
A
All right, folks, it is March of 2026, and in 2025, Congress asked the Government Accountability Office to evaluate the Department of Defense's implementation of the Cybersecurity Maturity Model Certification program. According to GAO, the Department has done exceptionally well at implementing CMMC. Assisting small businesses. Check. Prepared to train the acquisition workforce. Check. The Cyber AB's actions to prepare for the implementation of the program. Check. The Department's strategy to guide implementation of the program. The Department scores a 95%, 20 out of 21 points. So why is everyone acting like this report is bad news? That's what we're going to talk about today. Jason, this is not the first time that GAO has evaluated the CMMC program. Way back in the day in 2021, GAO found that CMMC 1.0 had a ton of room for improvement. We'll say, however, that report was overshadowed because CMMC 2.0 rulemaking kicked off basically at the same time that that report came out. So all of their recommendations were basically neutralized by the fact that they were undergoing new rulemaking. By March of 2023, the DoD had already closed the three recommendations from that 2021 GAO report. So nobody ever really talked about it. Anyways. Between two GAO reports, a DoD Inspector General report on the Cyber AB's processes, and literally thousands of public comments across an interim final rule, two proposed rules, two final rules, CMMC is easily one of the most analyzed cyber regulatory programs in history. And people seem to be losing the bigger picture of how far this program has come in the last five to six years. What do you think?
B
I think that Reynolds aluminum foil wrap stock is going to go through the roof for the next couple weeks just because every single time one of these reports comes out, it gives enough ability for the clickbait seekers right to go. It's ending. This is over. You know, it's just a continuous process. When you said in the beginning that GAO is doing a report, I said again, right? Why? Like, you know what I mean? Like, is there, there's got to be problem, like, what's going on here? And then I read the report and I'm like, where are the problems?
A
Yeah, I think, you know, what we were talking about earlier is, you know, we'll talk about it, but GAO evaluates DoD's implementation of the program in four things. And if your kid was taking four classes and got a hundred percent in three of them and a 95% in the fourth one, I don't know, call me crazy, that's pretty good. They're a straight A student, they're doing pretty great. For some reason, the title of the report and some of the headlines around the report, I don't know if this is just AI slop from the various articles that have been written, generated from the report. They're a little negative and I feel like they are not really capturing the picture of what the report says. Like always, everybody read the report for yourselves because that's the best thing you could possibly do. But we're going to step through what the report says in the outline and I think it'll kind of become clear that that's not really the case of what's going on.
B
Accountability is one of those terrifying words in this entire ecosystem right now. As soon as you start throwing accountability out, everybody loses their fricking mind. And so I think that when the Government Accountability Office releases a report on a program, and especially if it's a program that you want to go away, you're going to hang on every single word to see what you can draw from it to get to there.
A
You know, like, this is, yeah, GAO works for Congress, they don't work for DoD. This is not DoD's self-evaluation of their own program. This is not even the IG, which is separate from the CMMC program but still works for the Department. This is completely outside, completely external. So if anybody's going to find some problems, it's going to be these guys.
B
All right, so they, I mean, they found problems, but then we found a new program, right? Like, so does that make sense?
A
It does, yeah. Well, let's, let's dive into it.
B
This is the first one of 2.0. There we go.
A
Yes. Yeah, exactly. Yes. First report for 2.0. But let's dive into what they found and people can decide for their own if they think that it's a significant issue or not. So very quickly, why did GAO do this study? Senate Report 118-188 accompanied the FY25 NDAA and it included a provision for GAO to review DoD's implementation of the revised CMMC program. Perfectly, perfectly normal. Totally and totally a good thing that Congress should be asking GAO to do. So GAO conducted an audit of the implementation of the program from December of 2024 to March of 2026. This is peak time where rules were getting published. If everybody remembers back in the day, that's when GAO went in and they're like, we're going to double check to make sure that you got a plan, you got a strategy. Things are looking right now that we're actually publishing these rules after this years-long rulemaking process. So the report describes four things about the CMMC program. First, DoD's efforts to assist small companies in meeting cyber requirements. Very important. Something that gets brought up every time there's a call or a discussion about the program. Two, the extent to which DoD is prepared to train the acquisition workforce on their responsibilities. Also very important. It's not just about industry and just about what contractors have to do. Three, the Cyber AB's actions to prepare for implementation of the program's requirements. We've already done episodes in the past. We did a four-part episode in the past about the DoD Inspector General's evaluation of the Cyber AB's processes for accrediting C3PAOs. Go check that out if you're interested. And then four, assessing the extent to which DoD has a comprehensive strategy to guide implementation of the program. That's the shell of the report. That's what they're going to take a look at. Like we said, those first three knocked it out of the park. 
