GAO report finds defense industrial sector behind in communication, performance goals

A report released by the U.S. Government Accountability Office (GAO) addresses what steps the Department of Defense (DOD) has taken to develop the Cybersecurity Maturity Model Certification (CMMC) model, the extent to which DOD has made progress in implementing CMMC, including communication with industry, and the extent to which DOD has developed plans to assess the effectiveness of CMMC. 

The GAO report released on Wednesday said that the defense industrial base must focus more energy on improving stakeholder communication and performance goals, in order to improve the certification framework at the DOD.

The defense agency released CMMC 2.0 last month, which further builds upon the initial CMMC framework to enhance defense industrial cybersecurity against evolving threats. 

The GAO report recognized that the DOD’s CMMC model is a significant undertaking expected to have broad, lasting effects on companies that are awarded contracts from the DOD to provide critical goods and services. During the course of this review, government and industry representatives raised several critical issues that are important to the future course of CMMC. These include defining categories of sensitive unclassified information, such as controlled unclassified information (CUI), and correctly marking such information to ensure appropriate handling and safeguarding, it added.

The model also helps ensure that acquisition program offices and other DOD entities do not incorrectly mark non-sensitive information as CUI, which would limit the companies eligible to compete for associated contracts. The representatives also raised the need to determine the extent to which international companies may experience challenges competing under solicitations and performing contracts that include CMMC as a requirement. In addition, the congressional watchdog’s report flagged the issue of monitoring efforts that other federal agencies are considering or taking to adopt CMMC or similar requirements for their supply chains.

The CMMC framework is intended to provide the department with increased assurance that the defense industrial base can adequately protect sensitive unclassified information. According to DOD estimates, there are over 200,000 companies in the defense industrial base. Depending on the sensitivity of the information to be protected, defense industrial base companies will be required to adopt cybersecurity requirements at one of five levels, and to submit to and pass a third-party assessment, in order to receive certification at the appropriate level.

GAO conducted the review because the DOD relies on thousands of defense contractors for goods and services ranging from weapon systems to analysis to maintenance. In doing business with DOD, these companies access and use sensitive unclassified data.

Accordingly, the department has taken steps intended to improve the cybersecurity of the defense industrial base. GAO reviewed DOD documents related to the design and implementation of CMMC and interviewed DOD officials involved in designing and managing it. GAO also interviewed representatives from defense contractors, industry trade groups, and research centers, and met with representatives of defense industrial base companies that have gone through a Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment.

DOD began developing CMMC in 2019 and issued the initial version of the CMMC standard in January 2020. Though the defense agency began CMMC implementation with an interim rule that took effect in November 2020, the rollout of the five-year pilot phase is delayed, GAO said. For example, DOD planned to pilot the CMMC requirement on up to 15 acquisitions in fiscal year 2021 but has not yet included the requirement in any acquisitions, in part due to delays in certifying assessors.

Industry—in particular, small businesses—has expressed a range of concerns about CMMC implementation, such as costs and assessment consistency, GAO said in its report. 

“DOD engaged with industry in refining early versions of CMMC, but it has not provided sufficient details and timely communication on implementation. Until DOD improves this communication, industry will be challenged to implement protections for DOD’s sensitive data. DOD has identified plans to assess aspects of its CMMC pilot, including high-level objectives and data collection activities, but these plans do not fully reflect GAO’s leading practices for effective pilot design,” it added. 

Further, GAO found that DOD has not developed outcome-oriented measures, such as reduced risk to sensitive information, to gauge the effectiveness of CMMC. Without such measures, the department will be hindered in evaluating the extent to which CMMC is increasing the cybersecurity of the defense industrial base. 

GAO said that the CMMC 2.0 program includes a number of significant changes, including eliminating some certification levels, DOD-specific cybersecurity practices, and assessment requirements. DOD also announced that it intended to suspend the current CMMC pilot and initiate a new rulemaking period to implement the revised framework.

GAO made three recommendations for executive action. First, it advised that the Secretary of Defense should ensure the Under Secretary of Defense for Acquisition and Sustainment provides sufficient and timely communication to industry on the CMMC program, including when additional information will be forthcoming.

It also put forward that the Secretary of Defense should ensure the Under Secretary of Defense for Acquisition and Sustainment develops a plan to evaluate the effectiveness of CMMC’s pilot, including establishing measurable objectives, collecting relevant data, and identifying lessons and plans to use that information to inform future decisions about the model. 

The GAO also proposed that the Secretary of Defense should ensure the Under Secretary of Defense for Acquisition and Sustainment develops outcome-oriented performance measures to evaluate the effectiveness of CMMC, as a component of the department’s efforts to enhance cybersecurity for the defense industrial base.

The DOD has concurred with the recommendations and outlined plans to address them in CMMC 2.0. The defense agency also said in the GAO report that it has begun initial engagement with congressional staff and industry on the transition to CMMC 2.0, which GAO called a positive development. Going forward, in addition to the formal public comment period that is part of the rulemaking, GAO said the department should continue to provide consistent updates to industry throughout the rulemaking process.

On the second and third recommendations made by GAO, the defense agency said that the CMMC program office has initiated activities to identify metrics to evaluate implementation and measure performance. GAO described these as important steps that will better enable DOD to improve CMMC as it works toward full implementation.

DOD also stated that it has not yet determined the specific structure and scope of any pilot under the CMMC 2.0 framework, but that it supports this recommendation and agrees to develop a plan to evaluate the effectiveness of CMMC implementation, including any piloting when conducted, GAO said in its report. “As DOD implements CMMC 2.0, to the extent it follows up on efforts to plan for and execute ways to measure the effectiveness of its implementation efforts, overall performance, and the effectiveness of the effort, it will be better positioned to determine if CMMC is accomplishing its original intent,” it added.