
GAO Warns DOD Has Not Fully Planned for CMMC Assessor Capacity

GAO says DOD has not fully documented external risks that could affect CMMC rollout, including assessor capacity.

Brandon Hancock, J.D., CMMC-RP · Published March 12, 2026 · Updated July 2, 2026 · 7 min read

TL;DR: GAO says the Department of Defense has not fully assessed and documented external factors that could affect the Cybersecurity Maturity Model Certification rollout, including whether the private assessment ecosystem will have enough capacity. For contractors watching CMMC Phase 2 and future solicitations, the practical message is simple: do not treat assessor availability as someone else’s planning problem.

Why this GAO report matters

On March 12, 2026, the U.S. Government Accountability Office released GAO-26-107955, Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation. The report does not say the Cybersecurity Maturity Model Certification program is going away. It says DOD has implementation planning documents, but has not fully documented key external risks that could affect whether the program works as intended.

That distinction matters for government contractors.

CMMC is not just an internal DOD policy. It depends on an external ecosystem: The Cyber AB, CMMC Third-Party Assessment Organizations, certified assessors, certified professionals, training providers, and defense industrial base companies that must prepare, schedule assessments, remediate gaps, and maintain current status. GAO found that DOD’s implementation plans addressed six of seven key elements of a comprehensive strategy, but only partially addressed the element involving external factors.

The most important external factor for many contractors is assessment capacity. DOD relies on private-sector CMMC Third-Party Assessment Organizations and assessors to perform assessments for companies that need certification. GAO reported that DOD had not assessed and documented how it intends to mitigate the risk that private-sector capacity could be insufficient to meet assessment demand.

That is directly relevant to contractors watching the CMMC timeline. DOD states that phased implementation has begun, with Phase 1 running from November 10, 2025 through November 9, 2026 and focused primarily on CMMC Level 1 and CMMC Level 2 self-assessments. Assessor-capacity risk bears directly on Phase 2, the point at which more contracts begin requiring C3PAO assessments as a condition of award or performance, and it is the reason Phase 2 planning cannot be separated from assessment scheduling.

What GAO actually found

GAO’s finding is narrower and more useful than a headline about “CMMC delays” would suggest.

GAO reviewed DOD CMMC policies and planning documentation, interviewed DOD officials, and spoke with industry representatives. It found that DOD has developed several planning documents to guide CMMC implementation. But GAO also found that DOD had not systematically assessed and documented key external factors outside the Department’s control.

GAO identified several external factors, including the capacity of the CMMC assessment ecosystem, the cost and burden on defense industrial base companies, and the fact that cybersecurity requirements continue to evolve while CMMC is being implemented.

The assessor-capacity issue is especially important. GAO explained that DOD relies on private-sector stakeholders to conduct assessments of defense industrial base companies. DOD officials told GAO that DOD had not assessed and documented how it intends to mitigate the risk that private-sector capacity could be insufficient to meet assessment needs.

GAO also discussed waivers. DOD officials pointed to the ability of Department leaders to issue waivers if external factors cause significant challenges. GAO was not persuaded that waivers solve the underlying problem. A waiver may address a specific acquisition need, but it does not create more assessors, lower small-business compliance costs, or eliminate the timing problem created when many companies need assessment capacity around the same period.

For contractors, that means the risk is not only regulatory. It is logistical. A company can spend months preparing for CMMC and still face award or performance risk if it cannot obtain the required assessment at the right time.

Why assessor capacity is a contracting issue, not just a compliance issue

Contractors often treat CMMC as a cybersecurity project. That is incomplete. CMMC is also a business-readiness and contract-eligibility issue.

If a solicitation requires a specific CMMC level, the contractor must be able to show the required status in the required system at the required time. For CMMC Level 2 contracts requiring a third-party assessment, internal readiness is necessary but not sufficient. A contractor also needs assessment scheduling, assessment execution, findings management, any permitted Plan of Action and Milestones treatment, affirmation, and recordkeeping.

Assessor capacity affects at least five contracting decisions.

First, it affects bid/no-bid decisions. A contractor that cannot complete an assessment in time may need to avoid a pursuit, pursue as a subcontractor instead of a prime, or change its target opportunity strategy.

Second, it affects teaming decisions. Primes may ask subcontractors earlier for CMMC status, anticipated status, assessment dates, system boundaries, or evidence that the subcontractor is on a credible path to the required level.

