DoD to evaluate ‘external’ CMMC risks
https://federalnewsnetwork.com/cybersecurity/2026/03/dod-to-evaluate-external-cmmc-risks/
Publish Date: 2026-03-12 18:26:00
Source Domain: federalnewsnetwork.com
A new GAO report found the Pentagon hasn’t fully fleshed out the risks of relying on the private sector to implement the CMMC program.
Justin Doubleday
March 12, 2026 6:23 pm
The Government Accountability Office is recommending the Defense Department do a better job managing a range of “external factors” that could trip up the Cybersecurity Maturity Model Certification, or CMMC, program.
GAO’s latest report is a reminder of how DoD has outsourced a large chunk of the contractor cybersecurity verification program. The CMMC program is intended to ensure defense contractors are following requirements for protecting sensitive DoD data on their networks. DoD just began including CMMC requirements in contracts late last year.
GAO’s report on defense contractor cybersecurity found DoD has largely met the elements of having a “comprehensive strategy” for the CMMC program. But the auditor says DoD “has not systematically assessed and documented the external factors that could affect the department meeting its goals.”
DoD relies on a no-cost contract with…