CMMC Is Live — But Is the Pentagon Managing the Risks?

A new GAO report is raising important questions about how the Department of Defense is overseeing its own Cybersecurity Maturity Model Certification (CMMC) program, and the findings matter for every defense contractor in the GovCon space.

DoD hasn’t fully assessed external risks, including whether there are enough certified third-party assessors (C3PAOs) to meet program demand, and whether small businesses can even afford the certification process.

Waivers are being used as a risk management tool, but GAO warns this approach could undermine the long-term credibility and intent of the entire CMMC program.

The underlying cybersecurity standard is already out of date. CMMC requirements still rest on NIST’s 2021 publication rather than its 2024 update, because adopting the newer revision would require a new rulemaking period.

Why does this matter for the Defense Industrial Base?

The CMMC program was built to protect sensitive DoD data on contractor networks. But if the ecosystem of assessors is too thin, the costs are too high for small businesses, and the underlying standards aren’t current, the program’s effectiveness is at risk before it even reaches full implementation.

DoD has agreed to assess and document these gaps. Meanwhile, the third-party assessment requirements are still rolling out, with further phases arriving later in 2026.

CMMC compliance isn’t optional, but the framework around it still needs work. Now is the time for GovCon leaders to stay ahead of the curve, not wait for mandates to catch up.