Updated
Updated · Federal News Network · Jul 13
Pentagon Suspends CMMC Phase 2 Before Nov. 10, Launches 60-Day Review
Updated
Updated · Federal News Network · Jul 13

Pentagon Suspends CMMC Phase 2 Before Nov. 10, Launches 60-Day Review

3 articles · Updated · Federal News Network · Jul 13

Summary

  • A July 13 memo halted CMMC phase two and froze all pending and future program milestones, while leaving phase one self-assessment requirements in force for applicable contracts.
  • The 60-day review will examine whether the current certification model should be replaced because DoD says third-party audits, high compliance costs and limited assessor capacity are pushing small and nontraditional firms out of defense work.
  • Nov. 10, 2026 had been the date for mandatory third-party assessments on contracts involving sensitive but unclassified information; during the suspension, DoD will rely on self-assessments and select government-led reviews.
  • Kirsten Davies tied the move to Defense Secretary Pete Hegseth's acquisition overhaul, arguing the current CMMC structure adds bureaucracy that conflicts with efforts to expand the defense industrial base and speed capability delivery.
  • The pause reopens a yearslong fight over contractor cyber rules: CMMC was already scaled back after a 2021 review, even as DoD had expected roughly 80,000 companies to face third-party assessments.

Insights

With costly audits scrapped, what is the Pentagon's new, faster model for securing the defense supply chain?
Does this pivot from security audits to 'reducing red tape' create new vulnerabilities for America's enemies to exploit?

Pentagon Suspends CMMC: 60-Day Review Aims to Lower Barriers and Reform Defense Cybersecurity Certification

Overview

On July 13, 2026, the Pentagon announced an immediate suspension and comprehensive review of the Cybersecurity Maturity Model Certification (CMMC) program due to growing concerns over high compliance costs and bureaucratic burdens. Reports showed these challenges were forcing innovative companies out of the defense industrial base, risking delays in delivering critical capabilities to warfighters. In response, the Department of Defense launched a 60-day, top-to-bottom review led by the newly established CMMC Reform Task Force. The goal is to recommend realistic security measures that lower barriers for small and non-traditional businesses while ensuring strong cybersecurity across the defense sector.

...