{"id":242893,"date":"2026-07-13T17:40:00","date_gmt":"2026-07-13T21:40:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/13\/dod-halts-cybersecurity-requirements-for-cmmc-phase-2-the-math-just-simply-doesnt-math\/"},"modified":"2026-07-13T17:55:07","modified_gmt":"2026-07-13T21:55:07","slug":"dod-halts-cybersecurity-requirements-for-cmmc-phase-2-the-math-just-simply-doesnt-math","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/13\/dod-halts-cybersecurity-requirements-for-cmmc-phase-2-the-math-just-simply-doesnt-math\/","title":{"rendered":"DOD halts cybersecurity requirements for CMMC Phase 2: \u2018The math just simply doesn&#8217;t math\u2019\u00a0"},"content":{"rendered":"<p><a href=\"https:\/\/defensescoop.com\/2026\/07\/13\/dod-halts-cmmc-cybersecurity-requirements-phase-2\/\">DOD halts cybersecurity requirements for CMMC Phase 2: \u2018The math just simply doesn&#8217;t math\u2019\u00a0<\/a><\/p>\n<p><a href=\"https:\/\/defensescoop.com\/2026\/07\/13\/dod-halts-cmmc-cybersecurity-requirements-phase-2\/\">https:\/\/defensescoop.com\/2026\/07\/13\/dod-halts-cmmc-cybersecurity-requirements-phase-2\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-13 17:40:00<\/a><\/p>\n<p>Source Domain: <a href=\"defensescoop.com\">defensescoop.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>The Pentagon placed an immediate freeze on forthcoming cybersecurity requirements after government research suggested the policy would drive many businesses out of the defense industrial base at a time when the U.S. military urgently needs their innovations.<\/p>\n<p>Defense Department Chief Information Officer Kirsten Davies and Under Secretary of Defense for Acquisition and Sustainment Michael Duffey unveiled plans Monday to suspend the much-anticipated Cybersecurity Maturity Model Certification (CMMC) Phase 2 requirements that were set to take effect Nov. 10. A new CMMC Reform Task Force is expected to conduct a review of the entire program and submit a report of its findings and recommendations within the next 60 days.\u00a0<\/p>\n<p>This major pause comes as contractors have been hustling to obtain third-party assessments of their CMMC compliance in preparation for that near-term enforcement date.<\/p>\n<p>\u201cEvery dollar spent on security is a wise dollar spent, and so those who have been forward leaning in in uplifting their cyber posture \u2014 in assessing what their posture is, and doing something about it \u2014 they have contributed to national security,\u201d Davies told a small group of reporters ahead of the official announcement. \u201cThat is not money that is spent in vain, and so that is a huge message.\u201d<\/p>\n<p>The Pentagon plans to release a new request for information to garner stakeholders\u2019 feedback on the move and associated compliance challenges. The CMMC Reform Task Force will analyze the responses as part of its upcoming review of the program.<\/p>\n<p>\u201cWe\u2019re standing that up, effective today. So that will be a cross-department task force with representatives from the Office of the CIO, [and other directorates including] from Acquisition and Sustainment, from Research and Engineering, Information and Security, Legislative Affairs, Public Affairs, Legal,\u201d Davies told DefenseScoop. \u201cIt\u2019s truly going to be a cross-functional team.\u201d<\/p>\n<p>CMMC is a tiered cybersecurity framework that requires defense contractors working with federal contract information (FCI) or controlled unclassified information (CUI) to implement specific cyber controls defined by the National Institute of Standards and Technology (NIST). The Pentagon began a three-year implementation plan in November 2025 that was intended to incrementally introduce CMMC requirements each year.<\/p>\n<p>The program was established in 2019 by the first Trump administration as a mechanism to ensure defense contractors were properly storing and transmitting the Pentagon\u2019s sensitive data and preventing it from being exploited by adversaries. CMMC did not create new cybersecurity requirements, but instead mandated that vendors prove they are implementing cyber controls enforced by federal law.<\/p>\n<p>After it was introduced, CMMC was met with significant backlash from the defense industrial base. Many argued that the program was too complicated and would place a significant cost burden on vendors \u2014 namely small businesses, subcontractors and new entrants into the defense industry.<\/p>\n<p>Feedback from industry prompted the Defense Department to reorganize the program into what is known as CMMC 2.0. And after a multi-year federal rulemaking process, the Pentagon formally began enforcing CMMC compliance in contracts in November 2025 \u2014 requiring contract solicitations to include verification as a condition to win bids.<\/p>\n<p>The Defense Department originally planned to introduce CMMC requirements through a three-year implementation plan. Phase 1 began in November 2025 and required self-assessments under CMMC Level 1 and Level 2.<\/p>\n<p>Phase 2 was expected to kick off in November 2026, and would have forced companies to achieve CMMC Level 2 by passing an assessment from a Certified Third-Party Assessor Organization (C3PAO) in order to receive contract awards. Phase 3 would have followed in November 2027, introducing Level 3 Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessments.<\/p>\n<p>During this interim period as senior leaders figure out the best path ahead, they said DOD will enforce cybersecurity compliance with the NIST Special Publication 800-171 Revision 2 standard through self-assessments and select government-led assessments.<\/p>\n<p>\u201cBy pausing [CMMC] Phase 2 implementation, we are keeping more companies in the DIB who would otherwise be forced out of the market at a time when we need them most,\u201d Duffey said.<\/p>\n<p>\u201cWe are not reducing cybersecurity through this measure,\u201d Davies added. \u201cWe are reducing the red tape it gets to them getting to the place where they can get their capabilities into the hands of our warfighters.\u201d<\/p>\n<p>The industrial base\u2019s readiness for CMMC has been a significant concern, as misconceptions about the program and the years it took to actually begin implementation caused some vendors to delay taking actions.<\/p>\n<p>A report from the Government Accountability Office published in March found that the cybersecurity standards might prove too difficult and costly for some small businesses to meet, forcing them out of the defense industrial base. DefenseScoop previously reported that the time and money a contractor has to spend on CMMC depends on multiple factors \u2014 such as how well it has implemented cybersecurity controls in the past, as well as what information it is handling.\u00a0<\/p>\n<p>The main hurdle isn\u2019t always adding new cybersecurity capabilities, but actually updating a company\u2019s internal processes, cyber governance or responsibilities to prove compliance.<\/p>\n<p>\u201cEvery single meeting I\u2019ve had on the Hill has had a peppering, or a flavor of \u2018What is your plan for CMMC?\u2019 So this is a broad across-the-board conversation that small and medium-sized businesses are having with their representatives, [the primes and DOD],\u201d Davies said. \u201cI think at this point, really, what it\u2019s come to is a fulcrum of \u2018we really need to do something about this.\u2019 This is not achieving what it was intended to achieve, and so we need to think differently about it.\u201d<\/p>\n<p>Recent data from the Small Business Administration also deeply influenced this temporary suspension. Davies noted that SBA Administrator Kelly Loeffler recently led an extensive tour of small to medium-sized businesses across America.\u00a0<\/p>\n<p>CMMC compliance was \u201cthe number one topic\u201d that came up in conversation, SBA told DOD.\u00a0<\/p>\n<p>In particular, Davies said the insights suggested that moving into the future phases of the CMMC implementation could cost more $7 billion annually for such businesses to gain compliance approvals. At the same time, there appears to be a massive mismatch between the more than 100,000 DIB companies needing third\u2011party assessments, and only around 100 assessors approved to complete them.<\/p>\n<p>\u201cSo the math just simply doesn\u2019t math for small to medium-sized businesses to even get compliant by the transition date,\u201d Davies said.<\/p>\n<p>The department relies on a CMMC ecosystem comprising private sector stakeholders to carry out the program\u2019s goals. The Cyber AB serves as the official CMMC accreditation body, while technology firm ISACA is responsible for training and certifying assessors who work at C3PAOs.<\/p>\n<p>Davies said Monday that her office had not yet informed the Cyber AB about the Pentagon\u2019s plans to suspend Phase 2 implementation or the impending 60-day study.<\/p>\n<p>In response to multiple questions from reporters on potential paths ahead, Davies and Duffey notably did not rule out the department completely cancelling the CMMC program altogether at the end of this pause and review period.<\/p>\n<p>\u201cI think there\u2019s a possibility for a number of avenues for us to take. We\u2019re really going to be relying on the results from the RFI, which is truly the defense industrial base\u2019s opportunity to give us direct feedback \u2026 about what they think would be effective from that perspective,\u201d the CIO told DefenseScoop.<\/p>\n<p>\t\t\tWritten by Brandi Vincent and Mikayla Easley<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DOD halts cybersecurity requirements for CMMC Phase 2: \u2018The math just simply doesn&#8217;t math\u2019\u00a0 https:\/\/defensescoop.com\/2026\/07\/13\/dod-halts-cmmc-cybersecurity-requirements-phase-2\/&#8230;<\/p>\n","protected":false},"author":1,"featured_media":242894,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/defensescoop.com\/wp-content\/uploads\/sites\/8\/2022\/06\/Pentagon-e1733939510914.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-242893","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242893"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=242893"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242893\/revisions"}],"predecessor-version":[{"id":242895,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242893\/revisions\/242895"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/242894"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=242893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=242893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=242893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}