Defense Contractor Cybersecurity: Stakeholder Communication and Performance Goals Could Improve Certification Framework
Fast Facts
Defense contractors are targets for hackers who are trying to access sensitive data. The Department of Defense is working on a framework to certify that contractors have proper cybersecurity practices in place to protect data.
DOD worked with industry and experts on the framework. However, its plans to start certifying contractors are delayed, and DOD hasn't communicated key details for defense contractors, such as reciprocity between its certification and others. In addition, DOD won't know how effective the certification is until it sets performance goals.
We recommended that DOD develop outcome-oriented performance measures, and more.
Highlights
What GAO Found
For years, malicious cyber actors have targeted defense contractors to access sensitive unclassified data. In response, since 2019, the Department of Defense (DOD) has engaged with a range of stakeholders to develop and refine a set of cybersecurity practices and processes for contractors to use to help assure security of the data. For relevant contracts, this Cybersecurity Maturity Model Certification (CMMC) requires that defense contractors implement these practices and processes on their information systems and networks.
Key Steps in CMMC Verification Process
DOD began CMMC implementation with an interim rule that took effect in November 2020, but the rollout of the 5-year pilot phase is delayed. For example, DOD planned to pilot the CMMC requirement on up to 15 acquisitions in fiscal year 2021 but has not yet included the requirement in any acquisitions, in part due to delays in certifying assessors. Industry—in particular, small businesses—has expressed a range of concerns about CMMC implementation, such as costs and assessment consistency. DOD engaged with industry in refining early versions of CMMC, but it has not provided sufficient details and timely communication on implementation. Until DOD improves this communication, industry will be challenged to implement protections for DOD's sensitive data. DOD has identified plans to assess aspects of its CMMC pilot, including high-level objectives and data collection activities, but these plans do not fully reflect GAO's leading practices for effective pilot design. For example, DOD has not defined when and how it will analyze its data to measure performance. Further, GAO found that DOD has not developed outcome-oriented measures, such as reduced risk to sensitive information, to gauge the effectiveness of CMMC. Without such measures, the department will be hindered in evaluating the extent to which CMMC is increasing the cybersecurity of the defense industrial base. In November 2021, DOD announced CMMC 2.0, which includes a number of significant changes, including eliminating some certification levels, DOD-specific cybersecurity practices, and assessment requirements. DOD also announced that it intended to suspend the current CMMC pilot and initiate a new rulemaking period to implement the revised framework.
Why GAO Did This Study
DOD relies on thousands of defense contractors for goods and services ranging from weapon systems to analysis to maintenance. In doing business with DOD, these companies access and use sensitive unclassified data. Accordingly, the department has taken steps intended to improve the cybersecurity of this defense industrial base.
A Senate report included a provision for GAO to review DOD's implementation of CMMC. This report addresses (1) what steps DOD took to develop CMMC, (2) the extent to which DOD made progress in implementing CMMC, including communication with industry, and (3) the extent to which DOD has developed plans to assess the effectiveness of CMMC.
GAO reviewed DOD documents related to the design and implementation of CMMC and interviewed DOD officials involved in designing and managing it. GAO also interviewed representatives from defense contractors, industry trade groups, and research centers.
Recommendations
GAO is making three recommendations to DOD to improve communication to industry, develop a plan to evaluate the pilot, and develop outcome-oriented performance measures. DOD concurred with the recommendations and outlined plans to address them in CMMC 2.0.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status Sort descending |
|---|---|---|
| Department of Defense | The Secretary of Defense should ensure the Under Secretary of Defense for Acquisition and Sustainment provides sufficient and timely communication to industry on Cybersecurity Maturity Model Certification, including when additional information will be forthcoming. (Recommendation 1) |
Closed – Implemented
DOD agreed with our recommendation. In September 2022, DOD's Chief Information Office (CIO) updated the Cybersecurity Maturity Model Certification (CMMC) website with information about the new program and updated Frequently Asked Questions (FAQs) section of the website. Specifically, the FAQs were updated to include the updated proposed CMMC model and an estimated timeframe for the rulemaking process, after which additional program information will be available. Additionally, an advanced notice for proposed CMMC rulemaking was posted to the Federal Register on November 17, 2022. The CIO also reports additional engagement with industry stakeholders to spread awareness and gather input.
|
| Department of Defense | The Secretary of Defense should ensure the Under Secretary of Defense for Acquisition and Sustainment develops a plan to evaluate the effectiveness of Cybersecurity Maturity Model Certification's pilot, including establishing measurable objectives, collecting relevant data, and identifying lessons and plans to use that information to inform future decisions about the Cybersecurity Maturity Model Certification. (Recommendation 2) |
Closed – Implemented
DOD agreed with our recommendation. In March 2023, DOD's Chief Information Office (CIO) Cybersecurity Maturity Model Certification (CMMC) Program Office developed a set of process implementation metrics to track the implementation of CMMC once the rulemaking process is complete, including metrics addressing adoption, quality, capacity, and cost. Specifically, the plan identifies the method and inputs used to develop the metrics and required data sources.
|
| Department of Defense | The Secretary of Defense should ensure the Under Secretary of Defense for Acquisition and Sustainment develop outcome-oriented performance measures to evaluate the effectiveness of Cybersecurity Maturity Model Certification as a component of the department's efforts to enhance cybersecurity for the defense industrial base. (Recommendation 3) |
Closed – Implemented
DOD agreed with our recommendation. In March 2023, DOD's Chief Information Office (CIO) Cybersecurity Maturity Model Certification (CMMC) Program Office developed a plan to use suitable metrics to evaluate progress of CMMC implementation and identify relevant outcomes to inform future decisions about the CMMC program. Specifically, the plan proposes to use specific data to map anonymized assessment data to the NIST standards that comprise the CMMC model to help assess the effectiveness of specific standards. This process will help inform the overall effectiveness of the CMMC program, and CMMC Program Office officials said that these metrics will be used to identify trend data.
|