GAO: Pentagon Needs Goals to Improve CMMC Framework


The watchdog made several recommendations in an audit of the Cybersecurity Maturity Model Certification effort.

The Defense Department needs to improve communication with industry and develop performance measures regarding its Cybersecurity Maturity Model Certification framework, according to an audit released by the Government Accountability Office Dec. 8.

The audit, which took place over the past calendar year, found the Defense Department is inadequately reviewing CMMC, which was created in 2019 as a means for defense contractors to improve cybersecurity and information security practices through third-party assessments.

The program’s goal was to improve the cyber posture of a Defense Industrial Base that—while supplying hundreds of billions of dollars’ worth of goods and services to DOD—has access to some of the department’s most sensitive unclassified data. But in November, the Defense Department suspended CMMC while signaling major changes for the program. However, GAO’s audit suggests the Pentagon is doing a poor job communicating with industry regarding industry’s concerns about the program or coming changes to it.

“DOD engaged with industry in refining early versions of CMMC, but it has not provided sufficient details and timely communication on implementation,” the audit states. “Until DOD improves this communication, industry will be challenged to implement protections for DOD’s sensitive data.”

The auditors indicate that while the Defense Department has identified plans to assess portions of the five-year CMMC implementation plan, including data collection activities and high-level objectives, “these plans do not fully reflect GAO’s leading practices for effective pilot design.” Auditors called out the Pentagon for failing to define “when and how it will analyze its data to measure performance.”

“Further, GAO found that DOD has not developed outcome-oriented measures, such as reduced risk to sensitive information, to gauge the effectiveness of CMMC,” the audit states. “Without such measures, the department will be hindered in evaluating the extent to which CMMC is increasing the cybersecurity of the defense industrial base.”

GAO issued three recommendations to DOD: to improve communication with industry, to develop a plan to evaluate a pilot, and to develop outcome-oriented performance measures. The Defense Department concurred with those recommendations and outlined plans to address them in CMMC 2.0.