The fourth one, they have one partially implemented finding that they need to take care of and that, that's basically the summary of the report. And yet people are like this is, they're, they're missing stuff here. I'm like, that's not what the report says.
B
Did I hear you say they knocked the first three out of the park? According to the report, yeah. Then how come everybody's like, we need to do more for small business. Where is the funding? When is DoD going to build an enclave so I could just throw all their data in there, because this is their data? Where's all that?
A
I mean, you know, all those things are true, but you know, all those things, multiple things can be true, you know.
B
But yeah, I think it's because you have to level set expectations. Like if you expect the world to be given to you or you expect everything to be handed to you, that's where it is. Right. But the expectation and what's required of them, the accountability for the things that they must perform, is now being reported upon. I think that that was the key point to get at there is that, yeah, I can expect a Lamborghini every time I buy a new car, but reality is that I got to drive a Jeep.
A
Yeah, well, let's look at each one of these one by one. The first three are pretty quick. So first, DoD's efforts to assist small companies in meeting related cybersecurity requirements. Do they do that or not? Right, that's the question. And GAO found that they do. DoD offers resources for small companies in meeting cyber requirements. Now, this might not be an answer that people want to hear, this might not be the DoD doing it for you, but it is true that DoD does offer assistance and resources for meeting the requirements. They list everything in Appendix 2 of the report, if you're curious. We definitely don't have time to go through the whole list, but a short version of that list is literally everything on the DoD CIO CMMC page. The PowerPoints, the explanations, all of the ancillary documents that aren't actually required to exist in the regulation, scoping guides, implementation guides, explanations, things like that, the Mentor Protege Program, Project Spectrum, the NSA Cybersecurity Collaboration Center, and all the tools and services that they offer. Like I said, you can check out the appendix. Those things do exist. Which means that whenever GAO shows up and says, do you offer things to small businesses to help? The answer is yes. The question was not, do they help you satisfy every single requirement that's in your contract? That's not the question. It's probably not realistic that they'd be able to do that. The question was not, should they offer more? It was, do they offer anything at all? And they have a pretty long list of things that they do actually offer.
B
So when the first GAO report came out, these resources that were offered for free were offered to a select few. Right, right. And so now, since this first report, one of the growths that's happened for the entirety of the program is the availability of the resources. Right now, it's an open program. Anybody that's within the DIB can go in there and can benefit from it as long as they set expectations as to what it is. And you're not expecting, when it comes time for you to get assessed, that maybe those people that are in the Cybersecurity Collaboration Center are going to show up to your assessment and talk about the shared responsibility between your services. Yeah, that's one of the big things.
A
They talk about this in the report, which we might get into in a future episode. Not very many people use these resources. Right. They include some stats in there. There's not a lot of people in industry that are taking advantage of, what,
B
the 2100 or something.
A
It's very low. It's very low. And so, you know, there's a whole subtext there around the fact that these things are made available and it wasn't required that anybody use them while everyone was waiting for CMMC. Now all of a sudden CMMC shows up and everybody goes, where are the resources? Where are the resources? Like, well, looks like people are only interested in the resources when they're forced to have to meet the requirements. So there's a whole other story that could be told there. Anyways, within this section, GAO says that they interviewed other DoD organizations, the Army, the Navy, the Air Force, DLA, Office of Small Business Programs. All those people said, we tell our suppliers, we tell our contractors that these resources are available. Adoption is still very low. Everybody. Then GAO went and asked industry and they said, industry representatives that we met with stated that these resources are generally helpful to DIB companies. They meet the requirement. DoD does assist small companies in meeting the requirement. Box checked. Next question. So GAO moves on. And they say, number two, the extent to which DoD is prepared to train its acquisition workforce on their related responsibilities. GAO had two things to say. DoD has developed training resources for the defense acquisition workforce and DoD is assessing that training, their resources, their requirements, and the extent to which that training will be required. Couple things. The original DoD Inspector General report from 2019 that kicked this whole CMMC saga off didn't just find that contractors weren't meeting their requirements. It also found that the contracting workforce wasn't asking about whether or not industry was meeting their cyber requirements. So CMMC was designed to kill two birds with one stone. It allows the contract workforce to easily see, did you or did you not meet these requirements?
