CMMC may be paused, but cybersecurity audits likely to return: Industry, experts
CMMC may be paused, but cybersecurity audits likely to return: Industry, experts
Publish Date: 2026-07-16 13:02:00
Source Domain: breakingdefense.com
Using an unordered list, summarize the following article with between 4 and 8 key points.
WASHINGTON — Despite the pause of third-party audits in a Defense Department program for contractors, the Pentagon will likely have to return to some kind of review regime to ensure there are no unlocked virtual doors for adversary hackers to walk through, according to industry officials and experts.
Leaders in the Department of Defense and Small Business Administration announced Monday that they are taking a pause on Phase II of the Cybersecurity Maturity Model Certification (CMMC) program, which requires companies working with the DoD to undergo third-party assessments to ensure they’re compliant with cybersecurity standards.
CMMC does not set the standards; those come from NIST SP 800-171 Rev 2, which outlines 110 cybersecurity requirements to protect controlled unclassified information (CUI). CMMC, rather, is focused on ensuring any contractor bidding for a certain capability complies with said standards.
Through the pause, the Pentagon said it will continue to enforce baseline cybersecurity compliance through self-assessments, which the department says will focus on tangible cyber hygiene as opposed to administrative overhead.
The CMMC Phase II pause “shouldn’t be a shocker to anybody,” according to Katie Arrington, thought of as the creator of CMMC. But, she said in a video posted to LinkedIn, at the end of the day the Pentagon is likely to come back around to where it is now, realizing “that there really is no other way to get compliance.”
Experts and industry figures agreed that even if the pause on CMMC does not itself lower the cybersecurity expectations, it does leave a gap in how the department can hold contractors to those standards.
“The fundamental problem identified by the DoD Inspector General seven years ago this month is that DoD’s policy of letting contractor[s] grade their own homework is a failure,” Jacob Horne, Chief Cybersecurity Evangelist at Summit 7, said in written responses to Breaking Defense. Summit 7 is a managed IT and cybersecurity service provider focused on helping defense contractors with cybersecurity requirements, including CMMC compliance. “The question that’s never been answered is ‘how does the government know what you claimed in your self-assessment is true?’”
Without some type of third-party validation mechanism, Michael Brooks, a lead CMMC Certified Assessor at A-LIGN, said the Pentagon is forced to rely more heavily on contractors’ word.
“That can increase uncertainty for program offices, prime contractors, and supply chain partners, while also increasing False Claims Act risk when cybersecurity assertions cannot be substantiated,” he said. “The Department still needs assurance that CUI is being protected, prime contractors still need confidence in their supply chains, and the government still needs a defensible way to assess cybersecurity risk across the Defense Industrial Base.”
Georgianna Shea, chief technologist at the Foundation for Defense of Democracies Center on Cyber and Technology Innovation, suggested the DoD didn’t necessarily need a third party to assess cybersecurity standards, but it does need some kind of proof.
“The central policy question should not be whether third-party assessments are universally good or bad. It should be whether the Department can obtain reliable evidence of cybersecurity in a manner proportionate to the actual risk. Certification without meaningful evidence can become a compliance industry. Self-attestation without verification can become a paper exercise. The future program needs to avoid both outcomes,” she said.
Relying solely on self-assessments to enforce standards, Cybersheath CEO Emil Sayegh said, could mean contractors are operating with gaps in compliance — even if they don’t mean to.
“Most [organizations] genuinely believe they are compliant. The challenge is that interpreting and objectively evaluating cybersecurity controls is difficult, particularly without independent validation,” said Sayegh, whose firm also provides CMMC certification services. “Third-party assessments were never just about identifying bad actors. They were designed to provide an objective measure of cybersecurity maturity and create accountability in a system that otherwise relies heavily on contractor self-representations.”
As for what happens next, Sayegh said, “My hope is that the Department uses the next 60 days to develop a framework that preserves the security objectives of CMMC while reducing unnecessary cost and complexity, particularly for small and mid-sized contractors.”
Shea said she sees the Pentagon perhaps slimming Phase II-style third-party assessments to be more fit for purpose: stronger certification standards for higher-risk work.
“I do not think the Phase 2 suspension necessarily kills CMMC, but it may end CMMC as a broadly applied, certification-centered program. The direction signaled by the Department appears to be a more risk-based model: lighter requirements and self-assessment for lower-risk contracts, with stronger evidence and independent or government-led assessment reserved for information, systems and suppliers that present greater mission consequences,” she said. “Done correctly, that could reduce unnecessary barriers for small and nontraditional businesses without treating every contractor as though it presents the same level of risk. The difficult part will be determining risk consistently.”