Watchdog urges DOD to address external factors affecting CMMC implementation

https://defensescoop.com/2026/03/12/cmmc-implementation-gao-report-kirsten-davies-dod-cio/

Publish Date: 2026-03-12 15:16:00

Source Domain: defensescoop.com

In response to findings from the Government Accountability Office, a senior Pentagon official said the department plans to evaluate and define outside variables that could hinder the defense industry’s ability to comply with new standards set by the Cybersecurity Maturity Model Certification (CMMC) 2.0 model.

According to a study published by the GAO on Thursday, the Defense Department has done significant work to build a comprehensive strategy for implementing CMMC 2.0 cybersecurity standards. However, the report found that the department has yet to completely identify factors beyond its control that risk the program’s overall success.

“CMMC planning documentation identifies processes that can help address external factors, including a program waiver process,” the report stated. “However, CMMC planning documentation does not systematically identify the external factors that could affect reaching each goal.”

After six years of development, the department began officially enforcing the CMMC program in November. The framework requires defense contractors to confirm their networks — as well as those of their entire supply chain — have adequate cybersecurity controls to prevent adversaries from accessing sensitive Pentagon data.

CMMC was met with harsh criticism when it was introduced by the first Trump administration, with members of the industrial base claiming the program was overcomplicated and created undue regulatory burdens on companies. A major argument has been that implementing CMMC controls would be cost- and time-prohibitive, especially for small and medium-sized vendors. 

The Pentagon has worked closely with industry to simplify the framework and provide resources to the industrial base to help with compliance.

However, while the department has developed multiple planning documents to guide CMMC’s three-year implementation plan, there are issues that haven’t been addressed, the GAO suggested.

“DOD…
