A recent report from the U.S. Government Accountability Office (GAO) has highlighted potential challenges in the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC) program. The CMMC program, initially established in 2020 and updated in 2024, aims to ensure that the approximately 200,000 private companies providing goods and services to the DOD maintain robust cybersecurity practices to protect sensitive information stored within their systems. While the DOD has developed planning documents for the program’s implementation over the next three years, the GAO found that the department has not fully identified or addressed critical external factors that could hinder its success.
The GAO’s review indicates that the DOD’s implementation plans cover six of the seven key elements required for a comprehensive strategy. However, the report specifically points to the department’s insufficient attention to external factors that could impact the program’s ability to achieve its objectives. A significant concern raised by the GAO is the potential for a shortage of certified private sector assessors, on whom the DOD depends to verify that defense industrial base (DIB) companies are adhering to the CMMC program’s requirements. The DOD has not systematically assessed or documented how it plans to mitigate the risk that private sector capacity will be insufficient to meet the demand for these assessments.
While DOD officials have indicated that waivers can be issued by department leaders in instances where external factors present significant challenges, the GAO cautions that such waivers would not resolve the underlying issues. Furthermore, frequent or numerous waivers could potentially undermine the long-term effectiveness and purpose of the CMMC program, which is intended to confirm that companies are implementing essential federal cybersecurity standards. By more thoroughly assessing and documenting key external factors and developing proactive strategies to address them, the DOD could gain a clearer understanding of program implementation risks and be better positioned to take necessary mitigation actions. The GAO’s recommendation, which the DOD has concurred with, calls for the Secretary of Defense to ensure that the DOD Chief Information Officer assesses and documents these critical external factors and develops corresponding approaches to manage them. This recommendation is currently marked as open, with the GAO awaiting confirmation of the actions taken by the agency.
Article by Mel Anara, based upon information from U.S. Government Accountability Office