GAO flags CMMC assessor risk
The Government Accountability Office reported that the Defense Department hasn’t documented mitigation plans if certified CMMC assessors fall short—creating a potential audit bottleneck. That gap sharpens the need for automated, continuous compliance monitoring across contractor Kubernetes and cloud pipelines.
GAO recommended (gao.gov) that the Department of Defense document the key external factors that could affect CMMC rollout and develop specific approaches to address them, and the agency concurred (gao.gov) with that recommendation. The report notes DOD plans to implement the CMMC program over the next three years (as of GAO’s March 2026 review; gao.gov), while DoD’s CIO office lists CMMC Phase 1 running from Nov. 10, 2025 to Nov. 9, 2026 on its public guidance page (dodcio.defense.gov). DoD estimates that roughly 80,000 Defense Industrial Base firms will need CMMC Level 2 certification (elevateconsult.com), and GAO warned that frequent use of waivers to address assessment shortfalls “could undermine the long‑term viability” of the program (gao.gov). A January 2025 DOD Inspector General audit found gaps in the process for authorizing C3PAOs after reviewing 11 applications (insidedefense.com), and GAO’s March 2026 report lists Joseph W. Kirschbaum, Vijay A. D’Souza, and W. William Russell as points of contact for the published report (GAO‑26‑107955; gao.gov).