The Department of War’s Cybersecurity Maturity Model Certification 2.0 program is officially underway, but a new federal watchdog report warns that its long-term success is threatened by a critical lack of planning for external market pressures.
A Government Accountability Office report published Thursday reveals that the Pentagon has failed to systematically account for external factors that could stall implementation. Chief among these concerns is whether the private sector has enough certified assessors to handle the approximately 80,000 defense contractors now requiring Level 2 certification.

What Is the CMMC Program?
CMMC is DOW’s framework for verifying that contractors follow required cybersecurity practices when handling government data. The model was introduced in 2020 and later revised as CMMC 2.0 to simplify compliance and reduce the number of certification tiers.
Under the updated structure, the program includes three levels of cybersecurity maturity aligned with the sensitivity of data handled by contractors:
- Level 1: Basic safeguards for federal contract information
- Level 2: Implementation of all 110 controls from the National Institute of Standards and Technology Special Publication 800-171 to protect controlled unclassified information
- Level 3: Additional protections from NIST SP 800-172 to defend against advanced threats
The Pentagon began the phased rollout of CMMC in November 2025, marking the end of the program’s voluntary phase and requiring contractors seeking certain defense contracts to begin meeting certification requirements.
What Risks Could Affect the CMMC Assessment Ecosystem?
DOW currently relies on third-party assessor organizations to verify that companies are protecting sensitive government data. The Cyber AB, an external nonprofit organization, administers the certification program and accredits organizations that conduct contractor assessments. As of December 2025, The Cyber AB had authorized 92 CMMC third-party assessment organizations to conduct Level 2 certification assessments. However, GAO investigators found that the DOW has not documented how it will mitigate the risk if these private sector assessors cannot meet the demand.
“By assessing and documenting key external factors and developing approaches to address them, DOD would better understand program implementation risks,” the GAO noted, warning that relying on waivers to bypass requirements could undermine the entire program’s intent to verify security.
GAO: DOW Still Evaluating Training Needs
The government watchdog also noted that DOW is still determining how extensively the acquisition workforce must be trained to administer and enforce the CMMC program.
Officials within the Office of the Under Secretary of Defense for Acquisition and Sustainment must evaluate existing training materials and determine whether new courses or expanded training requirements are needed, the report said.
The Defense Acquisition University has already developed several training offerings to support implementation, including:
- Cybersecurity 1010, an introductory course covering CMMC program requirements and regulatory clauses tied to defense contracts
- Cybersecurity 1020, which explains how cybersecurity requirements flow through the acquisition process and apply to subcontractors
- Cybersecurity 1030, a course for senior acquisition personnel focused on selecting appropriate certification requirements for procurements
DAU also provides webinars and online resources describing CMMC regulatory requirements and implementation guidance.
However, GAO said officials have not yet determined the full scope of workforce training required to ensure acquisition personnel can effectively implement the program.
How Prepared Is the Defense Industrial Base for CMMC Compliance?
The urgency of the GAO’s warning is underscored by industry data showing a massive readiness gap. An October 2025 CyberSheath report indicated that only 1 percent of the defense industrial base was fully prepared for the CMMC final rule. The State of the DIB Report 2025 also noted that while 69 percent of contractors claim compliance through self-assessments, only 30 percent have undergone validated third-party checks.
As the Pentagon continues its phased rollout of CMMC requirements, GAO is calling on the DOW secretary to have the department’s chief information officer assess and document key external factors that may impede CMMC implementation, ensuring the Pentagon has a clear road map for addressing those challenges. DOW concurred with the recommendation.
