A report from the U.S. Government Accountability Office has found that the U.S. Department of Defense should do more to ensure that its contractors meet cybersecurity certification requirements.
The GAO said it had reviewed the DOD’s implementation of its Cybersecurity Maturity Model Certification program, established in 2020 to ensure that companies working with the DOD meet requirements for keeping sensitive information safe. Its review found that the DOD had developed planning documents for the program but had not identified all of the key external factors or approaches to addressing them. One gap, the GAO said, was the absence of a plan for the possibility that the private sector would not have enough certified assessors to meet the department’s needs.
“The Department of Defense (DOD) established the Cybersecurity Maturity Model Certification (CMMC) program in 2020 to ensure that defense industrial base (DIB) companies comply with cybersecurity requirements. In response to concerns about the complexity of the program’s initial framework, in 2024 DOD streamlined requirements and revised program implementation plans,” the GAO wrote in its report. “DOD plans to implement this program over the next 3 years. Although DOD does not have a strategic plan for the CMMC program recorded in a single document, it has developed several planning documents to guide implementation. GAO found that DOD’s implementation plans addressed six of seven key elements of a comprehensive strategy.”
The GAO’s report said that the department had only partially addressed elements related to identifying key external factors that could affect the program’s ability to meet its goals. The GAO gave the example of the DOD relying on private sector stakeholders to assess defense industrial base companies and determine whether they comply with the program’s requirements. However, the DOD did not assess or document how it intends to mitigate the risk that the private sector lacks the capacity to meet its needs for assessments.
While DOD officials told the agency that they could issue waivers if external factors cause significant challenges, the waivers will not address underlying challenges, and the process could undermine long-term viability of the CMMC program and its intent.
“By assessing and documenting key external factors and developing approaches to address them, DOD would better understand program implementation risks and be better positioned to take action to mitigate those risks,” the GAO said.
The agency recommends that the DOD document key external factors that could affect the program and develop approaches to address them. Officials said the DOD concurred with the recommendations.
