Pentagon suspends CMMC phase two requirements, launches review of program
Pentagon suspends CMMC phase two requirements, launches review of program
Publish Date: 2026-07-13 16:41:00
Source Domain: federalnewsnetwork.com
Using an unordered list, summarize the following article with between 4 and 8 key points.
DoD CIO Kirsten Davies is suspending plans to ramp up CMMC third-party assessments, as part of a review that casts doubt on the future of the current program.
Justin Doubleday@jdoubledayWFED
July 13, 2026 4:39 pm
2 min read
The Pentagon is suspending the ramp up of new Cybersecurity Maturity Model Certification third-party assessment requirements, while also launching a sweeping review of the CMMC program that once again calls into question the future of the contractor cyber compliance regime.
In a July 13 announcement, the Defense Department said it is suspending plans to introduce phase two of the CMMC requirements. That would have involved DoD requiring third-party cybersecurity assessments across all contracts involving sensitive but unclassified information starting Nov. 10, 2026.
DoD says the phase one requirements for applicable contracts to require a CMMC self-assessment, which went into effect last November, remain in force.
But the Pentagon is now launching a 60-day, “top-to-bottom” review of the certification program, according to a July 13 memo signed out by DoD Chief Information Officer Kirsten Davies.]]>
The memo suggests that the CMMC program, as currently planned, conflicts with Defense Secretary Pete Hegseth’s Acquisition Transformation System initiative’s focus on eliminating bureaucracy and enabling innovation.
“The current iteration of the Cybersecurity Maturity Model Certification (CMMC) program, while intended to enhance security, imposes significant and often prohibitive burdens on the Defense Industrial Base (DIB), particularly the small and non-traditional businesses that are the engine of American innovation,” Davies wrote. “While cybersecurity is essential, administrative compliance cannot come at the cost of warfighting capability and industrial base growth.”
Davies’ memo points to “recent data and feedback” that suggest “the current CMMC program is structurally incompatible with our need to rapidly expand the DIB.” The memo specifically references reports from the Small Business Administration, which has raised previously concerns about CMMC compliance costs.
“The combination of prohibitive compliance costs, severe shortages in third-party assessment capacity, and complex regulatory timelines is actively forcing innovative new entrants and small businesses to opt out of [DoD] contracts and freezing critical suppliers out of the market,” Davies wrote.
Davies has tasked the 60-day “CMMC Reform Task Force” with providing recommendations on a framework that “prioritizes speed to capability, lowers barriers for small, medium, and non-traditional businesses, and replaces prohibitive, third-party compliance models with scalable, realistic security measures.”
In addition to the previous November deadline for third-party assessments to ramp up, the memo suspends all pending and future CMMC milestones “until further notice.” DoD programs can continue including CMMC self-assessment requirements in contracts.
In advance of the November deadline, some DoD program offices had already begun requiring audits by CMMC third-party assessment organizations (C3PAOs).]]>
During the suspension, DoD will continue using the self-assessments and select government-led assessments. Davies wrote that DoD will focus on “tangible cyber hygiene rather than third-party certifications and bureaucratic, high cost-imposing red tape.”
Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.