Back in October and November 2025, with the Department of Defense putting some finishing touches on the Cybersecurity Maturity Model Certification (“CMMC”) Program, we explored the contours of that program and what it means for contractors like you. During this same timeframe, we were not the only ones reviewing the CMMC Program. The GAO also has been in the process of conducting a review of the CMMC Program and recently released its findings. In a report titled, “Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation,” GAO’s position on the CMMC Program is pretty clear: Good but needs tweaking. Today, we’ll take a look at those findings and how they might affect the CMMC Program going forward.
Not every part of the report requires a particularly deep dive, but several components warrant further discussion. First, and very relevant to federal contractors, is the discussion of resources for small businesses seeking to meet CMMC requirements. GAO observed that the DoD Mentor-Protégé Program is a good resource for CMMC mentorship, but that program is already well established. What is more interesting is the apparent establishment of a “Project Spectrum” to increase cybersecurity awareness and capabilities for small businesses. This program provides cybersecurity information, resources, tools, and training at no cost to companies. Details on this program can be found here.
After discussing acquisition workforce training, the report then turns to discuss the entity that will administer the CMMC Program under DoD. In 2020, a non-profit named “The Cyber AB” entered an agreement with DoD to serve as “an external accreditation body that is responsible for administering and facilitating, on behalf of DOD, an ecosystem of private sector organizations and individuals who conduct assessments, issue certifications, and train personnel.” This entity will in essence administer the CMMC Program, even adjudicating appeals of CMMC compliance assessments by private assessors.
As for the program itself, GAO noted that the program basically met every required element for a successful comprehensive strategy, ranging from “mission statement” to “organizational roles, responsibilities, and coordination.” However, one element remained incomplete: “key external factors that could affect goals.”
To be sure, GAO noted that DoD had taken steps to address the matter. It just still has work to do. For example, GAO observed that the CMMC Program plans to rely on private sector stakeholders to conduct assessments of contractors to determine whether they comply with the program. However, DoD did not consider whether there are sufficient private sector suppliers of such assessment services to meet the demand for assessments. The same pattern held for several other possible external considerations. GAO noted the following as well:
- Program demand: Compliance with the CMMC Program will cost contractors time and money. This, in turn, may affect the extent to which those contractors even want to work with DoD. If the cost and effort are too great, the program could have the unintended effect of pushing substantial numbers of contractors out, affecting DoD negatively overall.
- Evolving cybersecurity requirements: The CMMC Program’s various requirements come from documents published by the National Institute of Standards and Technology (NIST) in 2020 and 2021. While NIST updated these documents in 2024, DoD has yet to update the CMMC Program to reflect those revisions. In a field that changes as constantly as cybersecurity, this represents a problem. Also, even when revisions are made, all the training, procedures, and associated guidance will require updating too, something that could take up to a year to resolve.
In response, DoD noted that it would be able to waive compliance with certain aspects of the CMMC Program. But GAO, while acknowledging this to be true, noted that such a waiver does not necessarily resolve the issues in a satisfactory manner. After all, CMMC requirements are meant to ensure cybersecurity. A waiver could mean greater risk of cyberattack and compromise, the very thing the CMMC Program is meant to prevent. Waiver is a reasonable tool to use sparingly, but not wholesale. Indeed, DoD’s own memorandum on the matter acknowledged that there are times where waiver is simply inappropriate regardless of circumstances.
Thus, GAO is recommending that DoD take a closer look at these external considerations and document a plan to address them. This, GAO states, will allow DoD to be better prepared for the potential risks to the CMMC Program.
It seems reasonable, in our estimation, to believe that DoD will take this recommendation seriously. This is why it matters to you, the federal contractor. We would expect DoD to tweak the program a bit in the near future. The exact degree to which it adjusts the program is difficult to discern, but some amount of change should be expected. We do think that any changes should not be gargantuan in nature, to be sure. But some changes could greatly affect the calculations and determinations contractors will need to make about performing DoD work in the future as the CMMC Program is implemented to apply to all DoD contracts. Keep an eye out for future updates.
Questions about this post or other federal contracting matters? Email us. Need legal assistance? Call us at 785-200-8919. Looking for the latest government contracting legal news? Sign up for our free monthly newsletter, and follow us on LinkedIn, Twitter and Facebook.
