Federal News Network
DoD to evaluate ‘external’ CMMC risks
A new GAO report found the Pentagon hasn't fully fleshed out the risks of relying on the private sector to implement the CMMC program.
Justin Doubleday (@jdoubledayWFED)
March 12, 2026 6:23 pm
The Government Accountability Office is recommending the Defense Department do a better job managing a range of “external factors” that could trip up the Cybersecurity Maturity Model Certification, or CMMC, program.
GAO’s latest report is a reminder of how DoD has outsourced a large chunk of the contractor cybersecurity verification program. The CMMC program is intended to ensure defense contractors are following requirements for protecting sensitive DoD data on their networks. DoD just began including CMMC requirements in contracts late last year.
GAO’s report on defense contractor cybersecurity found DoD has largely met the elements of having a “comprehensive strategy” for the CMMC program. But the auditor says DoD “has not systematically assessed and documented the external factors that could affect the department meeting its goals.”
DoD relies on a no-cost contract with the nonprofit Cyber Accreditation Body to oversee an “ecosystem” of private sector assessment teams that will evaluate whether defense contractors are meeting the cybersecurity requirements. Companies that conduct the assessments are known as CMMC Third-Party Assessment Organizations (C3PAOs).
GAO identified “CMMC ecosystem capacity” and “program demand” as key external risk factors that DoD should evaluate and document. DoD is relying on the Cyber AB and industry to ensure there are enough C3PAOs and assessors to meet CMMC program requirements.
“CMMC program costs and requirements may affect the extent to which existing [defense industrial base] companies decide to continue doing business with DOD,” GAO’s report continues. “For example, small businesses may decide not to participate in the program due to the cost associated with assessment and certification.”
Officials within DoD’s CMMC Program Management Office told GAO they believe they can manage those risks by waiving CMMC assessment requirements when needed. But GAO counters that in many cases the requirements should not be waived, such as when the work is led by a cleared defense contractor. GAO further points out that relying on the waiver process could undermine the goal of ensuring defense contractor cybersecurity.
“Depending on the frequency and number of waivers DOD uses, the process could also undermine the long-term viability of the CMMC program and its intent to verify that companies are implementing federal cybersecurity requirements,” GAO states.
GAO found another major challenge for DoD is ensuring the program’s cybersecurity requirements stay up to date. The CMMC requirements are currently based on a 2021 version of the National Institute of Standards and Technology publication (Special Publication 800-171) for protecting controlled unclassified information in non-government systems.
NIST later updated those requirements in 2024. DoD program officials have said they’re sticking with the earlier version of the standards for now, because updating to the latest version would require another lengthy rulemaking period.
But GAO found DoD needs to at least better document the risks associated with the cybersecurity requirements, including how updating them will require associated revisions to training and exam materials for the CMMC assessors.
In response to GAO’s report, DoD agreed to “assess and document significant external factors affecting” CMMC program implementation, including ecosystem capacity, program demand, and evolving cybersecurity requirements.
“The department will also assess the fulsomeness of CMMC requirements to address the National Defense Strategy and secretary priorities,” DoD added.
GAO’s report comes as the Pentagon rolls out the CMMC requirements in phases. Starting last fall, DoD began including self-assessment requirements in applicable contracts. Later this year, DoD plans to begin introducing the third-party assessment requirements.
In the meantime, roughly 1,000 companies have voluntarily obtained a third-party CMMC certification or are in the process of getting assessed, according to numbers shared by the Cyber AB at its February meeting.
Copyright © 2026 Federal News Network. All rights reserved.
Justin Doubleday
Justin Doubleday covers cybersecurity, homeland security and the intelligence community for Federal News Network.