DOD needs stronger way to gauge effectiveness of cyber program, GAO says

The Department of Defense lacks a framework for properly evaluating its contractor cybersecurity program, a Government Accountability Office study found.

In a report released Friday, the GAO said the CMMC program still needs metrics and other means to measure successes and failures in its core mission of assessing how well DOD contractors protect important data. The congressional watchdog pointed in particular to a lack of communications with industry — a perennial compliant that has been aired before Congress and highlighted by trade groups.

“Until DOD improves this communication, industry will be challenged to implement protections for DOD’s sensitive data,” GAO said.

CMMC is the DOD’s response to a rash of breaches in the defense industrial base that stole sensitive data at the controlled but unclassified level. The program tries to verify the cyber compliance of contractor to three tiers of standards by requiring some contractors to pay for a third-party assessor to inspect their networks.

The program has gone through two major iterations, with an initial requirement for all contractors to get an assessment. In November the DOD dramatically reduced the number of contractors that would need to get an inspection, opting to let the majority of contractor’s to self-certify the security of their networks.

The lack of measurable oversight in the program threatens its rollout, the study found.

“GAO found that DOD has not developed outcome-oriented measures, such as reduced risk to sensitive information, to gauge the effectiveness of CMMC,” The report states. “Without such measures, the department will be hindered in evaluating the extent to which CMMC is increasing the cybersecurity of the defense industrial base.”