GAO just issued a serious warning on CMMC, and it’s not about the controls

The Government Accountability Office is cautioning that DoD’s fixes to CMMC 2.0 could become the program’s biggest threat if execution gaps aren’t addressed.

The issue isn’t intent. It’s capacity and follow‑through.

Key realities the GAO called out:

  • DoD hasn’t fully planned for a shortage of certified assessors (C3PAOs) as CMMC requirements hit contracts.

  • Overuse of waivers to manage delays could weaken the entire purpose of CMMC.

  • Small and mid‑sized contractors may walk away from DoD work due to cost, timing, and uncertainty.

  • External risks (things DoD doesn’t directly control) aren’t being systematically managed.

CMMC isn’t at risk because it’s too strict.
It’s at risk if enforcement becomes uneven or symbolic.

What GovCon & Cleared Contractors Should Do Now

If you’re handling CUI or operating in the cleared ecosystem:

  • Stop waiting for “final clarity.” CMMC is moving from theory to contract language.
  • Assume assessor delays and plan your timeline accordingly, especially for Level 2.
  • Get your NIST 800‑171 house in order now; gaps won’t be forgiven later.
  • Prepare documentation early. Assessment readiness will matter as much as technical compliance.
  • Educate leadership. This is a business risk issue, not just IT or compliance.

CMMC will separate contractors who prepared early from those forced to scramble.
The window to get ahead is still open, but it’s closing fast.