Back in October and November 2025, with the Department of Defense putting some finishing touches on the Cybersecurity Maturity Model Certification (“CMMC”) Program, we explored the contours of that program and what it means for contractors like you. During this same timeframe, we were not the only ones reviewing the CMMC Program. The GAO also has been in the process of conducting a review of the CMMC Program and recently released its findings. In a report titled, “Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation,” GAO’s position on the CMMC Program is pretty clear: Good but needs tweaking. Today, we’ll take a look at those findings and how they might affect the CMMC Program going forward.
Overview of Recent Updates to Cybersecurity Requirements Under the CMMC Program (Part 2)
Not long ago, we discussed the basics of the Cybersecurity Maturity Model Certification (CMMC) Program at DFARS subpart 204.75. Of course, with such a large new system as the CMMC Program, there is more to it than what we reviewed there. In this second set of posts, we will dive deeper into the requirements and procedures of the CMMC Program implemented by DoD back in September 2025, among other items. We will explore the general rules on what systems are covered by the CMMC Program, when the contractor must be in compliance with the CMMC Program, and what levels will apply for contracts.