GAO Warns DOD’s CMMC Fix Could Become the Program’s Biggest Threat
Why It Matters
CMMC is the backbone of the defense supply‑chain cyber posture; flaws in it could erode trust, create unfair competition, and expose the controlled unclassified information the program is meant to protect to heightened risk.
Key Takeaways
- GAO warns that DOD relies heavily on waivers for CMMC compliance
- A shortage of qualified assessors may delay certification of contractors against NIST SP 800‑171
- DOD has not mapped the transition from NIST SP 800‑171 Revision 2 to Revision 3
- Overlapping security programs create redundant compliance burdens for contractors
- GAO urges DOD to harmonize standards and expand its risk‑management tools
Pulse Analysis
The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) was launched to secure the defense industrial base by enforcing NIST SP 800‑171 controls on contractors handling controlled unclassified information. As the program matures, the Government Accountability Office (GAO) has become a critical watchdog, flagging systemic gaps that could undermine the initiative’s original intent. By focusing on external risk factors—such as assessor capacity, evolving NIST revisions, and the proliferation of overlapping security mandates—GAO’s latest report underscores the need for a more resilient governance structure.
Central to GAO’s critique is DOD’s default reliance on waivers to sidestep assessment bottlenecks. While waivers can be a legitimate risk‑mitigation tool, overusing them threatens the program’s core premise: verifiable, independent certification. A shortage of qualified assessors compounds this problem, risking delayed or inconsistent certifications across the supply chain. Additionally, the transition from NIST SP 800‑171 Revision 2 to the newly released Revision 3 remains undefined, leaving contractors uncertain about which control baseline they will be assessed against. The coexistence of CMMC with the National Industrial Security Program and other physical‑security standards adds redundant compliance layers that strain resources and dilute accountability.
For defense contractors, the stakes are high. Companies that invest in full CMMC certification could find themselves at a competitive disadvantage against peers granted waivers, potentially skewing contract awards. GAO’s recommendations call for DOD to develop a comprehensive risk‑management plan, align CMMC with upcoming NIST revisions, and pursue a harmonized framework that consolidates overlapping requirements. Implementing these changes would not only preserve the integrity of the CMMC ecosystem but also reinforce the United States’ broader cyber‑defense posture. The industry’s ability to adapt quickly to evolving threats hinges on DOD’s willingness to address these structural weaknesses now.