Executive Gov
  • Home
  • Acquisition & Procurement
  • Agencies
    • DoD
    • Intelligence
    • DHS
    • Civilian
    • Space
  • Cybersecurity
  • Technology
  • Awards
  • News
  • About
  • Wash100
  • Contact Us
    • Advertising
    • Submit your news
No Result
View All Result
Executive Gov
  • Home
  • Acquisition & Procurement
  • Agencies
    • DoD
    • Intelligence
    • DHS
    • Civilian
    • Space
  • Cybersecurity
  • Technology
  • Awards
  • News
  • About
  • Wash100
  • Contact Us
    • Advertising
    • Submit your news
No Result
View All Result
Executive Gov
No Result
View All Result
Home Cybersecurity

GAO Raises Concerns Over CMMC Assessor Capacity Amid Phased Rollout

by Kristen Smith
March 13, 2026
in Cybersecurity, News
GAO Raises Concerns Over CMMC Assessor Capacity Amid Phased Rollout

GAO Raises Concerns Over CMMC Assessor Capacity Amid Phased Rollout

The Department of War's Cybersecurity Maturity Model Certification 2.0 program is officially underway, but a new federal watchdog report warns that its long-term success is threatened by a critical lack of planning for external market pressures. 

Table of Contents

    • You might also like
    • CISA Forms ANCHOR-CI Framework to Strengthen Critical Infrastructure Security
    • PNNL, OpenAI Partner on DraftNEPABench to Advance Environmental Review Drafting
    • Navy Designates Orion DevSecOps Platform, C-SCRM Capability as Enterprise IT Services
  • What Is the CMMC Program?
  • What Risks Could Affect the CMMC Assessment Ecosystem?
    • GAO: DOW Still Evaluating Training Needs
  • How Prepared Is the Defense Industrial Base for CMMC Compliance?

You might also like

CISA Forms ANCHOR-CI Framework to Strengthen Critical Infrastructure Security

PNNL, OpenAI Partner on DraftNEPABench to Advance Environmental Review Drafting

Navy Designates Orion DevSecOps Platform, C-SCRM Capability as Enterprise IT Services

A Government Accountability Office report published Thursday reveals that the Pentagon has failed to systematically account for external factors that could stall implementation. Chief among these concerns is whether the private sector has enough certified assessors to handle the approximately 80,000 defense contractors now requiring Level 2 certification. 

GAO Raises Concerns Over CMMC Assessor Capacity Amid Phased Rollout

The Potomac Officers Club's 2026 Cyber Summit on May 21 will bring together government and industry leaders to discuss evolving cyberthreats, federal cybersecurity policy and initiatives affecting the defense and civilian sectors. Register now.

What Is the CMMC Program?

CMMC is DOW’s framework for verifying that contractors follow required cybersecurity practices when handling government data. The model was introduced in 2020 and later revised as CMMC 2.0 to simplify compliance and reduce the number of certification tiers.

Under the updated structure, the program includes three levels of cybersecurity maturity aligned with the sensitivity of data handled by contractors:

  • Level 1: Basic safeguards for federal contract information
  • Level 2: Implementation of all 110 controls from the National Institute of Standards and Technology Special Publication 800-171 to protect controlled unclassified information
  • Level 3: Additional protections from NIST SP 800-172 to defend against advanced threats

The Pentagon began the phased rollout of CMMC in November 2025, marking the end of the program’s voluntary phase and requiring contractors seeking certain defense contracts to begin meeting certification requirements.

What Risks Could Affect the CMMC Assessment Ecosystem?

DOW currently relies on third-party assessor organizations to verify that companies are protecting sensitive government data. The Cyber AB, an external nonprofit organization, administers the certification program and accredits organizations that conduct contractor assessments. As of December 2025, The Cyber AB had authorized 92 CMMC third-party assessment organizations to conduct Level 2 certification assessments. However, GAO investigators found that the DOW has not documented how it will mitigate the risk if these private sector assessors cannot meet the demand. 

“By assessing and documenting key external factors and developing approaches to address them, DOD would better understand program implementation risks,” the GAO noted, warning that relying on waivers to bypass requirements could undermine the entire program's intent to verify security.

GAO: DOW Still Evaluating Training Needs

The government watchdog also noted that DOW is still determining how extensively the acquisition workforce must be trained to administer and enforce the CMMC program.

Officials within the Office of the Under Secretary of Defense for Acquisition and Sustainment must evaluate existing training materials and determine whether new courses or expanded training requirements are needed, the report said.

The Defense Acquisition University has already developed several training offerings to support implementation, including:

  • Cybersecurity 1010, an introductory course covering CMMC program requirements and regulatory clauses tied to defense contracts
  • Cybersecurity 1020, which explains how cybersecurity requirements flow through the acquisition process and apply to subcontractors
  • Cybersecurity 1030, a course for senior acquisition personnel focused on selecting appropriate certification requirements for procurements

DAU also provides webinars and online resources describing CMMC regulatory requirements and implementation guidance.

However, GAO said officials have not yet determined the full scope of workforce training required to ensure acquisition personnel can effectively implement the program.

How Prepared Is the Defense Industrial Base for CMMC Compliance?

