Despite the Department of Defense’s (DoD) efforts to add its Cybersecurity Maturity Model Certification (CMMC) program to its acquisition process, beginning in 2021 and running up until full implementation in fiscal year (FY) 2026, a new report from the Government Accountability Office (GAO) found that DoD has neither met its implementation goals nor properly communicated key decisions to industry.
After DoD announced that it was planning on rolling out CMMC as a pilot requirement for up to 15 contracts for FY2021, a lengthy internal review of the program ultimately led to the postponement of those pilots. The review concluded in early November, leading to the announcement of CMMC 2.0 with simplified requirements for Defense Industrial Base (DIB) contractors.
“DoD began implementing CMMC in September 2020 through an interim rule (effective November 30, 2020) and is currently in the 5-year pilot phase leading to full CMMC implementation,” the report says. “However, implementation of the pilot has been delayed and the program has not met its fiscal year 2021 goals. DIB companies have also expressed a broad range of concerns about CMMC implementation, such as costs to support assessments, reciprocity with other cybersecurity certifications, and assessment consistency.”
DoD currently plans to roll out the CMMC requirement to DIB contracts and contractors over a five-year pilot phase, set to run from FY2021 up until full implementation in FY2026. The pilots were expected to begin in earnest in FY2021, but a lack of certified third-party assessors has held up some of the progress.
GAO says that currently just five organizations have been certified as third-party assessors by the CMMC Accreditation Body (CMMC-AB), while more than 190 organizations are currently awaiting a DIB Cybersecurity Assessment Center assessment. This has led to only one assessment organization being examined, it said.
With the delay, program officials told GAO that the under secretary of Defense will release a memo towards the beginning of each fiscal year that defines the target number of pilot contracts for that year. DoD said it currently “has not yet determined the structure and scope of any pilot under CMMC 2.0,” according to GAO.
“This approach, according to program officials, is intended to help ensure that supporting elements of CMMC, such as certified assessment organizations and trained assessors, are in place to support the acquisitions that will include CMMC as a requirement at contract award,” the report says.
GAO also brought up concerns from the DIB that its contractors are not being adequately looped in on key program decisions. Before the release of CMMC 2.0, trade groups were calling on the DoD to publicly reaffirm its commitment to the CMMC program due to radio silence from the DoD on the status of the then-ongoing internal review and program changes.
“While DoD initially engaged with DIB companies and trade groups in refining early versions of the CMMC model, it has since not provided sufficient and timely communication to industry on implementation details due to several factors cited by the department, such as communication limitations imposed by the rulemaking process,” GAO wrote.
The DIB is also concerned about the implementation of CMMC rules, and GAO said it received 189 public comments between September and November 2020 that expressed worries about how different aspects of the program would work. GAO also found that DoD hasn’t provided “sufficient or timely” communications on these issues.
“DoD also has not yet developed outcome-oriented performance measures to determine the extent to which CMMC is meeting DoD’s overall goals to increase the security and resiliency of the DIB,” GAO added.
GAO recommends DoD develop a plan to evaluate the implementation of the program and outcome-oriented performance measures for the CMMC program. DoD responded and said the program office is currently working to identify metrics to evaluate implementation and measure performance.