Inspector General Robert P. Storch announced today that the Department of Defense Office of Inspector General (DoD OIG) released the “Audit of the DoD’s Process for Authorizing Third-Party Organizations to Perform Cybersecurity Maturity Model Certification 2.0 Assessments.”
The DoD OIG found that the DoD failed to effectively implement the process that authorizes third-party organizations to conduct Level 2 Cybersecurity Maturity Model Certification (CMMC) 2.0 assessments. CMMC third-party organizations (C3PAOs) must successfully complete a series of 12 requirements before they can be authorized to perform the Level 2 assessments. The Cyber Accreditation Body (AB) manages the third-party organization authorization process to ensure 10 of the 12 requirements are met, while the CMMC Program Management Office and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) are responsible for ensuring that C3PAOs successfully complete the two remaining requirements. Under the CMMC framework, authorized third-party organizations perform these required assessments of DoD contractors that will maintain controlled unclassified information critical to national security on their systems. The assessments help verify contractors’ compliance with federal cybersecurity requirements.
“Protecting controlled unclassified information is critical to safeguarding some of the nation’s most advanced defense technologies from malicious actors,” said IG Storch. “Without an effective third-party organization authorization process, there is a ripple effect of risks. If third-party organizations are unqualified to perform assessments, then there is also an increased risk that the DoD will award contracts to those that do not have the controls in place to protect sensitive information.”
In conjunction with the audit, the DoD OIG also substantiated two of three allegations from the DoD Hotline related to the C3PAO authorization process and Cyber AB accreditation requirements.
The DoD OIG made 10 recommendations to the DoD Chief Information Officer, the Director of the CMMC Program Management Office, and the Director of the Defense Industrial Base Cybersecurity Assessment Center, including that the DoD CIO coordinate with the DIBCAC Director to develop and implement a quality assurance process that will ensure that all requirements in the C3PAO authorization process are successfully met before authorizing C3PAOs to perform CMMC Level 2 assessments.
The DoD OIG will continue to monitor the DoD’s progress toward fully implementing all recommendations.