The urgency of the GAO’s warning is underscored by industry data showing a massive readiness gap. An October 2025 CyberSheath report indicated that only 1 percent of the defense industrial base was fully prepared for the CMMC final rule. The State of the DIB Report 2025 also noted that while 69 percent of contractors claim compliance through self-assessments, only 30 percent have undergone validated third-party checks.

As the Pentagon continues its phased rollout of CMMC requirements, GAO is calling on the DOW secretary to have the department's chief information officer assess and document key external factors that may impede CMMC implementation, ensuring the Pentagon has a clear road map for addressing those challenges. DOW concurred with the recommendation.

Stay connected via Google News
Follow us for the latest travel updates and guides.
Add as preferred source on Google
Share5Tweet19

Recommended For You

CISA Forms ANCHOR-CI Framework to Strengthen Critical Infrastructure Security

by Jane Edwards
July 2, 2026
Cybersecurity and Infrastructure Security Agency seal. CISA has formed the ANCHOR-CI advisory body framework.

CISA has created ANCHOR-CI to expand information sharing and coordination across critical infrastructure stakeholdersANCHOR-CI includes the establishment of four types of councilsThe 2026 Homeland Security Summit will highlight...

Read moreDetails

PNNL, OpenAI Partner on DraftNEPABench to Advance Environmental Review Drafting

by Jane Edwards
July 2, 2026
Pacific Northwest National Laboratory logo. PNNL and OpenAI have partnered on the DraftNEPABench project.

OpenAI and PNNL have teamed up to assess AI coding agents for environmental review drafting tasksDraftNEPABench supports federal efforts to speed up environmental impact statement development and permitting...

Read moreDetails

Navy Designates Orion DevSecOps Platform, C-SCRM Capability as Enterprise IT Services

by Kristen Smith
July 2, 2026
Department of the Navy logo. DON designated Orion and the Naval C-SCRM capability as enterprise IT services.

The Navy has designated two mandatory enterprise IT services: the Orion DevSecOps platform for software development and the Naval C-SCRM capability for supply chain risk monitoringOrion is now...

Read moreDetails

NASA Seeks Comments on Draft Solicitation for Lunar Infrastructure Technologies

by Kristen Smith
July 2, 2026
Moon. NASA is gathering industry comments on its draft Lunar Enabling Infrastructure Accelerator solicitation.

NASA is seeking industry feedback on a draft solicitation to fund prototypes in five technology areas key to sustained lunar operationsThe Lunar Enabling Infrastructure Accelerator covers vertical solar...

Read moreDetails

CIA Director John Ratcliffe Reports on Milestones in Tech Procurement Reform

by Jamie Bennet
July 2, 2026
John Ratcliffe. The CIA Director explained the changes in the agency's structure to speed up technological procurement.

CIA Director John Ratcliffe highlighted some milestones in the agency's commitment to accelerating the acquisition of AI and other technologiesHe mentioned the new Office of Corporate Partnerships and...

Read moreDetails
Sign Up For Our Newsletter
Subscribe to our mailing list to receives daily updates direct to your inbox!
Invalid email address
Your privacy is guranteed.
Thanks for subscribing!

Sponsors

About ExecutiveGov

ExecutiveGov, published by Executive Mosaic, is a site dedicated to the news and headlines in the federal government. ExecutiveGov serves as a news source for the hot topics and issues facing federal government departments and agencies such as Gov 2.0, cybersecurity policy, health IT, green IT and national security. We also aim to spotlight various federal government employees and interview key government executives whose impact resonates beyond their agency.

CATEGORIES

  • Acquisition & Procurement
  • Announcements
  • Articles
  • Artificial Intelligence
  • Awards
  • Big Data & Analytics News
  • C4ISR
  • Civilian
  • Cloud
  • Contract Awards
  • Cybersecurity
  • Defense And Intelligence
  • Defense Security Cooperation
  • DHS
  • Digital Assets
  • Digital Modernization
  • DoD
  • Events
  • Executive Moves
  • Executive Spotlights
  • Federal Civilian
  • Financial Reports
  • Foreign Military Sales
  • General News
  • GovCon Expert
  • Government Cloud
  • Government Technology
  • GSA
  • Healthcare IT
  • Industry News
  • Intelligence
  • Legislation
  • M&A Activity
  • National Security
  • News
  • Policy Updates
  • Press Releases
  • Profiles
  • Space
  • Videos
  • Wash100
Sign Up For Our Newsletter
Subscribe to our mailing list to receives daily updates direct to your inbox!
Invalid email address
Your privacy is guranteed.
Thanks for subscribing!

Copyright 2026 Executive Mosaic. All Rights Reserved.

No Result
View All Result
  • Home
  • Acquisition & Procurement
  • Agencies
    • DoD
    • Intelligence
    • DHS
    • Civilian
    • Space
  • Cybersecurity
  • Technology
  • Awards
  • News
  • About
  • Wash100
  • Contact Us
    • Advertising
    • Submit your news

Copyright 2026 Executive Mosaic. All Rights Reserved.

Get your free GovCon news!

Get your latest GovCon news and insights. Become a VIP and subscribe to the GovConWire Daily News.

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
Thanks for subscribing!