ARTICLE
24 March 2026

More CMMC Concerns Highlighted In The New GAO Report

Butzel Long


Author: Beth S. Gotthelf, Butzel Long

Last week, the US Government Accountability Office (GAO) issued a Report, evaluating the Department of Defense's (DoD) rollout of the Cybersecurity Maturity Model Certification (CMMC) program, and highlighting DoD's failure to systematically assess certain external factors that could impact the program's underlying information security goals. The identified gaps, such as the potential reliance on private sector assessors, could significantly impact DoD contractors, who nevertheless bear responsibility to meet DoD's CMMC compliance obligations.

As highlighted in a prior Alert, the CMMC program is designed to verify that defense contractors implement required cybersecurity controls when handling sensitive government information, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The CMMC framework establishes three levels of certification tied to the sensitivity of data handled by contractors:

  • Level 1 – basic safeguards for FCI through annual self-assessments;
  • Level 2 – protection of CUI through either self-assessments or third-party assessments every three years; and
  • Level 3 – enhanced requirements for contractors handling critical CUI, assessed directly by DoD.

Generally, certification must be obtained before contract award when specified in solicitations. DoD finalized the revised CMMC rule in 2024 and began incorporating certification requirements into defense contract regulations in November 2025. The program will be implemented through a phased rollout over approximately 36 months, gradually applying certification requirements to defense solicitations and awards.

In its Report, GAO found that DoD has addressed most elements of a comprehensive implementation strategy, including defining program goals, responsibilities, milestones, and resources. However, DoD has not fully evaluated external factors that could affect the program's success. GAO did identify several potential risks, including insufficient capacity among third-party assessors, the possibility that smaller contractors may leave the defense market due to compliance costs, and evolving cybersecurity standards that may require updates to the program's framework.

Regarding the required cybersecurity assessments, CMMC Level 2 requires an assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years. To that end, DoD relies on an ecosystem of third-party assessor organizations to certify that companies are capable of meeting the underlying cybersecurity requirements needed to protect sensitive government information. Accordingly, DoD contracted with the Cyber AB, a non-profit accreditation body, to license and authorize third-party assessors; as of December 2025, the Cyber AB had authorized 92 C3PAOs. However, according to GAO, DoD has not documented how it will address the risk that these private-sector assessors will be insufficient to handle the volume of assessments the program will demand.

For industry, this potential gap highlights the need for companies to move quickly to position themselves to be compliant as early as possible. Indeed, while contractors are not to blame for any programmatic shortcomings in the rollout of CMMC, they must continue to carefully monitor trends and the regulatory landscape, as they will continue to bear the risk (from both a business and an enforcement standpoint) of any non-compliance with the new cybersecurity rules affecting DoD procurement. Specifically, companies should assess their current cybersecurity posture against National Institute of Standards and Technology (NIST) standards, prepare for potential third-party assessments, and monitor regulatory developments affecting CMMC requirements.

As its key takeaway, GAO has recommended that DoD formally assess and document external risks to CMMC implementation and develop strategies to mitigate them. We will continue to monitor developments in this area.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