B
And.
A
And it allows industry to say, we did or we did not meet these requirements. Right. That means that the acquisition workforce needs to be pretty familiar with what this program is because they're half of the reason why the program exists in the first place. So DoD has created, specifically Defense Acquisition University has created, three voluntary CMMC-focused training courses for the acquisition workforce. And here's a little line in the report. The Office of the Undersecretary for Acquisition and Sustainment, not the DoD CIO, not the CMMC program office, who works for the DoD CIO. The Undersecretary for Acquisition and Sustainment. Totally different office. They are evaluating the extent to which the courses need to be updated and expanded and whether or not the courses need to be mandatory for the acquisition workforce. Right. The acquisition workforce doesn't work for CMMC. The acquisition workforce works for A&S. So even though CMMC is being evaluated for whether they created the material to train those people, it is not part of their authority to make people take the training. So it is true that CMMC has these resources available. They're on the DAU website right now. A lot of people in industry can go take them right now, if they want to. Yet A&S is deciding whether they're going to make the courses mandatory or not. So CMMC gets the points, they meet the requirement. A&S, what are you doing? What are you doing?
B
And who updates the courses, who's responsible for maintaining them and expanding them and things of that nature?
A
Well, theoretically it's the CMMC PMO, which they have a plan for updating all the training and things like that. But it ultimately has to go through the A&S bureaucracy machine before it becomes mandatory and does all that thing. It's a weird relationship. CMMC owns the program, A&S owns the workforce that executes the program. So even though CMMC creates the training, A&S says it's voluntary, it's mandatory. It's mandatory for some of you, but not all of you, blah, blah, blah. So CMMC has created the resource that the acquisition workforce needs. I don't know what you're doing, A&S, but if you remember back in the day, I know I do. CMMC was originally your problem. CMMC originally existed in Acquisition and Sustainment. You know exactly why this program exists. I've been to your meetings where you don't let the press into and it's all Chatham House rules and we're not allowed to talk about what was said. I know you know this is a problem. Make the requirements mandatory for the acquisition workforce. According to GAO, CMMC gets the point.
B
Points. What the man said.
A
There you go. All right, halfway there everybody. The third point, the Cyber AB's actions to prepare for the implementation of the CMMC program's requirements. GAO says the Cyber AB administers and facilitates the development of the CMMC ecosystem. This is mostly just an explanation of roles and responsibilities in the ecosystem. Very helpful information to read and review for everybody that's out there. If you're curious about the details of how the Cyber AB is handling this process, go see our four-part video series that dissected every single page of the DoD Inspector General's evaluation of the Cyber AB's process for accrediting C3PAOs, the actual assessment organizations inside of the CMMC ecosystem. You'll probably find it very insightful. GAO found no issues here with the AB's actions to prepare for the rollout of the program. That's good. That's good. There were no issues. 100%. Yes, question?
B
But every time I hear a complaint it's that there aren't enough assessors or assessment organizations.
A
Oh boy, oh boy. So yes, that is, that is a thing that happens. But people say that there's not enough assessment capacity. That's actually related to the fourth finding. That or the fourth.
B
Oh, I thought of this facilitates the development of the ecosystem. The development of the ecosystem is creation of the roles, making sure that they're there.
A
Oh, I mean, that was not an issue that GAO found under the cyber AB's preparation.
B
So just the Office for Accountability said that the people are accountable for this, are doing a good job.
A
Yeah.
B
Okay. Just double checking.
