Pentagon Suspends CMMC Program

The Department of Defense suspended the rollout of Phase 2 of its Cybersecurity Maturity Model Certification program July 13.
The move halts a requirement that was set to force tens of thousands of defense contractors into costly third-party cybersecurity audits beginning this November.
Announced jointly by DoD chief information officer Kirsten Davies and Under Secretary Michael Duffey, the decision represents the most significant shift in the program since it began rolling out last year.
CMMC was designed as a tiered framework requiring companies that handle federal contract information or controlled unclassified information to prove they meet specific cybersecurity controls before winning defense contracts.
Phase 1, which took effect in November 2025, required contractors to complete self-assessments. Phase 2 was scheduled to begin Nov. 10, 2026, and required many contractors to pass an independent audit conducted by a certified third-party assessor organization, or C3PAO, as a condition of contract award.
Phase 3, planned for 2027, added an even higher tier of government-led assessments for the most sensitive work.
Why the Pentagon Pulled Back
The announcement immediately suspends the Phase 2 transition and puts all future CMMC milestones on hold.
Going forward, procuring agencies may only require contractors to hold a self-attested Level 1 or Level 2 status; any solicitation or contract that currently demands third-party or government-led certification must be amended to remove that requirement.
Davies also launched a 60-day “top-to-bottom” review of the entire program through a newly formed CMMC Reform Task Force, with a formal request for industry feedback due Aug. 14.
SBA data suggested future CMMC phases could cost small and mid-sized businesses more than $7 billion annually.
Officials framed the decision around cost and capacity, not a retreat from cybersecurity standards.
Davies pointed to Small Business Administration data suggesting future CMMC phases could cost small and mid-sized businesses more than $7 billion annually, with individual compliance bills approaching $600,000.
More than 100,000 companies in the defense industrial base would have needed assessments from only around 100 approved assessment organizations.
Duffey said the pause keeps more companies in the defense industrial base who would otherwise have been forced out of the market at a time when the Pentagon says it needs them most.
What Manufacturers Still Have to Do
Davies said the move does not reduce cybersecurity standards, describing CMMC as having become a “compliance checklist.”
She said continuing to enforce its deadlines under the current structure worked against Pentagon leadership’s broader push to make it easier for commercial and nontraditional companies to do business with the department.
Despite the suspension, defense manufacturers and other contractors are not off the hook for cybersecurity obligations.
The underlying legal requirement to protect covered defense information—rooted in DFARS clause 252.204-7012 and the NIST SP 800-171 standard—predates CMMC and remains fully in force.
The underlying legal requirement to protect covered defense information remains fully in force.
Contractors must still implement all 110 required security controls, maintain a system security plan and plan of action, and post current scores to the Supplier Performance Risk System.
Phase 1 self-assessment obligations are untouched by the announcement.
Legal and compliance advisers are cautioning manufacturers against treating the pause as a green light to stand down.
Existing CMMC contract clauses and prime-contractor flowdown requirements remain enforceable unless formally modified, and the Justice Department’s Civil Cyber-Fraud Initiative continues to pursue companies that submit false cybersecurity attestations—meaning inaccurate self-assessments now carry real legal exposure even without third-party verification.
Firms that already booked assessments with C3PAOs are being advised to consider converting them into internal “mock” audits rather than canceling outright, since remediation work completed so far will likely still count under whatever framework emerges from the review.
Consequences for the Industrial Base
The pause offers immediate relief to small and mid-sized manufacturers who feared losing eligibility for defense contracts due to the cost and scarcity of certified assessors.
But it also injects uncertainty into a compliance ecosystem that had spent more than a year and significant money preparing for the November deadline.
Cyber AB, the nonprofit accreditation body overseeing CMMC assessors, was not notified in advance of the suspension, underscoring how abruptly the policy shifted.
Officials have not ruled out further restructuring—or even eventual cancellation—of CMMC once the review concludes.
Officials have not ruled out further restructuring—or even eventual cancellation—of CMMC.
“Small and mid-sized manufacturers are critical to Connecticut’s defense supply chain, and many are navigating increasingly complex cybersecurity requirements,” said Beatriz Gutierrez, president and CEO of CBIA affiliate CONNSTEP, which provides CMMC and other cybersecurity and compliance solutions.
“Reducing compliance barriers like prohibitive costs can help ensure that our state’s manufacturers remain part of the defense supply chain.”
For now, the Pentagon says the reform task force will use industry input gathered through the Aug. 14 comment deadline to determine whether alternatives, such as recognizing commercial cybersecurity tools and managed services as evidence of compliance, could replace the standalone third-party assessment model altogether.
Manufacturers, in the meantime, face a familiar posture: continue investing in cybersecurity fundamentals while the certification mechanism itself remains very much up for debate.
RELATED
EXPLORE BY CATEGORY
Stay Connected with CBIA News Digests
The latest news and information delivered directly to your inbox.



