The Department of Defense (DoD) has failed to effectively implement the process for authorizing third-party organizations to conduct Level 2 assessments under the Cybersecurity Maturity Model Certification (CMMC) 2.0, according to a Jan. 14 audit report by the DoD Office of Inspector General (OIG).

CMMC 2.0 – set to take effect in fiscal year 2025 – is the DoD’s cybersecurity compliance framework requiring contractors to undergo assessments based on the sensitivity of the DoD information they handle.

Contractors managing critical controlled unclassified information must pass a Level 2 assessment, verifying compliance with 110 cybersecurity requirements. These assessments, conducted by third-party organizations (C3PAOs), are required before contract awards.

In order to be authorized to perform the Level 2 assessments, C3PAOs must first meet a series of 12 requirements. However, the IG report, which reviewed 11 of 48 C3PAOs, identified three key flaws in the authorization process.

First, the audit found that two of the 11 C3PAOs were authorized despite lacking a signed C3PAO Agreement and Code of Professional Conduct, which outlines key terms and expectations, including professionalism, objectivity, confidentiality, and integrity.

Second, OIG found that authorizing officials did not verify whether the quality control leads (QCLs) at four of the 11 C3PAOs had the necessary certification. To be designated as QCL, individuals must first become CMMC certified professionals and assessors through training and exams.

Lastly, the audit found that all 11 C3PAOs were authorized despite insufficient verification of CMMC certified assessors (CCAs) and QCLs on staff or under contract. Specifically, DoD authorized seven C3PAOs without confirming a CCA was on staff, and 10 without verifying a certified QCL.

The Pentagon watchdog chalked up these issues to the lack of a quality assurance process – leaving C3PAOs’ compliance checks as a bit of a “trust but don’t verify” situation. The report repeatedly noted that authorizing officials told OIG they had received verbal confirmation of the requirements, but the crucial details were never formalized in writing.

“If the C3PAO authorization process is not effectively implemented, then the DoD does not have assurance that all C3PAOs that perform the CMMC Level 2 assessments are qualified to perform those assessments,” the report reads. “If the C3PAOs are not qualified, then the DoD increases its risk that contractors will be awarded DoD contracts without the requirements in place to protect controlled unclassified information.”

The IG made 10 recommendations, including the development of a quality assurance process to ensure all C3PAO authorization requirements are met before granting them the authority to perform CMMC Level 2 assessments.

DoD CMMC officials partially agreed with the recommendations.

Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.