Pentagon suspends CMMC phase two requirements, launches review of program
Key Points:
- The Pentagon is suspending the planned expansion of third-party Cybersecurity Maturity Model Certification (CMMC) assessments, delaying phase two requirements initially set for November 2026, while maintaining current self-assessment mandates.
- A 60-day comprehensive review of the CMMC program has been initiated, citing concerns that the current model imposes excessive burdens on small and non-traditional defense contractors, potentially hindering innovation and industrial base growth.
- The review and suspension respond to feedback, including from the Small Business Administration, highlighting prohibitive compliance costs, limited third-party assessor availability, and complex timelines that discourage small businesses from participating in DoD contracts.
- The Pentagon aims to develop a revised cybersecurity framework that prioritizes rapid capability deployment, reduces barriers for smaller businesses, and replaces costly third-party certification with scalable, practical security measures.
- This move marks a continuation of the evolving CMMC saga, reflecting ongoing challenges in balancing cybersecurity enforcement with supporting a diverse and innovative defense industrial base.