Watchdog Notes DOD’s Failure to Evaluate CMMC Pilot, Communicate Program Details
The Government Accountability Office said in a new report that the Department of Defense failed to develop plans for an effective pilot phase of the Cybersecurity Maturity Model Certification program and that it left out industry on key implementation details.
According to the report, the DOD's plans to assess portions of the five-year CMMC implementation, while they include data collection activities and high-level objectives, fell short of GAO's leading practices for effective pilot design.
The watchdog called out the department’s failure to define when and how it plans to analyze data to measure performance and its lack of outcome-oriented measures to gauge the effectiveness of the cybersecurity program, Nextgov reported Thursday.
Additionally, the DOD was flagged for not communicating changes to CMMC to industry.
GAO said the department only engaged with industry during the early stages of CMMC when the program was still being refined. Afterward, the watchdog noted that the DOD did not provide sufficient and timely communication to industry on implementation details.
Requests for more transparency and better communication with defense contractors surfaced during the program's internal review, which led to the introduction of CMMC 2.0. At the time, trade associations sent a letter to the DOD raising concerns about the program's timeline, scope and manner of implementation.
To address these issues, GAO recommended that the DOD communicate better with industry, develop a plan to evaluate the pilot and draft outcome-oriented performance measures.