Back in October and November 2025, with the Department of Defense putting some finishing touches on the Cybersecurity Maturity Model Certification (“CMMC”) Program, we explored the contours of that program and what it means for contractors like you. During this same timeframe, we were not the only ones reviewing the CMMC Program. The GAO also has been in the process of conducting a review of the CMMC Program and recently released its findings. In a report titled, “Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation,” GAO’s position on the CMMC Program is pretty clear: Good but needs tweaking. Today, we’ll take a look at those findings and how they might affect the CMMC Program going forward.