assessment Organizations (C3PAOs).

GAO identified “CMMC ecosystem capacity” and “program demand” as key external risk factors that DoD should evaluate and document. DoD is relying on the Cyber AB and industry to ensure there are enough C3PAOs and assessors to meet CMMC program requirements.
“CMMC program costs and requirements may affect the extent to which existing [defense industrial base] companies decide to continue doing business with DOD,” GAO’s report continues. “For example, small businesses may decide not to participate in the program due to the cost associated with assessment and certification.”
Officials within DoD’s CMMC Program Management Office told GAO they believe they can manage those risks by waiving CMMC assessment requirements when needed. But GAO counters that the requirements shouldn’t be waived in many cases, such as when the work is led by a cleared defense contractor. GAO further points out that relying on the waiver process could undermine the goal of ensuring defense contractor cybersecurity.
“Depending on the frequency and number of waivers DOD uses, the process could also undermine the long-term viability of the CMMC program and its intent to verify that companies are implementing federal cybersecurity requirements,” GAO states.
GAO found another major challenge for DoD is ensuring the program’s cybersecurity requirements stay up to date. The CMMC requirements are currently based on a 2021 version of the National Institute of Standards and Technology publication for protecting controlled unclassified information in non-government systems (NIST Special Publication 800-171).
NIST later updated those requirements in 2024. DoD program officials have said they’re sticking with the earlier version of the standards for now, because updating to the latest version would require another lengthy rulemaking period.
But GAO found DoD needs to at least better document the risks associated with the cybersecurity requirements, including how updating them will require associated revisions to training and exam materials for the CMMC assessors.

In response to GAO’s report, DoD agreed to “assess and document significant external factors affecting” CMMC program implementation, including ecosystem capacity, program demand, and evolving cybersecurity requirements.
“The department will also assess the fulsomeness of CMMC requirements to address the National Defense Strategy and secretary priorities,” DoD added.
GAO’s report comes as the Pentagon rolls out the CMMC requirements in phases. Starting last fall, DoD began including self-assessment requirements in applicable contracts. Later this year, DoD plans to begin introducing the third-party assessment requirements.
In the meantime, roughly 1,000 companies have voluntarily obtained a third-party CMMC certification or are in the process of getting assessed, according to numbers shared by the Cyber AB at its February meeting.
Copyright © 2026 Federal News Network. All rights reserved.