The Government Accountability Office (GAO) has recommended that the Department of Defense improve communication with industry on the Cybersecurity Maturity Model Certification (CMMC) program and come up with outcome-oriented performance measures to assess CMMC’s effectiveness as a component of DOD’s efforts to improve cybersecurity for the defense industrial base.
GAO made the recommendation after it found that DOD has not supplied sufficient details and communication on CMMC implementation, according to a report published Wednesday.
“Until DOD improves this communication, industry will be challenged to implement protections for DOD’s sensitive data,” the report reads.
DOD should create a plan to evaluate the CMMC pilot’s effectiveness, and GAO said such a plan should state how the department plans to collect relevant data and establish measurable objectives, among other things.
In November, the Pentagon unveiled the CMMC 2.0 program to simplify the program standard and further clarify cybersecurity regulatory, policy and contracting requirements.
According to the congressional watchdog, DOD announced plans to suspend the CMMC pilot and launch a new rulemaking period to implement the updated CMMC framework.