Pentagon Suspends CMMC Phase Two for Program Review

by Chief Editor

The U.S. Department of Defense (DoD) has suspended the rollout of third-party assessment requirements for the Cybersecurity Maturity Model Certification (CMMC) program, halting all pending milestones until further notice. According to a July 13 memo from DoD Chief Information Officer Kirsten Davies, the agency is launching a 60-day review to replace the current, costly compliance model with more scalable security measures for the defense industrial base.

Pentagon Reverses Course on CMMC Third-Party Audits

The Pentagon’s decision to pause phase two of its CMMC implementation marks a significant retreat from the requirement that contractors undergo third-party cybersecurity assessments. Under the original timeline, these audits were scheduled to become mandatory for all contracts involving sensitive but unclassified information starting November 10, 2026. While self-assessments remain in force for applicable contracts, the DoD has put a stop to all future milestones to address concerns regarding the program’s impact on small and non-traditional businesses.

Pentagon Reverses Course on CMMC Third-Party Audits

This suspension follows internal feedback that the current CMMC structure is “incompatible” with the need to expand the defense industrial base, according to the memo signed by Davies. The Pentagon’s move aligns with Defense Secretary Pete Hegseth’s broader Acquisition Transformation System initiative, which aims to strip away bureaucratic hurdles that prevent innovation.

Did you know?
The DoD previously estimated that approximately 80,000 companies would eventually be subject to third-party CMMC assessments before the program’s requirements were subjected to this latest round of scrutiny.

Small Business Advocacy and the Cost of Compliance

The Small Business Administration (SBA) has been a vocal critic of the CMMC program’s cost structure. SBA Administrator Kelly Loeffler stated that the agency heard directly from mission-critical small firms that the compliance burden was becoming an “untenable barrier,” effectively pushing essential suppliers out of the defense market. According to the DoD, these costs—combined with a shortage of third-party assessment organizations—have discouraged new, innovative entrants from pursuing government contracts.

Small Business Advocacy and the Cost of Compliance

The newly formed “CMMC Reform Task Force” is now tasked with drafting a framework that prioritizes “speed to capability” over the rigid, high-cost red tape of the previous model. The goal is to shift toward tangible cyber hygiene, ensuring that small and medium-sized enterprises (SMEs) can maintain security without sacrificing their ability to compete for defense work.

A Decade of Shifting Cyber Standards

The CMMC saga began nearly ten years ago as a response to inspector general reports indicating that contractors were frequently failing to meet cybersecurity standards despite self-attesting to them. The program was originally developed during the first Trump administration, but has faced multiple pauses and reboots, including a significant restructuring during the Biden administration that resulted in “CMMC 2.0.”

Kirsten Davies at BHMEA24, November 26-28 – Malham, Riyadh, Saudi Arabia

Despite these past efforts, the fundamental tension remains: how to secure the defense supply chain without creating an exclusionary environment. With the retirement of primary program architects like Stacey Bostjanick and the departure of Katie Arrington, the Pentagon is now under new leadership. CIO Kirsten Davies, who assumed her role in December 2025, has signaled that the current review is the final attempt to align cybersecurity with the urgent need for a more agile, accessible defense industrial base.

Pro Tip:
Contractors should continue to focus on existing self-assessment requirements, as the DoD has confirmed these remain in force throughout the current 60-day review period.

Frequently Asked Questions

  • Is CMMC being canceled entirely? No. The DoD is suspending the phase two rollout and third-party assessment milestones to conduct a 60-day review aimed at reforming the program’s structure.
  • Do I still need to perform CMMC self-assessments? Yes. According to the DoD, requirements for self-assessments currently in effect remain mandatory for applicable contracts.
  • Why did the DoD pause the program? The Pentagon cited concerns over prohibitive compliance costs, a lack of assessment capacity, and the risk of forcing innovative small businesses out of the defense sector.
  • What is the goal of the new task force? The CMMC Reform Task Force is charged with finding a more scalable, lower-cost approach to cyber security that focuses on tangible outcomes rather than bureaucratic checklists.

Are you a defense contractor currently navigating these changes? Share your thoughts on how these reforms might impact your business operations in the comments below.

Frequently Asked Questions

You may also like

Leave a Comment