DOD halts cybersecurity requirements for CMMC Phase 2: ‘The math just simply doesn't math’
Key Points:
- The Pentagon has immediately suspended the Cybersecurity Maturity Model Certification (CMMC) Phase 2 requirements, originally set to take effect on November 10, due to concerns that the policy would drive many businesses, especially small and medium-sized ones, out of the defense industrial base.
- A new CMMC Reform Task Force, comprising representatives from various Defense Department offices, will review the entire program and provide recommendations within 60 days, while the department enforces cybersecurity compliance through self-assessments and selective government-led assessments based on NIST standards.
- The freeze responds to industry feedback and a Government Accountability Office report highlighting that the cost and complexity of CMMC compliance could force many contractors out of the defense market, threatening military innovation and readiness.
- The Pentagon plans to issue a request for information to gather stakeholder input on compliance challenges, with the possibility that the CMMC program could be significantly revised or even canceled following the review.
- Current challenges include a severe shortage of certified third-party assessors relative to the number of contractors needing certification, and concerns that the $7 billion annual cost of compliance for small businesses is unsustainable, prompting calls for a more effective and less burdensome cybersecurity approach.