A
Yeah, no, we're three quarters of the way through the report now. And if you want to just do a quick review. Duties assisting small businesses. Industry says it's helpful. DoD is prepared to train the acquisition workforce, but the people who don't work for CMMC are sitting on their hands, not making it voluntary, but they have created everything that's needed for that to be prepared to its fullest extent. And the Cyber AB is fully prepared for the rollout of the program. There are no issues according to what GAO found. Current score 30333, 100% scores so far. Right. Okay, so let's get into the part that's a little more complicated. Of course, you got to read all the way to the end of the report to get to their explanation of the title of the report. So, hey, editors of industry publications and things like that, if you just plug the title page into ChatGPT to create your headlines, you're not going to get the full story. Your headlines are going to be a little misleading. Not going to name any names anyways. The fourth tenet of the report, assess the extent to which DoD has a comprehensive strategy to guide implementation of the program. So the report says GAO assessed DoD's CMMC planning documents using a scorecard methodology against seven key elements of a comprehensive strategic planning idea that they have been using for a long, long time. This is GAO's idea of if you're going to have a strategy, it's got to have these seven things in order for it to be considered a comprehensive strategy. They interviewed DoD officials, they interviewed industry officials about their plans for implementation in order to come up with what's going on. So GAO's key elements for comprehensive strategic planning have to meet seven criteria. 
A mission statement, problem definition, scope and methodology, goals and objectives, activities, milestones and performance measures, resources and investments, organizational roles, responsibilities and coordination, and key external factors that could affect achievement of those goals. If you remember from the report back in 2021, they didn't have a lot of that. They didn't have a lot of that. They were going quick and fast. And they were missing a bunch of stuff anyways. GAO says they use a three-point scale to assess each of those seven criteria. They're using this three-point scale to assess DoD's plans. For each of those seven elements, you can have fully addressed if the planning documentation includes evidence that you satisfy that criteria. Partially addressed if the planning documentation satisfies some, but not all, of one of those seven elements or more. And then not addressed if your planning documentation, if your strategy, has no evidence that it satisfies those things that GAO is talking about. Anyways, those first six elements, fully addressed: mission statement, problem definition, scope and methodology, goals and objectives, activities and milestones, resources and investments, roles, responsibilities and coordination across the strategy and across the program. Fully implemented.
B
How does that work on the scoring? So it's full credit, right? Full credit for six? Yeah.
A
Out of those six, that's 18 out of 21 possible points. Now we have the last three points
B
playing with house money at this point
A
in the seventh one. Yeah. So that's already pretty good. The seventh one is partially addressed. It's not missing. It's not not addressed. It's not blank. It's partially addressed. So they get two out of three points. That's 20 out of 21 points. Quick maths, everybody. That's a 95%. So they're only missing part of this idea of key external factors. So even though this is GAO's idea of what a strategy needs to have, not DoD's idea of what a strategy needs to have, not what was required of them in the first place, which says nothing of the fact that they need to have a strategy like this, they still met 20 out of 21 points for how GAO would externally evaluate a strategy. That's very good. GAO always dings people on this where they're like, well, our idea of what a strategy is are the following things, and you didn't meet them. So here's a bunch of recommendations so that you can do things how we would have done them. See you in a couple years. GAO shows up and they were like, oh, you actually did all the things that we would have done.
B
And the goal of this is to make sure that the program is set up to be effective, Right? It is designed and set up to be effective. That's the goal of this report.
A
The goal. That's the goal of the report. The goal of this section specifically is, do you have a strategy? Is it comprehensive? They have a strategy and it's comprehensive, if you think 20 out of 21 points is comprehensive. GAO says if you don't have 21 out of 21, it's not comprehensive, apparently.
B
Apparently, yeah. I want to know where the one point went.
