The Department of Defense (DOD) needs to address external factors that could impede implementation of a major new cybersecurity program that has faced pushback from industry, the Government Accountability Office (GAO) said.

In a report issued March 12, GAO said DOD – which the Trump administration has rebranded as the Department of War – has not systematically identified the key factors outside of its control that could affect the success of the Cybersecurity Maturity Model Certification (CMMC) program.

The program, which took effect in November and will be implemented in four phases over the next three years, requires contractors to meet cybersecurity benchmarks based on the sensitivity of the information they handle.

Without identifying those external factors – which include the ability of private sector stakeholders to assess if defense contractors are complying with CMMC requirements – DOD “is increasing the risk that the program will not achieve its strategic goals,” the report said.

“Assessing and documenting key external factors that could significantly affect the implementation of the CMMC program and developing a set of approaches to address those factors will increase the likelihood that the program will achieve its goals. This includes the safeguarding of sensitive information,” it added.

The GAO report recommended that DOD “document key external factors that could significantly affect the CMMC program and develop approaches to address these factors.” The report assesses CMMC’s implementation and was ordered in a Senate report accompanying the National Defense Authorization Act for Fiscal Year 2025.

DOD concurred with the recommendation, with Chief Information Officer (CIO) Kirsten A. Davies writing that the department “is in general agreement with the overall content of the draft audit report” and will “assess and document significant external factors affecting Cybersecurity Maturity Model Certification (CMMC) Program implementation.”

GAO gave the Pentagon better grades in the rest of its report, saying the agency’s CMMC implementation plans addressed the other six key elements of a comprehensive strategy.

The report was the latest development in the lengthy saga of CMMC, which was developed during the first Trump administration, introduced in 2020, and revised as CMMC 2.0 in 2021.

Its path has been marked by criticism from industry groups, which argued the program was too complex and placed excessive regulatory burdens on companies, along with multiple revisions and ongoing concerns over cost and compliance.

These concerns prompted the creation of CMMC 2.0, which simplified the certification levels from five to three and introduced more flexible assessment requirements. Despite these changes, some industry stakeholders have continued to voice concerns, especially over the impact of CMMC on small businesses.

Yet, CMMC is now official, with DOD contracting officers applying cybersecurity tiers in all solicitations and contracts.

And GAO emphasized the program’s high stakes, since DOD relies on 200,000 private companies for goods and services, and “companies often store sensitive information in their computer systems that could be hacked.”

“Safeguarding federal computer systems—including those contractors operate or maintain—has been a long-standing concern,” the report said.

The Office of the Director of National Intelligence and the Defense Intelligence Agency reported last year, GAO noted, “that nation-state actors were targeting DIB (Defense Industrial Base) companies to obtain sensitive information.”

Jerry Markon
Jerry Markon is a freelance technology reporter for MeriTalk. Previously, he reported for The Washington Post and The Wall Street Journal.