War Department Changes Cybersecurity Maturity Model Certification Requirements > U.S. Department of War > Defense Department News

War Department Changes Cybersecurity Maturity Model Certification Requirements > U.S. Department of War > Defense Department News

War Department Changes Cybersecurity Maturity Model Certification Requirements > U.S. Department of War > Defense Department News

https://www.war.gov/News/News-Stories/Article/Article/4542849/war-department-changes-cybersecurity-maturity-model-certification-requirements/

Publish Date: 2026-07-13 18:41:00

Source Domain: www.war.gov

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.
The War Department today announced the suspension of the Cybersecurity Maturity Model Certification phase two requirements, initially scheduled to take effect in November, and launched a comprehensive review of the entire CMMC program.

While the change eliminates costly and time-consuming bureaucracy, said Kirsten Davies, War Department chief information officer, it doesn’t weaken the focus on cybersecurity.

“The Department of War is taking decisive action to clear bureaucratic roadblocks and revitalize our defense industrial base in support of Secretary of War Pete Hegseth’s directive to aggressively scale warfighter readiness,” Davies said. “[But] I want to be clear, across the Department of War and our defense industrial base, investing in and dynamically maintaining robust cybersecurity remains a critical, nonnegotiable priority.”

Companies interested in doing business with the department, Davies said, will still need to comply with cybersecurity requirements and safeguard government information according to regulations. Companies will also need to continue to meet requirements under CMMC phase one.

“We’re taking this step today because reindustrializing America is a key and critical component of Secretary Pete Hegseth’s vision for the arsenal of freedom across the department,” Davies said.

Ensuring America’s warfighters have the tools they need means ensuring the defense industrial base is agile and able to accelerate production when needed, she said, adding that for many small businesses, the bureaucratic requirements of CMMC keep them from being agile and drive them away from doing business with the department.

“The data we are seeing, including recent reports from the Small Business Administration, makes one thing clear: the current CMMC requirements, including the future planned requirements, are creating prohibitive compliance costs and unacceptable bureaucratic burdens, especially to small businesses,” Davies said.

The War Department also announced the creation of a CMMC review and reform task force, which has 60 days to conduct a top-to-bottom review of the CMMC program.

“This task force will serve as the central hub for synthesizing industry feedback from our public request for information — which will be released today,” Davies said. “Using these insights, the task force will recommend realistic, scalable security measures that prioritize speed-to-capability and lower barriers for small and nontraditional businesses, while still providing insights on [defense industrial base] cybersecurity and operational resilience.”

Michael Duffey, undersecretary of war for acquisition and sustainment, said reform of the CMMC program is an important move toward getting the defense industrial base ready to produce things the War Department needs at the speed the department needs them.

“Rebuilding our military’s competitive edge starts with a simple reality: we must put our acquisition system on a wartime footing,” Duffey said. “We cannot expect our industries to build at the speed of relevance if they are drowning in peacetime paperwork and administrative bureaucracy.”

By suspending onerous CMMC phase two requirements, he said, more private-sector businesses — especially small businesses — will choose to pursue doing important work for the department.

“This is about unleashing the arsenal of freedom,” Duffey said. “For too long, overly burdensome cybersecurity regulations have acted as a barrier to entry, locking out the very startups, small businesses and nontraditional manufacturers across the country who drive American innovation. By pausing phase two implementation, we are keeping more companies in the DIB who would otherwise be forced out of the market at a time when we need them most.”

The CMMC program, first announced in early 2020, was designed to ensure that private-sector companies working with the War Department could demonstrate their ability to securely handle sensitive government information. The program used a system of private-sector, department-approved assessors to evaluate a private company’s cybersecurity compliance.

Davies said the number of available assessors is not large enough to conduct all the evaluations needed in time for the upcoming November deadline.