A
Let's talk about this one point and why GAO would say, nice strategy, it ain't comprehensive, even though you scored a 95. Okay, so the part that they are partially missing. GAO says DoD has not systemically identified key factors outside of the Department and beyond its control that could affect achievement of the program's goals. The DoD, the Cyber AB, the CAICO, and industry officials all say that the success of the program relies on external factors. That's true. And they say, based on conversations, GAO identified several factors that could affect success of the CMMC program. Here's where I got an issue. You said you interviewed industry officials. Well, you didn't ask us. And so now we're going to absolutely tear up your supposed external factors that DoD didn't consider. There are three of them. Ecosystem capacity, program demand, evolving security requirements. I hope you're listening, GAO, because there are external factors that are affecting the ability of CMMC to be successful, and these ain't it. So, CMMC ecosystem capacity. They say, GAO, DoD relies on the private sector ecosystem of stakeholders for achieving the program's goals. DoD relies on industry to develop the capacity for assessments and having enough assessors to conduct enough assessments to meet DoD's projections for program requirements. First of all, has assessment capacity been a problem yet? GAO? No, it hasn't. You didn't mention that. So this is a theoretical issue that could happen in the future. You don't talk about at all how DoD's strategy and implementation of the program has dramatically overperformed the estimates in the planning documents that you said that you reviewed so closely. We are about. We're less than 150 days into the phased rollout, and we have doubled the number of estimated assessments at level two that DoD thought they were going to get in the first 12 months of phase one. Where's that note about ecosystem capacity? 
To me, sounds like the program strategy has been executed quite well to handle ecosystem capacity. The part you don't talk about in terms of ecosystem capacity is what we have said a gajillion times on this show. Assessment capacity is not the constraint on the ecosystem as an external factor. Implementation capacity is the constraint on the ecosystem, because assessment capacity is only a constraint if everyone in the ecosystem is ready for an assessment. And that's not true, because not everybody in the ecosystem has fully implemented their requirements pursuant to DFARS 7012. Where's that little footnote, GAO? That's an external factor that is outside of the program's control. Valley, that's the main constraint. What's the strategy for dealing with implementation capacity? What's the strategy for dealing with people not meeting DFARS 7012? Do you have any recommendations to, I don't know, your bosses in Congress who asked you to write this report, about the fact that they said create a program to make sure that everyone is implementing everything, and the number one external factor affecting that thing is that people aren't implementing their requirements? Why is this CMMC's problem when it's a DFARS 7012 problem? Anybody? GAO, are you listening? Leave a comment below. GAO, if you could explain this one to me, because I don't get it.
B
Well, because these reports are generated off of comments and the comments are generated off of complaints, right? A comments box for something, especially a program like this, turns into the complaints where the rye bread's too stale and things like that. And that's exactly what we're getting into, is the rye bread's too stale. And then you look into it and you're like, this rye bread's just fine. The sandwich tastes perfect. Right? I do want to point out something that you point out, that assessment capacity has yet to be a problem. And you're correct. We said that the acquisition workforce is fully trained and that meets requirements, except for, isn't that acquisition workforce inclusive of the group that is over-marking and grossly under-marking CUI?
A
Hey, you want to talk about another external factor that doesn't belong to the CMMC program? CUI marking. They don't talk about that in terms of the fact that the number one way to reduce external factors would be to correctly mark the data. They didn't mention the DoD IG report that we just did an episode about. They didn't mention the original DoD IG report about that issue. They didn't talk about how the CMMC program depends on that executing, and it belongs to yet another office, the Undersecretary for Intelligence and Security, I&S. So I don't know, man, it feels like you guys kind of were looking for something in order to have a finding. And you said that this would be an issue. And it's not your best work, GAO, because if you were to talk to somebody for a little bit longer, it's not that simple.
B
I think that I tried to do the long brain math and I'm terrible at math. But I think since the program, since assessments were able to be done for record, if you took all the C3PAO organizations, I think it's like 0.98 assessments per month per assessment organization. And again, there's no failures. Right. Everything that starts doesn't turn into a failure. It's just in progress. So you only have over 1200 assessments of record that have started. But assessors are saying that we're crazy, crazy busy. I know a couple assessors that say they're crazy, crazy busy. I know one supplier letter that says assessors are crazy, crazy busy. I just don't know if industry agrees.
