GAO flags gaps in Pentagon planning for CMMC adoption

The U.S. Department of Defense was noted by the Government Accountability Office as not yet having fully accounted for outside factors that could influence the success of the Cybersecurity Maturity Model Certification program compliance within the defense industry, reports DefenseScoop.

Despite progress in developing a strategy to roll out the CMMC 2.0 cybersecurity framework, the Defense Department has not fully assessed external factors that could affect the program's success, according to the GAO report. The Pentagon has also not yet incorporated revised program standards released by the National Institute of Standards and Technology in May 2024. The GAO has also recommended that the Pentagon develop methods to mitigate identified hurdles to the CMMC program. Such recommendations have been agreed upon by DOD Chief Information Officer Kirsten Davies.

"The Department will also assess the fulsomeness of CMMC requirements to address the National Defense Strategy and Secretary priorities," said Davies in a letter to the GAO.