The Pentagon has launched a top-to-bottom review of its Cybersecurity Maturity Model Certification program and paused third-party assessment requirements that were due to spread across many contracts from Nov. 10.
Kirsten Davies said SBA data showed the planned compliance ramp-up was imposing prohibitive costs and barriers on small defense suppliers, prompting DoD to seek feedback through an RFI and nationwide listening sessions.
The review team has 60 days to gather input and 15 more to deliver recommendations by late September, while Michael Duffey ordered contracting officers to strip third-party certification requirements from active solicitations.
DoD is still requiring CMMC self-assessments and NIST-based data protections, and officials say DIBCAC reviews plus NSA and DC3 support remain available during the pause.
The move reopens a long-running debate over whether self-attestation is enough: Cyber AB says nearly 2,000 contractors and more than 1,000 assessors are already in the system, while critics warn heavier reliance on self-assessments raises False Claims Act risk.
With CMMC audits paused, how can small firms prove cybersecurity without going broke or facing massive fines?
By pausing CMMC audits, has the Pentagon made the defense supply chain more vulnerable to cyberattacks?
As the DoD rethinks CMMC, what new model can secure the supply chain without crushing small innovators?
DoD Halts CMMC Phase II Rollout: Key Drivers, Immediate Effects, and the Future of Defense Cybersecurity
Overview
On July 13, 2026, the Department of War immediately suspended the CMMC Phase II rollout to reduce bureaucracy and costs, aligning with broader acquisition reforms. This pause reflects concerns that continuing with the current CMMC structure could hinder innovation, competition, and the ability to deliver essential capabilities to warfighters. Despite the suspension, defense contractors must maintain all existing cybersecurity efforts and compliance obligations. The Department’s goal is to achieve both supply chain resilience and strong cybersecurity without compromise, signaling a shift toward more practical and less burdensome security requirements for the defense industrial base.