A
Right. Yeah. So I don't really think that they did a very good job of explaining this external factor. And since we're talking about things that are completely outside of the Department's control, there's really no limit in terms of what they could say here. Let's talk about this third issue. They talk about program demand. They say CMMC program costs and requirements may affect the extent to which existing DIB companies decide to continue doing business with DoD. Yeah, yeah. You got to pass the assessment in order to prove that you can protect the controlled data that you have to have in order to get the contract. That's what the program was for. That's what Congress asked DoD to do. The same people who you're writing this report for said that's what we want the program to do. We're talking about things outside of the Department's control. So you're saying that the program costs might affect the degree to which contractors want to do business. So where's the money? Right. You're admitting to the thing that we talk about all the time. DoD doesn't have the right color of money. They don't have an appropriation from Congress. Who told them to create this program? Who then asked you to write the report about the implementation of the program? They're the ones that pull the lever for the money machine. Right. So where's the money? They don't talk about that in terms of this external factor. They don't say, hey, this costs money. DoD doesn't have an appropriation. Since I'm writing this report to you, Congress, maybe you should think about, since this isn't a thing the DoD can do anything about, but you can, maybe you should think about an appropriation. So either it's not actually an issue and they were just looking to fill out the last few pages, or they missed the boat or something. But, yeah, it costs money. 
DoD doesn't have the money, which is crazy because they have a huge budget, but it has to be approved, appropriated for this use, it isn't appropriated, so there's nothing the department can do. I would have loved to have seen a note from GAO being like, hello, you wanted the program, it costs money. Do you want to pay for it or not? But you know, that wasn't included.
B
Small little wrinkle in the statistic. In the past five conversations that I've had that have to do with costs associated with CMMC. The cost wasn't directly linked to the DoD itself, but linked to the big box prime contractor the organization was doing business with and competitive advantage to get contracts. Nothing to do with anything that currently exists or the fact that they exist or the fact that the big box prime contractor sees an area of opportunity for business and they want you to be a part of the journey to make more money.
A
You know what external factor completely outside the department's control didn't get mentioned in this report at all? The dynamic between the primes and their subs, between what the primes decide to do. The lack of privity of contract between the primes and their subs. From the DoD's perspective, they didn't even
B
mention it because there's no accountability. The DoD has no accountability for that. They just have accountability.
A
They don't have accountability for the money. They don't have accountability for any of these other issues. And they mentioned that they also don't
B
have where's our 100? That's kind of what I'm screaming now, right?
A
Like, they don't have accountability for what I had for breakfast. They don't have accountability for the freaking weather. Why didn't you list those off?
B
Gee, it's like saying a fly landed on your shoulder during inspection and we're going to gig you. You like, like what's happening here.
A
But there are things that are like, you know, real constraints, like the implementation capacity that they point them out in your report. I don't. I just. I just quit wasting my time with
B
Hufflepuff about that they can't even deal with.
A
Yeah, so there's all kinds of stuff that are outside of the DoD's control that get mentioned in the report that I just. If you're going to make it the title of the report, I just expected more, GAO, around your analysis. All right, wrapping up this section. Evolving cybersecurity requirements. Oh my goodness. Okay, so they say that the CMMC program requirements are based off 171 Rev 2, but NIST issued 171 Rev 3 and the DoD has yet to update the CMMC program to incorporate Rev 3. First of all. First of all, that's not outside of the DoD's ability. That is not an external factor. They have addressed this issue. They put in a class deviation. We did a whole episode about it. They did a class deviation that pinned the program to 171 Revision 2 instead of 171 Revision 3. Hey GAO, you remember that Senate report that asked you to go do this analysis of the CMMC program implementation? You remember the part of that report that said they're worried about impact on small businesses? That's what the class deviation was for. That's why they pinned it to Rev 2 instead of Rev 3, to keep the burden on small businesses down and to give them time to implement the requirements that Congress wanted to make sure that contractors are implementing. They have a plan for it. That's what CMMC 3.0 rulemaking is for. That CMMC 3.0 rulemaking is already underway. So what were you doing from December of 2024 to March of 2025 evaluating the program? You didn't ask about CMMC 3.0 rulemaking. You didn't ask about the class deviation. Do you understand what I'm talking about? Do you watch the podcast? Because you would know that they have a plan for this. It's in the strategy. It's not an external factor, and it's not that big of a deal. It's actually a rare win in terms of the DoD proactively looking out for small businesses and keeping the burden down on that point. They say additionally, updating the training procedures and associated guidance for the program to 171 Rev 3 will take time. 
