Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
---|---|---|---|---|---|
D-2025-0056-D000CR-0001-0001 | No | $0 | $0 | ||
Rec. 1: The DoD OIG recommended that the DoD Chief Information Officer, in coordination with the Defense Industrial Base Cybersecurity Assessment Center Director, develop and implement a quality assurance process that will ensure that all requirements in the Cybersecurity Maturity Model Certification Third-Party Assessment Organization (C3PAO) authorization process are successfully met before a candidate C3PAO is authorized to perform Cybersecurity Maturity Model Certification Level 2 assessments. | |||||
D-2025-0056-D000CR-0001-0002.a | No | $0 | $0 | ||
Rec. 2.a: The DoD OIG recommended that the Cybersecurity Maturity Model Certification (CMMC) Program Management Office Director direct the contracting officer to modify the contract with the Cyber Accreditation Body to require the Cyber Accreditation Body (Cyber AB) to: Verify that the Cyber AB has signed Cybersecurity Maturity Model Certification Third-Party Assessment Organization (C3PAO) Agreements and Codes of Professional Conduct for every authorized C3PAO within 30 days of the date of this report or revoke the C3PAO's authorization to perform CMMC Level 2 assessments until the documents are received. | |||||
D-2025-0056-D000CR-0001-0002.c | No | $0 | $0 | ||
Rec. 2.c: The DoD OIG recommended that the Cybersecurity Maturity Model Certification (CMMC) Program Management Office Director direct the contracting officer to modify the contract with the Cyber Accreditation Body to require the Cyber Accreditation Body (Cyber AB) to: Verify that the quality control leads (QCL) for every authorized Cybersecurity Maturity Model Certification Third-Party Assessment Organization (C3PAO) meet the certification requirement within 30 days of the date of this report, and, for any of the C3PAO's QCLs who are not certified, revoke the authorization for those C3PAOs to perform CMMC Level 2 assessments until the C3PAOs provide support that the QCLs are certified. | |||||
D-2025-0056-D000CR-0001-0002.d | No | $0 | $0 | ||
Rec. 2.d: The DoD OIG recommended that the Cybersecurity Maturity Model Certification (CMMC) Program Management Office Director direct the contracting officer to modify the contract with the Cyber Accreditation Body to require the Cyber Accreditation Body (Cyber AB) to: Verify the employment status of the on-staff CMMC certified assessors and certified quality control leads (QCL) by requesting and reviewing employment records to confirm that CMMC certified assessors and certified QCLs are part of the candidate Cybersecurity Maturity Model Certification Third-Party Assessment Organization's staff and are assigned those specific roles and responsibilities. | |||||
D-2025-0056-D000CR-0001-0002.e | No | $0 | $0 | ||
Rec. 2.e: The DoD OIG recommended that the Cybersecurity Maturity Model Certification (CMMC) Program Management Office Director direct the contracting officer to modify the contract with the Cyber Accreditation Body to require the Cyber Accreditation Body (Cyber AB) to: Verify the employment status of the CMMC certified assessors and certified quality control leads of all previously authorized Cybersecurity Maturity Model Certification Third-Party Assessment Organizations (C3PAOs) using the methodology defined in Recommendation 2.d within 30 days of the date of this report and revoke the C3PAO's authorization to perform CMMC Level 2 assessments if the employment status cannot be verified. | |||||
D-2025-0056-D000CR-0001-0003.a | No | $0 | $0 | ||
Rec. 3.a: The DoD OIG recommended that the Cybersecurity Maturity Model Certification (CMMC) Program Management Office Director: Develop and implement a formal reauthorization process for the Cybersecurity Maturity Model Certification Third-Party Assessment Organizations (C3PAO) that includes a review and verification for all requirements in the C3PAO authorization process. | |||||
D-2025-0056-D000CR-0001-0003.b | No | $0 | $0 | ||
Rec. 5.b: The DoD OIG recommended that the Cybersecurity Maturity Model Certification (CMMC) Program Management Office Director: Develop and implement a process to ensure Cybersecurity Maturity Model Certification Third-Party Assessment Organizations (C3PAO) immediately notify both the CMMC Program Management Office and Cyber Accreditation Body of any changes associated with any of the requirements in the C3PAO authorization process. | |||||
D-2025-0056-D000CR-0001-0003.c | No | $0 | $0 | ||
Rec. 3.c: The DoD OIG recommended that the Cybersecurity Maturity Model Certification (CMMC) Program Management Office Director: Revise the CMMC assessment guides to further define the requirement for disabling inactive accounts to include group accounts. |