{"id":195262,"date":"2026-03-12T15:16:00","date_gmt":"2026-03-12T19:16:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/12\/watchdog-urges-dod-to-address-external-factors-affecting-cmmc-implementation\/"},"modified":"2026-03-12T15:30:12","modified_gmt":"2026-03-12T19:30:12","slug":"watchdog-urges-dod-to-address-external-factors-affecting-cmmc-implementation","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/12\/watchdog-urges-dod-to-address-external-factors-affecting-cmmc-implementation\/","title":{"rendered":"Watchdog urges DOD to address external factors affecting CMMC implementation"},"content":{"rendered":"<p><a href=\"https:\/\/defensescoop.com\/2026\/03\/12\/cmmc-implementation-gao-report-kirsten-davies-dod-cio\/\">Watchdog urges DOD to address external factors affecting CMMC implementation<\/a><\/p>\n<p><a href=\"https:\/\/defensescoop.com\/2026\/03\/12\/cmmc-implementation-gao-report-kirsten-davies-dod-cio\/\">https:\/\/defensescoop.com\/2026\/03\/12\/cmmc-implementation-gao-report-kirsten-davies-dod-cio\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-12 15:16:00<\/a><\/p>\n<p>Source Domain: <a href=\"defensescoop.com\">defensescoop.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>In response to findings from the Government Accountability Office, a senior Pentagon official said the department plans to evaluate and define outside variables that could hinder the defense industry\u2019s ability to comply with new standards set by the Cybersecurity Maturity Model Certification 2.0 model.<\/p>\n<p>According to a study published by the GAO on Thursday, the Defense Department has done significant work to build a comprehensive strategy for implementing CMMC 2.0 cybersecurity standards. However, the report found that the department has yet to completely identify factors beyond its control that risk the program\u2019s overall success.<\/p>\n<p>\u201cCMMC planning documentation identifies processes that can help address external factors, including a program waiver process,\u201d the report stated. \u201cHowever, CMMC planning documentation does not systematically identify the external factors that could affect reaching each goal.\u201d<\/p>\n<p>After six years of development, the department began officially enforcing the CMMC program in November. The framework requires defense contractors to confirm their networks \u2014 as well as those of their entire supply chain \u2014 have adequate cybersecurity controls to prevent adversaries from accessing sensitive Pentagon data.<\/p>\n<p>CMMC was met with harsh criticism when it was introduced by the first Trump administration, with members of the industrial base claiming the program was overcomplicated and created undue regulatory burdens on companies. A major argument has been that implementing CMMC controls would be cost- and time-prohibitive, especially for small and medium-sized vendors.\u00a0<\/p>\n<p>The Pentagon has worked closely with industry to simplify the framework and provide resources to the industrial base to help with compliance.  <\/p>\n<p>However, while the department has developed multiple planning documents to guide CMMC\u2019s three-year implementation plan, there are issues that haven\u2019t been addressed, the GAO suggested.<\/p>\n<p>\u201cDOD officials stated that they have not assessed and documented key external factors that could significantly affect the implementation of the CMMC program and developed a set of approaches to address them because these factors are outside the control of the department,\u201d per the watchdog\u2019s report.<\/p>\n<p>The department relies on a CMMC ecosystem comprising private sector stakeholders to carry out the program\u2019s goals. The Cyber AB serves as the official CMMC accreditation body, while technology firm ISACA is responsible for training and certification as Cybersecurity Assessor and Instructor Certification Organization.<\/p>\n<p>Furthermore, contractors handling more sensitive Pentagon data must have their cybersecurity posture validated by a certified third-party assessor organization staffed by certified professionals.<\/p>\n<p>The Pentagon has not analyzed how it will address the capacity of these outside stakeholders if it proves insufficient to meet the CMMC program\u2019s demands, the GAO study found. At the same time, the cybersecurity standards may prove too difficult and costly for some small businesses to meet \u2014 even with resources available \u2014 which could cause them to stop working with the Defense Department, according to the report.<\/p>\n<p>Changing cybersecurity requirements are another external factor affecting the CMMC rollout. The standards defined by the program are based on those set by the National Institute of Standards and Technology, which were revised as recently as May 2024.<\/p>\n<p>The government watchdog noted that \u201cDOD has yet to update the CMMC program to incorporate this revision. Additionally, updating the training, procedures and associated guidance for the program will take time.\u201d<\/p>\n<p>In response to the GAO\u2019s study, the Pentagon indicated that leaders can give waivers when any external variable causes challenges for industry in reaching CMMC compliance. But the watchdog warned that these waivers would not fix the underlying issues related to these external factors.<\/p>\n<p>\u201cAdditionally, depending on the frequency and number of waivers DOD uses, the process could undermine the long-term viability of the CMMC program and its intent to verify that companies are implementing federal cybersecurity requirements,\u201d the report found.<\/p>\n<p>The GAO recommended that the Pentagon conduct a comprehensive analysis of the key external factors that pose negative impacts to the CMMC program and develop mechanisms to address them. A letter from DOD Chief Information Officer Kirsten Davies indicated that the department concurred with the watchdog\u2019s recommendations.<\/p>\n<p>\u201cThe Department will assess and document significant external factors affecting Cybersecurity Maturity Model Certification (CMMC) Program implementation, such as CMMC ecosystem capacity, program demand, and evolving cybersecurity requirements and effectiveness of CMMC requirements to address and reduce risk,\u201d Davies wrote. \u201cThe Department will also assess the fulsomeness of CMMC requirements to address the National Defense Strategy and Secretary priorities.\u201d<\/p>\n<p>\t\t\tWritten by Mikayla Easley<br \/>\n\t\t\tMikayla Easley reports on the Pentagon\u2019s acquisition and use of emerging technologies. Prior to joining DefenseScoop, she covered national security and the defense industry for National Defense Magazine. She received a BA in Russian language and literature from the University of Michigan and a MA in journalism from the University of Missouri. You can follow her on Twitter @MikaylaEasley\t\t<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Watchdog urges DOD to address external factors affecting CMMC implementation https:\/\/defensescoop.com\/2026\/03\/12\/cmmc-implementation-gao-report-kirsten-davies-dod-cio\/ Publish Date: 2026-03-12 15:16:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":195263,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"http:\/\/2.gravatar.com\/avatar\/ea8b076b398ee48b71cfaecf898c582b?s=192&d=mm&r=g","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-195262","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/195262"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=195262"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/195262\/revisions"}],"predecessor-version":[{"id":195264,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/195262\/revisions\/195264"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/195263"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=195262"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=195262"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=195262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}