And according to the Cyber AB and CAICO officials, it could take them up to a year to complete the updates once those materials are available. First of all, that's ridiculous. It should not take a year. I would be very upset with the AB if it took them a year. We might actually put out some content in the future about why that shouldn't take a year. First of all, we already know what 171 Rev 3 says and we already know what the organizationally defined parameters for 171 Rev 3 are going to be in the final rule. Contractors are already preparing for 171 Rev 3. You don't need to take a year once the final rule is out to then start changing the material. That's ridiculous. So GAO has a point there. That should not take that long.
B
I. I do think that they have a point, but I don't think it's going to take that long. Anymore, didn't we? We are just a little less than two weeks away from ISACA taking over that entire program. Yeah, the training program and the updating of the materials. I don't think ISACA is going to take that long. There's boards, there's stuff like that. It's not three people that are volunteered as a part of sub zero of an organization that has to run the program now. It is an entire organization, a worldwide organization, with training instructors and things of that nature. And they're naming people to boards to update this stuff. I don't think it's going to be a year. I do think that that is the biggest thing that's going to hold up this rulemaking, you know, like this changeover to 3.0 or whatever we want to call it.
A
We'll probably have to do a different episode on the actual congressional reports that trigger the GAO reports that have come out. I know, very nerdy, everybody. But it is very interesting because they're the ones that asked for CMMC.
B
You love it.
A
And they're the ones that ask for the reports. So it's a window into what Congress is thinking. Part of that report says, we want the DIB to take care of advanced threats. We want OT requirements, we want IoT requirements, we want this, we want that. So they want to dramatically expand the baseline of requirements and the technologies that are in scope and the nature of the security requirements for the DIB. And then they say, we're worried about small businesses. Right. And so you're like, where's the money, Congress? Where's the money? CMMC has a plan for this issue of Rev 2 to Rev 3. Just very disappointed in the fact that this is basically GAO's only wrinkle that they found in the DoD's strategy. And then the examples of what they found as external factors that the strategy doesn't really think about aren't very good.
B
No, this is when you. I, I can't give you a perfect score. It's going to look suspicious. So let me find something. You know, here, here's where it is.
A
Like, don't get me wrong, like I said, assessment capacity is a real external factor that the DoD doesn't control. CUI marking: real external factor that the CMMC office doesn't control that should be mentioned. Right. As real issues that there should be a plan for from somebody. Money appropriated to help with implementation: real factor outside of the DoD's control. But they don't mention that. They mentioned Rev 2 and Rev 3. Like, come on, guys. Like I just, I expected more. If you're going to take, what is that, over a year to write an analysis of the program's implementation, like just try harder next time. Anyways.
B
But you want them to try harder. On the other hand, if they took over a year to write a report and this is what they came up with.
A
Yeah.
B
Now, about the program.
A
Well, I mean, as far as the program evaluated under GAO, the program's doing amazing. And, and to the point, this is not, number seven on the list of, of the strategy elements is not unimplemented. It's not, not addressed. It's partially addressed because the DoD responded and said that's what waivers are for. That's why waivers exist. If people, if there aren't enough people who have implemented in order to meet the requirements in the contract for CMMC, we put out a memo in January of 2025, which they reference in this report, that says you can waive the program requirements as long as you have a plan for having those requirements met eventually. Right. That should take care of any external factors like not enough implementation, not enough assessment capacity, not enough this, not enough that. If the program is in the way, then you can waive the program requirements. GAO says, yeah, these factors aren't really in your control and you have a waiver process, but we don't think that's enough. And so we're going to leave this as a partially implemented factor in your strategy. We're going to leave it as an open recommendation. So you should update your planning documents to factor in these external factors, even though you just told us that you do that, and then we'll consider it to be closed. And then you would have gone from a 95% on item four to a 100%. That's it. That's the degree to which DoD was missing things under GAO's 12-plus-month audit of their implementation and strategy of the CMMC program. Meanwhile, it's like you read the headlines and stuff and people are like, DoD's got work to do and DoD's missing stuff, and DoD's got that. I'm like, are we reading the same report, everybody? Because that's not what I read. This is why I encourage everybody to read it for themselves. I mean, do you guys think out there in chat, did you read the report? Do you think that this is actually as big of a finding as the headlines might lead you to believe?
