Sum IT Up: CMMC News Roundup
Episode: GAO Gave CMMC a 95%... Then Called It a Problem
Date: March 19, 2026
Host: Summit 7
Episode Overview
This episode dives into the recent Government Accountability Office (GAO) report that evaluates the Department of Defense's (DoD) implementation of the Cybersecurity Maturity Model Certification (CMMC) program. Despite the GAO giving the DoD nearly perfect marks (95%, or 20 out of 21 points), much of the media coverage and industry chatter paints the report as negative. The hosts unpack why this perception exists, break down the actual findings of the GAO report, discuss what really constitutes a "problem," and reflect on how far the CMMC program has come over the past five years.
Key Discussion Points & Insights
1. Why the GAO Report Matters
- Background: Congress directed the GAO to review CMMC implementation as part of the 2025 National Defense Authorization Act (NDAA).
- Context: This is not GAO's first CMMC evaluation; its 2021 review was effectively superseded by the release of CMMC 2.0 and the accompanying rulemaking ([00:00]).
- Main Question: If DoD scored so highly, why is the report being spun as negative news?
2. Media Spin vs. Report Reality
- Host Frustration: The hosts highlight how negative headlines may stem from misreading, AI-generated articles, or deliberate clickbait tactics.
- Quote:
"If your kid was taking four classes and got a hundred percent in three of them and a 95% in the fourth... that's pretty good. They're a straight A student." — A ([02:44])
- Advice: Always read the original report; secondary sources may distort or miss the nuance.
3. GAO's Four Focus Areas
The GAO evaluated CMMC implementation across four categories:
- Assistance for Small Businesses
- Training for the Acquisition Workforce
- Cyber AB's Preparedness
- DoD's Strategic Planning
1. Efforts to Assist Small Businesses
- Findings: DoD offers a wide array of resources to small businesses (e.g., scoping guides, Project Spectrum, NSA Cybersecurity Collaboration).
- Adoption Gap: Few businesses are using these resources; most only seek help when compliance becomes mandatory ([09:51]).
- Industry Feedback: Resources are indeed helpful, meeting the GAO's criteria for assistance.
- Quote:
"When GAO shows up and says, do you offer things to small business to help? The answer is yes. The question was not, do they help you satisfy every single requirement..." — A ([07:41])
2. Acquisition Workforce Training
- Findings: The CMMC program office has developed CMMC-focused training through Defense Acquisition University, but completion is voluntary; only the Office of the Under Secretary of Defense for Acquisition and Sustainment (A&S), which owns the acquisition workforce, can mandate it.
- Context: CMMC’s purpose includes enabling the acquisition workforce to verify contractor compliance.
- Quote:
"CMMC owns the program. A&S owns the workforce that executes the program. So even though CMMC creates the training, A&S says it's voluntary, it's mandatory..." — A ([13:39])
3. Cyber AB's Readiness
- Findings: Cyber AB, which oversees the CMMC ecosystem, is fully prepared—no issues cited.
- Quote:
"GAO found no issues here with the AB's actions to prepare for the rollout of the program. That's good. That's good. There were no issues. 100%, yes question." — A ([15:45])
4. DoD’s Comprehensive Strategy
- Findings: The DoD's strategy met 6/7 GAO criteria (18 of 21 points) and partially addressed the 7th, earning a total of 20/21.
- GAO's Criteria: Mission statement, problem definition, scope, goals, activities/milestones, resources, roles/responsibilities, and key external factors ([18:46]).
- Issue: The only "problem" was not fully accounting for all possible key external factors.
- Quote:
"Those first six elements fully addressed... The seventh one is partially addressed. It's not missing. It's not not addressed. It's partially addressed. So they get two out of three points. That's 20 out of 21 points. Quick maths, everybody. That's a 95%." — A ([19:46])
In-Depth Analysis: The "Problem" Area
What Did GAO Want?
- External Factors Not Fully Addressed: GAO faulted DoD for not systematically identifying all external factors that could affect the program's success.
- Examples from GAO:
- Ecosystem capacity: whether there are enough assessors. The hosts regard this as theoretical rather than a current constraint.
