CMMC 2.0 and the External Factors Problem – What Defense Contractors Need to Know
BLUF
- A Government Accountability Office report found that while the Department of Defense has built out CMMC 2.0, it hasn’t fully identified the external risks that could impact the program’s success.
- Key risks include assessor backlogs, unprepared vendors, evolving NIST requirements, and high compliance costs (especially for small businesses).
- The DoD may issue waivers when external factors cause issues, but overuse could undermine the program’s credibility and effectiveness.
- Bottom line: Contractors should plan for delays, monitor compliance continuously, and engage their supply chain early to stay ahead of shifting requirements.
In response to findings from the Government Accountability Office (GAO), a senior Pentagon official said the department plans to evaluate and define outside variables that could hinder the defense industry’s ability to comply with new standards set by the Cybersecurity Maturity Model Certification (CMMC) 2.0 model.
According to a report published by the GAO on March 12, 2026, the Defense Department has done significant work to build a comprehensive strategy for implementing CMMC 2.0 cybersecurity standards. However, the report found that the department has yet to completely identify factors beyond its control that put the program’s overall success at risk.
“CMMC planning documentation identifies processes that can help address external factors, including a program waiver process,” the report stated. “However, CMMC planning documentation does not systematically identify the external factors that could affect reaching each goal.”
After six years of development, the department began officially enforcing the CMMC program in November 2025. The framework requires defense contractors to confirm their networks have adequate cybersecurity controls to prevent adversaries from accessing sensitive data. It goes a step further, too: subcontractors in a defense contractor’s supply chain that handle that data must also have adequate controls over their cyber environment.
CMMC was met with criticism when it was introduced years ago. Members of the Defense Industrial Base (DIB) claimed the program was overcomplicated and created undue regulatory burdens on companies. However, over time the Pentagon has worked closely with industry professionals to simplify the framework and provide resources to the DIB to help with compliance.
While the department has developed multiple planning documents to guide CMMC’s three-year implementation plan, there are issues that haven’t been addressed, the GAO suggested.
“DOD officials stated that they have not assessed and documented key external factors that could significantly affect the implementation of the CMMC program and developed a set of approaches to address them because these factors are outside the control of the department,” per the watchdog’s report.
The department relies on a CMMC ecosystem comprising private sector stakeholders to carry out the program’s goals. The Cyber AB serves as the official CMMC accreditation body, while the professional association ISACA is responsible for training and certification as the Cybersecurity Assessor and Instructor Certification Organization (CAICO).
Furthermore, contractors handling more sensitive Pentagon data must have their cybersecurity posture validated by an authorized CMMC Third-Party Assessment Organization (C3PAO) staffed by certified assessors.
The Pentagon has not analyzed how it will address the capacity of these outside stakeholders if it proves insufficient to meet the CMMC program’s demands, the GAO report found. At the same time, the cybersecurity standards may prove too difficult and costly for some small businesses to meet. According to the report, that could cause them to stop working with the Defense Department altogether.
Changing cybersecurity requirements are another external factor affecting the CMMC rollout. The standards defined by the program are based on NIST SP 800-171, published by the National Institute of Standards and Technology, which was most recently revised (Revision 3) in May 2024.
The government watchdog noted that “DOD has yet to update the CMMC program to incorporate this revision. Additionally, updating the training, procedures and associated guidance for the program will take time.”
In response to the GAO’s study, the Pentagon indicated that leaders could give waivers when any external variable causes challenges for industry in reaching CMMC compliance. But the watchdog warned that these waivers would not fix the underlying issues related to these external factors.
“Additionally, depending on the frequency and number of waivers DOD uses, the process could undermine the long-term viability of the CMMC program and its intent to verify that companies are implementing federal cybersecurity requirements,” the report found.
The GAO recommended that the Pentagon conduct a comprehensive analysis of the key external factors that could negatively affect the CMMC program and develop mechanisms to address them. A letter from DOD Chief Information Officer Kirsten Davies indicated that the department concurred with the watchdog’s recommendations.
“The Department will assess and document significant external factors affecting CMMC Program implementation, such as CMMC ecosystem capacity, program demand, and evolving cybersecurity requirements and effectiveness of CMMC requirements to address and reduce risk,” Davies wrote. She added that the department will also evaluate how comprehensively CMMC requirements support the National Defense Strategy and the Secretary’s priorities.
What External Factors Could Affect CMMC Certifications in 2026
- Assessor bottlenecks: With a relatively small number of authorized C3PAOs and certified assessors, expect a wait before you can get on an assessor’s calendar. SecureStrux is a C3PAO.
- Supply chain weak links: Your compliance may depend on partners and vendors who aren’t ready for rigorous cybersecurity assessments. DFARS 252.204-7021 requires flow-down of CMMC requirements to subcontractors that process, store, or transmit FCI or CUI. This is a genuine and often-overlooked risk.
- Evolving NIST requirements: CMMC currently assesses against NIST SP 800-171 Rev 2, but Rev 3 has already been published. When DoD incorporates it into the program, contractors will face updated requirements and updated assessment guidance. Stay ahead of this transition.
- Cost pressure on small and medium-sized businesses: Achieving and then maintaining CMMC compliance can be cost prohibitive for small organizations with limited budgets.
- Cloud/External Service Provider readiness: If a cloud service provider processes, stores, or transmits CUI on your behalf, it must hold a FedRAMP Moderate authorization or meet FedRAMP Moderate equivalency; other external service providers that handle CUI fall inside your own assessment scope. Many providers haven’t yet achieved this, creating a compliance dependency outside your direct control.
What Contractors Should Do Now
- Plan for possible delays: Most assessors are carrying a backlog. If you need an assessment immediately or in the near future, securing a slot may be difficult, so build buffer time for assessor availability into your schedule.
- Continuously monitor compliance: Don’t rely on point-in-time readiness. Track your compliance posture on an ongoing basis. Under 32 CFR Part 170, an affirming official must submit an annual affirmation in SPRS confirming continued compliance, including for Level 2 and Level 3 certifications.
- Engage your supply chain early: Your compliance depends on your partners and vendors being ready as well. Confirm that the subcontractors in your network that handle FCI or CUI are preparing too.
- Understand your POA&M options: Not all gaps are disqualifying at the time of assessment. Level 2 allows a conditional status with a Plan of Action and Milestones if you meet the minimum score and close the open items within 180 days, but higher-weighted controls cannot be deferred.
The challenge isn’t just achieving compliance. It’s maintaining it in an environment where dependencies, requirements, and risks are often shifting.
Want to start your CMMC project or learn more about the process? SecureStrux is an authorized C3PAO. Schedule a meeting today.
Part of this article was written by Mikayla Easley and can be found on Defense Scoop.
FAQs and Questions This Article Answers
- What is CMMC 2.0 and why does it matter to defense contractors?
- What are “external factors,” and why do they pose a risk to CMMC compliance?
- How does supply chain readiness affect a contractor’s ability to achieve CMMC compliance?
- What role do evolving National Institute of Standards and Technology standards (e.g., Rev. 2 → Rev. 3) play in CMMC requirements?
- What practical steps should contractors take now to prepare for CMMC assessments and ongoing compliance?