I don't, I don't really know. Just to wrap up here, we don't cover a bunch of the sections in the report that are very valuable to read for yourself. Everybody should definitely check it out. The background information on the program, the background on federal cybersecurity requirements and their evolution over time, the history of the CMMC program, its development, the structure of the program and of the model, and the details of the roles and responsibilities inside of the DoD and CMMC-related organizations, things like that. So you should check those things out. GAO does a great job of summarizing those things, laying it out, coming up with timelines, infographics, all that stuff. So if you need a refresher or if you're new here, definitely check those things out. Read the report for yourself, come up with your own conclusions. Like we said at the beginning, if your kid had four classes in school and they got 100% in three of them and a 95% in the fourth, and the part they were missing was kind of an opinion rather than anything objective, I think that's probably pretty good, especially compared to what they were doing four or five years ago. Most improved student award goes to the CMMC program.
B
Yeah, five years ago we thought they were going to drop out. Now they're graduating the salutatorian or whatever.
A
Nailed it. Nailed it with that, folks. Like and subscribe. Let us know what you think about the report, what you want to hear about next, and we'll see you next week.
B
See you next week.
Sum IT Up: CMMC News Roundup
Episode: GAO Gave CMMC a 95%... Then Called It a Problem
Date: March 19, 2026
Host: Summit 7
This episode dives into the recent Government Accountability Office (GAO) report that evaluates the Department of Defense's (DoD) implementation of the Cybersecurity Maturity Model Certification (CMMC) program. Despite the GAO giving the DoD nearly perfect marks (95%, or 20 out of 21 points), much of the media coverage and industry chatter paints the report as negative. The hosts unpack why this perception exists, break down the actual findings of the GAO report, discuss what really constitutes a "problem," and reflect on how far the CMMC program has come over the past five years.
"If your kid was taking four classes and got a hundred percent in three of them and a 95% in the fourth... that's pretty good. They're a straight A student." — A ([02:44])
The GAO evaluated CMMC implementation across four categories:
"When GAO shows up and says, do you offer things to small business to help? The answer is yes. The question was not, do they help you satisfy every single requirement..." — A ([07:41])
"CMMC owns the program. A&S owns the workforce that executes the program. So even though CMMC creates the training, A&S says it's voluntary, it's mandatory..." — A ([13:39])
"GAO found no issues here with the AB's actions to prepare for the rollout of the program. That's good. That's good. There were no issues. 100%, yes question." — A ([15:45])
"Those first six elements fully addressed... The seventh one is partially addressed. It's not missing. It's not not addressed. It's partially addressed. So they get two out of three points. That's 20 out of 21 points. Quick maths, everybody. That's a 95%." — A ([19:46])
"[GAO] knocked it out of the park... The fourth one, they have one partially implemented finding that they need to take care of and that's basically the summary of the report. And yet people are like, 'they're missing stuff here.' I'm like, that's not what the report says." — A ([05:57])
"If you expect the world to be given to you... that's where it is. But the accountability for the things that they must perform is now being reported upon." — B ([07:16])
"CMMC was designed to kill two birds with one stone. It allows the contract workforce to easily see, did you or did you not meet these requirements?... The acquisition workforce needs to be pretty familiar with what this program is because they're half of the reason why the program exists in the first place." — A ([11:44])
"Assessment capacity is not the constraint on the ecosystem as an external factor. Implementation capacity is the constraint." — A ([22:40])
"GAO, are you listening? Leave a comment below, GAO, if you could explain this one to me because I don't get it." — A ([23:39])
"Where's our 100? That's kind of what I'm screaming now, right?" — B ([29:59])
If CMMC were a student, it would be graduating near the top of the class—a far cry from concerns about the program’s viability just five years ago. The main message: Don’t believe the hype. Read the GAO report yourself, recognize CMMC’s major progress, and focus energy on real, actionable concerns.
For listeners new to CMMC or DoD cybersecurity:
This episode provides both a thorough news roundup and an invaluable primer on how government cybersecurity regulation evolves—and how to read between the lines of industry headlines.