{"id":195331,"date":"2026-03-12T18:26:00","date_gmt":"2026-03-12T22:26:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/12\/dod-to-evaluate-external-cmmc-risks\/"},"modified":"2026-03-12T19:05:10","modified_gmt":"2026-03-12T23:05:10","slug":"dod-to-evaluate-external-cmmc-risks","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/03\/12\/dod-to-evaluate-external-cmmc-risks\/","title":{"rendered":"DoD to evaluate \u2018external\u2019 CMMC risks"},"content":{"rendered":"

DoD to evaluate \u2018external\u2019 CMMC risks<\/a><\/p>\n

https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/03\/dod-to-evaluate-external-cmmc-risks\/<\/a><\/p>\n

Publish Date: 2026-03-12 18:26:00<\/a><\/p>\n

Source Domain: federalnewsnetwork.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n

A new GAO report found the Pentagon hasn’t fully fleshed out the risks of relying on the private sector to implement the CMMC program.<\/p>\n

Justin Doubleday@jdoubledayWFED<\/p>\n

March 12, 2026 6:23 pm <\/p>\n

3 min read <\/p>\n

The Government Accountability Office is recommending the Defense Department do a better job managing a range of \u201cexternal factors\u201d that could trip up the Cybersecurity Maturity Model Certification, or CMMC, program.
\nGAO\u2019s latest report is a reminder of how DoD has outsourced a large chunk of the contractor cybersecurity verification program. The CMMC program is intended to ensure defense contractors are following requirements for protecting sensitive DoD data on their networks. DoD just began including CMMC requirements in contracts late last year.
\nGAO\u2019s report on defense contractor cybersecurity found DoD has largely met the elements of having a \u201ccomprehensive strategy\u201d for the CMMC program. But the auditor says DoD \u201chas not systematically assessed and documented the external factors that could affect the department meeting its goals.\u201d
\nDoD relies on a no-cost contract with the nonprofit Cyber Accreditation Body to oversee an \u201cecosystem\u201d of private sector assessment teams that will evaluate whether defense contractors are meeting the cybersecurity requirements. Companies that conduct the assessments are known as CMMC Third-Party Assessment Organizations (C3PAOs).]]><\/p>\n

GAO identified \u201cCMMC ecosystem capacity\u201d and \u201cprogram demand\u201d as key external risk factors that DoD should evaluate and document. DoD is relying on the Cyber AB and industry to ensure there are enough C3PAOs and assessors to meet CMMC program requirements.
\n\u201cCMMC program costs and requirements may affect the extent to which existing [defense industrial base] companies decide to continue doing business with D0D,\u201d GAO\u2019s report continues. \u201cFor example, small businesses may decide not to participate in the program due to the cost associated with assessment and certification.\u201d
\nOfficials within DoD\u2019s CMMC Program Management Office told GAO they believe they can manage those risks by waiving CMMC assessment requirements when needed. But GAO counters that the requirements shouldn\u2019t be waived in many cases, such as when the work is led by a cleared defense contractor. And furthermore, GAO points out relying on the waiver process could undermine the goal of ensuring defense contractor cybersecurity.
\n\u201cDepending on the frequency and number of waivers DOD uses, the process could also undermine the long-term viability of the CMMC program and its intent to verify that companies are implementing federal cybersecurity requirements,\u201d GAO states.
\nGAO found another major challenge for DoD is ensuring the program\u2019s cybersecurity requirements stay-up-to-date. The CMMC requirements are currently based on a 2021 version of the National Institute of Standards and Technology publication for protecting controlled unclassified information in non-government systems.
\nNIST later updated those requirements in 2024. DoD program officials have said they\u2019re sticking with the earlier version of the standards for now, because updating to the latest version would require another lengthy rulemaking period.
\nBut GAO found DoD needs to at least better document the risks associated with the cybersecurity requirements, including how updating them will require associated revisions to training and exam materials for the CMMC assessors.]]><\/p>\n

In response to GAO\u2019s report, DoD agreed to \u201cassess and document significant external factors affecting\u201d CMMC program implementation, including ecosystem capacity, program demand, and evolving cybersecurity requirements.
\n\u201cThe department will also assess the fulsomeness of CMMC requirements to address the National Defense Strategy and secretary priorities,\u201d DoD added.
\nGAO\u2019s report comes as the Pentagon rolls out the CMMC requirements in phases. Starting last fall, DoD began including self-assessment requirements in applicable contracts. Later this year, DoD plans to begin introducing the third-party assessment requirements.
\nIn the meantime, roughly 1,000 companies have voluntarily obtained a third-party CMMC certification or are in the process of getting assessed, according to numbers shared by the Cyber AB at its February meeting.
\n Copyright
\n \u00a9\u00a02026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

DoD to evaluate \u2018external\u2019 CMMC risks https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/03\/dod-to-evaluate-external-cmmc-risks\/ Publish Date: 2026-03-12 18:26:00 Source Domain: federalnewsnetwork.com Author:…<\/p>\n","protected":false},"author":1,"featured_media":195332,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/federalnewsnetwork.com\/wp-content\/uploads\/2017\/06\/nist-062217.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-195331","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/195331"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=195331"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/195331\/revisions"}],"predecessor-version":[{"id":195333,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/195331\/revisions\/195333"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/195332"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=195331"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=195331"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=195331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}