
GAO Report on DOD Cybersecurity Maturity Model Certification Program

GAO Reports & Testimonies
Published March 12th, 2026
Detected March 13th, 2026

Summary

The GAO released a report on the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program, finding that DOD has not fully identified or planned for key external factors affecting implementation. The report highlights potential risks, such as a lack of certified assessors, which could undermine the program's goals.

What changed

The Government Accountability Office (GAO) has released a report (GAO-26-107955) evaluating the Department of Defense's (DOD) implementation of the Cybersecurity Maturity Model Certification (CMMC) program. While DOD has developed planning documents and updated the program in 2024, GAO found that DOD has not systematically assessed and documented critical external factors that could affect the program's success. Specifically, the report points to a lack of planning for a potential shortage of certified assessors in the private sector, on which the program's third-party assessment model depends.

This report indicates that regulated entities, particularly defense industrial base (DIB) companies, should be aware of potential implementation challenges within the CMMC program. While GAO's findings do not impose new direct obligations, they suggest that DOD may face hurdles in achieving its CMMC goals over the next three years. Companies should continue to monitor DOD's progress and any adjustments to the program, especially concerning the availability of assessment resources. DOD officials indicated that waivers may be used if external factors cause significant challenges, but GAO notes that frequent use of waivers could signal program instability rather than resolve the underlying capacity problem.

What to do next

  1. Review GAO report GAO-26-107955 for detailed findings on CMMC implementation challenges.
  2. Assess internal readiness for CMMC certification in light of potential external capacity constraints.
  3. Monitor DOD communications regarding CMMC program updates and risk mitigation strategies.

Source document (simplified)

GAO-26-107955 Published: Mar 12, 2026. Publicly Released: Mar 12, 2026.

Fast Facts

DOD relies on 200,000 private companies for goods and services. Companies often store sensitive information in their computer systems that could be hacked. DOD established the Cybersecurity Maturity Model Certification program in 2020, and updated it in 2024, to ensure that companies meet requirements to keep sensitive information safe.

We reviewed DOD's implementation of this program. DOD has developed planning documents but hasn't identified all key external factors or approaches to address them. For example, it doesn't have a plan for the private sector not having enough certified assessors to meet needs. Our recommendation addresses this.


Highlights

What GAO Found

The Department of Defense (DOD) established the Cybersecurity Maturity Model Certification (CMMC) program in 2020 to ensure that defense industrial base (DIB) companies comply with cybersecurity requirements. In response to concerns about the complexity of the program’s initial framework, in 2024 DOD streamlined requirements and revised program implementation plans.

DOD plans to implement this program over the next 3 years. Although DOD does not have a strategic plan for the CMMC program recorded in a single document, it has developed several planning documents to guide implementation. GAO found that DOD’s implementation plans addressed six of seven key elements of a comprehensive strategy, as shown in the figure below.

[Figure: Extent That DOD's Plans for the CMMC Program Rollout Addressed Key Elements of a Comprehensive Strategy, as of September 2025]

DOD partially addressed the element related to identifying key external factors that could affect the program’s ability to meet its goals. While DOD has taken steps to develop strategies to address program risks, it has not systematically assessed and documented the external factors that could affect the department meeting its goals. For example, the department relies on private sector stakeholders to conduct assessments of DIB companies to determine if they comply with the program’s requirements. However, DOD did not assess and document how it intends to mitigate the risk of private sector capacity being insufficient to meet its needs for assessments, according to DOD officials.

Although DOD officials told GAO that department leaders can issue waivers if external factors cause significant challenges, such waivers would not address underlying challenges. Additionally, depending on the frequency and number of waivers DOD uses, the process could undermine the long-term viability of the CMMC program and its intent to verify that companies are implementing federal cybersecurity requirements. By assessing and documenting key external factors and developing approaches to address them, DOD would better understand program implementation risks and be better positioned to take action to mitigate those risks.

Why GAO Did This Study

DOD relies on hundreds of thousands of private companies for goods and services, ranging from weapon systems to maintenance. In doing business with DOD, these companies often use and store sensitive information in their computer systems. Malicious cyber actors have targeted defense contractors’ networks and systems to access sensitive DOD data.

Senate Report 118-188, accompanying a bill for the National Defense Authorization Act for Fiscal Year 2025, includes a provision for GAO to review DOD’s implementation of the revised CMMC program. GAO’s report evaluates, among other things, the extent to which DOD has a comprehensive strategy to guide implementation.

GAO reviewed DOD’s CMMC policies and planning documentation and interviewed DOD officials involved in implementing and managing this program. GAO also interviewed DOD officials and industry representatives who support DIB companies to implement CMMC requirements.

Recommendations

GAO recommends that DOD document key external factors that could significantly affect the CMMC program and develop approaches to address these factors. DOD concurred with the recommendation.

Recommendations for Executive Action

| Agency Affected | Recommendation | Status |
| --- | --- | --- |
| Department of Defense | The Secretary of Defense should ensure the DOD Chief Information Officer assesses and documents key external factors that could significantly affect the implementation of the CMMC program and develops approaches it will take to address those factors. (Recommendation 1) | Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |


Full Report

  - Highlights Page (1 page)
  - Full Report (43 pages)

GAO Contacts

Joe Kirschbaum, Director, Defense Capabilities and Management, kirschbaumj@gao.gov

Vijay A. D'Souza, Director, Information Technology and Cybersecurity, dsouzav@gao.gov

William Russell, Director, Contracting and National Security Acquisitions, russellw@gao.gov

Media Inquiries

Sarah Kaczmarek, Managing Director, Office of Public Affairs, media@gao.gov


Topics

Information Security, Cybersecurity, Small business, Acquisition workforce, Defense industrial base, Program management, Government contracts, Federal acquisition regulations, Military forces, Ecosystems, Sensitive data

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various Federal Agencies
Published: March 12th, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Manufacturers, Technology companies
Geographic scope: National (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: Compliance
Topics: Government Contracting, Information Security
