October 30, 2024

The Honorable Jack Reed
The Honorable Roger F. Wicker
Ranking Member
Committee on Armed Services
United States Senate

The Honorable Mike Rogers
The Honorable Adam Smith
Ranking Member
Committee on Armed Services
House of Representatives

Subject: Department of Defense: Cybersecurity Maturity Model Certification (CMMC) Program

Pursuant to section 801(a)(2)(A) of title 5, United States Code, this is our report on a major rule
promulgated by the Department of Defense (DoD) entitled “Cybersecurity Maturity Model
Certification (CMMC) Program” (RIN: 0790-AL49). We received the rule on October 10, 2024.
It was published in the Federal Register on October 15, 2024. 89 Fed. Reg. 83092. The
effective date of the rule is December 16, 2024.

According to DoD, this rule establishes the Cybersecurity Maturity Model Certification (CMMC)
Program in order to verify contractors have implemented required security measures necessary
to safeguard Federal Contract Information and Controlled Unclassified Information. DoD stated
that the mechanisms discussed in the rule will allow it to confirm a defense contractor or
subcontractor has implemented the security requirements for a specified CMMC level and is
maintaining that status across the contract period of performance. DoD further stated the rule
will be updated as needed, using the appropriate rulemaking process, to address evolving
cybersecurity standards, requirements, threats, and other relevant changes.

Enclosed is our assessment of DoD’s compliance with the procedural steps required by
section 801(a)(1)(B)(i) through (iv) of title 5 with respect to the rule. If you have any questions
about this report or wish to contact GAO officials responsible for the evaluation work relating to
the subject matter of the rule, please contact Charlie McKiver, Assistant General Counsel, at
(202) 512-5992.

Shirley A. Jones
Managing Associate General Counsel