- Program demand: compliance costs could deter companies from staying in the Defense Industrial Base (DIB). The hosts note this is an appropriations question for Congress, not something DoD controls.
- Evolving requirements: the program will need to move from NIST SP 800-171 Rev. 2 to Rev. 3.
- Host Critique: The hosts argue GAO overlooked more consequential external challenges, such as DFARS 252.204-7012 implementation and correct marking of Controlled Unclassified Information (CUI), while focusing on less impactful ones.
Memorable Moments & Quotes
- "If you're going to take... over a year to write an analysis of the program's implementation, like just try harder next time." — A ([35:31])
- "You want them to try harder. On the other hand, if they took over a year to write a report and this is what they came up with." — B ([35:39])
On Appropriations and Accountability
- The report doesn't address that Congress, not DoD, controls appropriations for helping industry—one of the real external bottlenecks.
- Dynamics between prime and sub-contractors are ignored as a key external factor.
Important Timestamps
- 00:00–02:44 — Introduction to the GAO report, historical background, and initial impressions.
- 06:53–09:51 — Breakdown of DoD’s assistance to small businesses and why more companies aren’t using available resources.
- 11:57–14:43 — Deep dive into acquisition training and DoD's relationship to the acquisition workforce.
- 15:45–16:27 — Cyber AB's preparation and GAO's findings on assessment ecosystem readiness.
- 18:46–21:22 — Detailed review of DoD’s comprehensive strategy and the GAO’s scoring methodology.
- 24:54–30:25 — Realistic discussion of "external factors" and what the GAO missed about the program’s challenges.
- 33:15–35:39 — Critique of GAO’s point about evolving standards, timeline issues, and broader congressional context.
- 38:59–39:13 — Final wrap-up, reframing the significance of the 95% "problem," and encouraging listeners to read the report themselves.
Tone & Style Highlights
- The hosts balance deep regulatory knowledge with conversational banter and analogies (e.g., "rye bread’s too stale," "it's like saying a fly landed on your shoulder during inspection and we're going to gig you" [30:07]).
- There’s frustration with superficial industry headlines and a call for more nuanced analysis.
- The tone is pragmatic, slightly irreverent, and aimed at demystifying regulatory jargon.
Takeaways
- CMMC has improved dramatically—from a highly criticized 1.0 to a near-perfect score by independent auditors.
- Media and industry peers may be overemphasizing minor critiques, missing the big picture of successful government program implementation.
- Most cited weaknesses are either outside DoD’s control or already mitigated (e.g., via waivers).
- The real challenge is not the program’s design but the external context: congressional appropriations, contracting dynamics, and broader ecosystem readiness.
Notable Quotes (with Timestamps & Attribution)
- “[GAO] knocked it out of the park... The fourth one, they have one partially implemented finding that they need to take care of and that's basically the summary of the report. And yet people are like, ‘they're missing stuff here.’ I'm like, that's not what the report says.” — A ([05:57])
- “If you expect the world to be given to you... that's where it is. But the accountability for the things that they must perform is now being reported upon.” — B ([07:16])
- "CMMC was designed to kill two birds with one stone. It allows the contract workforce to easily see, did you or did you not meet these requirements?... The acquisition workforce needs to be pretty familiar with what this program is because they're half of the reason why the program exists in the first place." — A ([11:44])
- “Assessment capacity is not the constraint on the ecosystem as an external factor. Implementation capacity is the constraint." — A ([22:40])
- "GAO, are you listening? Leave a comment below, GAO, if you could explain this one to me because I don't get it." — A ([23:39])
- "Where's our 100? That's kind of what I'm screaming now, right?" — B ([29:59])
Final Reflection
If CMMC were a student, it would be graduating near the top of the class—a far cry from concerns about the program’s viability just five years ago. The main message: Don’t believe the hype. Read the GAO report yourself, recognize CMMC’s major progress, and focus energy on real, actionable concerns.
For listeners new to CMMC or DoD cybersecurity:
This episode provides both a thorough news roundup and an invaluable primer on how government cybersecurity regulation evolves—and how to read between the lines of industry headlines.