Third, it affects pricing. Assessment cost, remediation cost, delay risk, and the cost of maintaining readiness may need to be included in indirect cost planning, proposal strategy, or subcontract pricing.

Fourth, it affects schedule risk. A delayed certification can affect award eligibility, transition performance, option exercise risk, subcontract onboarding, and the ability to accept certain types of Controlled Unclassified Information.

Fifth, it affects representations. A company must avoid overstating readiness, especially where cybersecurity status could affect award, payment, customer reliance, or subcontractor approval.

GAO’s report is therefore not an academic program-management critique. It is a warning that contractors should treat CMMC timing as a supply-constrained market problem.

The waiver issue should not become a business plan

GAO’s discussion of waivers deserves careful reading. DOD may have waiver authority in some circumstances, and waivers can be useful where mission needs require flexibility. But a contractor should not plan around a waiver unless the solicitation, contracting officer, and applicable CMMC rules clearly support that path.

A waiver is not the same thing as compliance. It also may not solve flowdown issues. A prime contractor may face customer pressure, subcontractor risk, and performance concerns even if a waiver is theoretically available. GAO also noted that frequent or widespread waiver use could undermine the long-term viability of the CMMC program and its purpose of verifying that companies are implementing federal cybersecurity requirements.

For contractors, the responsible assumption is that waiver availability will be limited, fact-specific, and controlled by the Government, not by the contractor.

That matters for executives. “Maybe DOD will waive it” is not a readiness strategy. A better strategy is to know which contracts are likely to require which CMMC level, which systems are in scope, what evidence exists, what remediation remains, and when an assessment slot can realistically be obtained.

What this means for government contractors

The core lesson is that CMMC readiness now has an external dependency. A contractor may control its policies, systems, training, evidence, and remediation. It does not control the number of available C3PAOs or certified assessors.

Contractors should therefore build CMMC planning around both internal readiness and external capacity.

For executives and owners, the immediate question is not “Are we generally working on CMMC?” The question is: What contract opportunity would we lose if we could not obtain the required CMMC status by the required date?

For government contracting teams, the next question is whether solicitations, recompetes, and subcontract opportunities have been mapped to likely CMMC levels and timelines.

For compliance teams, the question is whether the company has assessment-grade evidence, not just a control spreadsheet.

For procurement attorneys, the question is whether statements about CMMC status, NIST SP 800-171 implementation, Supplier Performance Risk System scores, or assessment plans are accurate, current, and properly qualified.

A practical next step

Contractors should create a CMMC assessment capacity plan now, not when a solicitation drops.

Use this checklist:

  • Identify contracts, recompetes, and target opportunities likely to involve Federal Contract Information or Controlled Unclassified Information.
  • Map each opportunity to likely CMMC Level 1, CMMC Level 2 self-assessment, or CMMC Level 2 certification assessment requirements.
  • Confirm which systems process, store, or transmit FCI or CUI.
  • Update the System Security Plan and evidence repository for the actual assessment scope.
  • Ask potential C3PAOs about timing, prerequisites, pricing structure, assessment readiness expectations, and whether they anticipate capacity constraints.
  • Build an internal deadline several months earlier than the expected solicitation, award, option, or subcontract milestone.
  • Review all proposal, marketing, and subcontractor-facing statements about CMMC status for accuracy.

The takeaway is not panic. It is sequencing. If assessor capacity becomes tight, the contractors that treated assessment scheduling as part of capture planning will be in a better position than those that waited until CMMC appeared in a solicitation.

Sources

  • Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation, U.S. Government Accountability Office, March 12, 2026, https://www.gao.gov/products/gao-26-107955.
  • Cybersecurity Maturity Model Certification, Department of Defense Chief Information Officer, accessed July 2, 2026, https://dodcio.defense.gov/CMMC/.
  • CMMC Resources & Documentation, Department of Defense Chief Information Officer, accessed July 2, 2026, https://dodcio.defense.gov/cmmc/Resources-Documentation/.

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the founder and principal advisor of GovConCyber. His advisory approach is shaped by roughly six years as a U.S. Army human intelligence collector, where information accuracy, source protection, classification discipline, need-to-know access, and controlled reporting were daily requirements. He brings that information-discipline mindset to GovConCyber's work helping government contractors understand and comply with federal cybersecurity obligations.
