Pentagon suspends CMMC phase two requirements, launches review of program

DoD CIO Kirsten Davies is suspending plans to ramp up CMMC third-party assessments, as part of a review that casts doubt on the future of the current program.

The Pentagon is suspending the ramp up of new Cybersecurity Maturity Model Certification third-party assessment requirements, while also launching a sweeping review of the CMMC program that once again calls into question the future of the contractor cyber compliance regime.

In a July 13 announcement, the Defense Department said it is suspending plans to introduce phase two of the CMMC requirements. That would have involved DoD requiring third-party cybersecurity assessments across all contracts involving sensitive but unclassified information starting Nov. 10, 2026.

DoD says the phase one requirements for applicable contracts to require a CMMC self-assessment, which went into effect last November, remain in force.

But the Pentagon is now launching a 60-day, “top-to-bottom” review of the certification program, according to a July 13 memo signed out by DoD Chief Information Officer Kirsten Davies.

The memo suggests that the CMMC program, as currently planned, conflicts with Defense Secretary Pete Hegseth’s Acquisition Transformation System initiative’s focus on eliminating bureaucracy and enabling innovation.

“The current iteration of the Cybersecurity Maturity Model Certification (CMMC) program, while intended to enhance security, imposes significant and often prohibitive burdens on the Defense Industrial Base (DIB), particularly the small and non-traditional businesses that are the engine of American innovation,” Davies wrote. “While cybersecurity is essential, administrative compliance cannot come at the cost of warfighting capability and industrial base growth.”

Davies’ memo points to “recent data and feedback” that suggest “the current CMMC program is structurally incompatible with our need to rapidly expand the DIB.” The memo specifically references reports from the Small Business Administration, which has raised previously concerns about CMMC compliance costs.

“The combination of prohibitive compliance costs, severe shortages in third-party assessment capacity, and complex regulatory timelines is actively forcing innovative new entrants and small businesses to opt out of [DoD] contracts and freezing critical suppliers out of the market,” Davies wrote.

Davies has tasked the 60-day “CMMC Reform Task Force” with providing recommendations on a framework that “prioritizes speed to capability, lowers barriers for small, medium, and non-traditional businesses, and replaces prohibitive, third-party compliance models with scalable, realistic security measures.”

In addition to the previous November deadline for third-party assessments to ramp up, the memo suspends all pending and future CMMC milestones “until further notice.” DoD programs can continue including CMMC self-assessment requirements in contracts.

In advance of the November deadline, some DoD program offices had already begun requiring audits by CMMC third-party assessment organizations (C3PAOs).

During the suspension, DoD will continue using the self-assessments and select government-led assessments. Davies wrote that DoD will focus on “tangible cyber hygiene rather than third-party certifications and bureaucratic, high cost-imposing red tape.”

In a statement, SBA Administrator Kelly Loeffler applauded DoD’s decision.

“Working closely with the Department of War, the Trump SBA has heard directly from mission‑critical small businesses that CMMC compliance was becoming an untenable barrier pushing them out of the Defense Industrial Base, even though these firms are the backbone of national security,” Loeffler said.

CMMC saga continues

The CMMC suspension and review are yet another unexpected twist in DoD’s yearslong effort to enforce contractor cyber standards.

Those efforts began nearly a decade ago, as inspector general audits and other reports revealed many defense contractors were not following the required standards, despite self-attesting to meting them. The Pentagon began developing the CMMC program during the first Trump administration under former acquisition official Katie Arrington.

The primary thrust behind CMMC is to use third-party auditors to check whether contractors are meeting cyber standards, rather than relying on self-attestation. Through a no-cost contract, the Pentagon established a “Cyber Accreditation Body” that oversees a network of independent, third-party assessors who would be tasked with carrying out the CMMC assessments.

But following concerns about compliance costs and burdens on small businesses, the Biden administration in 2021 paused the program to conduct its own sweeping review. The Pentagon’s response to those concerns at that time was to strip down the program requirements, so that less contractors would be subject to the third-party assessment requirements.

The Pentagon then went through a painstaking, yearslong rulemaking process to make the “CMMC 2.0” program a reality. The final contracting rules for the program went into effect in November 2024, but the Pentagon was using a phased implementation plan to give industry further time to prepare for the requirements. 

DoD officials estimated roughly 80,000 companies would eventually be subject to the third-party assessment requirements. The SBA’s Office of Advocacy had publicly raised concerns in 2024 that the rules would force small businesses out of the defense industrial base. And officials there said they would continue pressing the Pentagon to address small business concerns.

Pentagon officials said they would develop guidance and other resources to help small businesses comply. The Army, for instance, established a “low-cost” marketplace of digital services for small businesses to meet the CMMC standards.

Meanwhile, Arrington, one of the primary architects of the CMMC program, left government service in 2025. Another longtime program official, Stacey Bostjanick, retired earlier this year. 

Davies was sworn in as DoD CIO in December 2025 after being confirmed by the Senate. She had previously served in senior technology and cyber roles in the private sector. She had committed during her confirmation hearing to reviewing the CMMC program and potential impacts on the defense industrial base.

During a late March hearing before the House Armed Services Committee, Davies said that while the CMMC review was underway, she was following directives from Hegseth “to reduce the regulatory burden and offer new entrants a shot at getting in and doing business with us.”

“I can commit to you that is the lens through which I’m looking at CMMC,” Davies told lawmakers then.

In her July 13 memo, Davies referred to CMMC as a “compliance checklist.” She points to Hegseth’s acquisition reforms and goals to make it easier for commercial and nontraditional companies to work with DoD.

“Continuing to enforce CMMC deadlines under the current construct directly contradicts these directives, jeopardizing our ability to field capabilities to our warfighters,” Davies wrote this week. “Our approach must be centered on achieving tangible supply chain and cybersecurity resilience, not one at the expense of the other.”

Copyright © 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories