{"id":242959,"date":"2026-07-14T01:09:00","date_gmt":"2026-07-14T05:09:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/14\/the-pentagon-just-paused-its-cybersecurity-certification-program-heres-what-everyone-is-missing\/"},"modified":"2026-07-14T01:30:12","modified_gmt":"2026-07-14T05:30:12","slug":"the-pentagon-just-paused-its-cybersecurity-certification-program-heres-what-everyone-is-missing","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/14\/the-pentagon-just-paused-its-cybersecurity-certification-program-heres-what-everyone-is-missing\/","title":{"rendered":"The Pentagon Just Paused Its Cybersecurity Certification Program. Here&#8217;s What Everyone Is Missing."},"content":{"rendered":"<p><a href=\"https:\/\/www.forbes.com\/sites\/emilsayegh\/2026\/07\/14\/the-pentagon-just-paused-its-cybersecurity-certification-program-heres-what-everyone-is-missing\/\">The Pentagon Just Paused Its Cybersecurity Certification Program. Here&#8217;s What Everyone Is Missing.<\/a><\/p>\n<p><a href=\"https:\/\/www.forbes.com\/sites\/emilsayegh\/2026\/07\/14\/the-pentagon-just-paused-its-cybersecurity-certification-program-heres-what-everyone-is-missing\/\">https:\/\/www.forbes.com\/sites\/emilsayegh\/2026\/07\/14\/the-pentagon-just-paused-its-cybersecurity-certification-program-heres-what-everyone-is-missing\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-14 01:09:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.forbes.com\">www.forbes.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. Secretary of War Pete Hegseth announces a 60-day review of the Cybersecurity Maturity Model Certification (CMMC) program, signaling a shift from emphasizing certification timelines toward reassessing how the Department validates cybersecurity across the Defense Industrial Base.Getty ImagesFew cybersecurity initiatives have generated as much debate across the Defense Industrial Base as the Cybersecurity Maturity Model Certification. Yesterday, that debate took another unexpected turn when Secretary of War Pete Hegseth&#8217;s Department of War suspended implementation of CMMC Phase II, established a 60-day CMMC Reform Task Force, and directed the Department to redesign the certification framework while maintaining existing cybersecurity obligations. The decision immediately raised questions about the future of CMMC, the role of third-party assessments, and whether defense contractors should continue investing in cybersecurity readiness.What Secretary Hegseth&#8217;s Team Actually AnnouncedAccording to the memorandum signed by the DOD\u2019s Chief Information Officer Kristen Davies, the Department will suspend the November 2026 transition to mandatory Phase II implementation, hold pending implementation milestones in abeyance, limit new procurements to Level 1 and Level 2 self-assessments during the review period, and deliver recommendations for a redesigned framework within sixty days. At the same time, the memorandum explicitly states that existing contractual cybersecurity requirements remain in effect, including compliance with National Institute of Standards and Technology Special Publication 800-171 Revision 2 and applicable Defense Federal Acquisition Regulation Supplement clauses. In announcing the decision, Under Secretary of War for Acquisition and Sustainment Michael Duffey described the Department&#8217;s objective as reducing &#8220;paralyzing costs&#8221; while preserving innovation and expanding participation throughout the Defense Industrial Base. Chief Information Officer Davies similarly argued that the existing implementation model had become difficult to scale, noting that more than 100,000 contractors would ultimately require assessments while only a fraction of that assessment capacity currently exists. Those comments make clear that the Department&#8217;s concern is not whether cybersecurity matters. The concern is whether the current implementation model is the most effective way to achieve it.Within hours, predictable narratives began emerging across the cybersecurity community. Some declared that CMMC was effectively dead. Others insisted that nothing had changed because contractors are still required to protect Controlled Unclassified Information.Neither conclusion accurately reflects what the Department actually announced.The Immediate Business ImpactThe Department&#8217;s decision represents a significant near-term disruption to the cybersecurity market.The November 2026 implementation milestone had become the primary catalyst driving customer urgency. Thousands of defense contractors were preparing for mandatory third-party assessments, while managed service providers, CMMC Third-Party Assessment Organizations, software vendors, and consultants had aligned hiring plans, investment strategies, and operating models around that timeline.Removing that milestone may slow purchasing decisions, delay some certification activities, and create uncertainty throughout the ecosystem. Organizations whose business models depend primarily on performing third-party assessments may likely experience the greatest immediate disruption. Defense contractors will understandably reassess budgets and implementation schedules until the Department provides additional guidance.What Contractors Should Not MisinterpretThe greater risk is not the Department&#8217;s announcement. The greater risk is that defense contractors misinterpret what the announcement actually changed.The memorandum does not suspend the responsibility to protect Controlled Unclassified Information. It does not suspend National Institute of Standards and Technology Special Publication 800-171. It does not eliminate Defense Federal Acquisition Regulation Supplement clause 252.204-7012. It does not eliminate System Security Plan requirements, Plans of Action and Milestones, or the obligation to accurately represent cybersecurity posture through Supplier Performance Risk System self-assessments. It certainly does not suspend the Department of Justice&#8217;s Civil Cyber-Fraud Initiative.Perhaps most importantly, CMMC itself is no longer merely a proposed framework. It completed the federal rulemaking process and became part of the Department&#8217;s regulatory framework. Today&#8217;s announcement changes implementation. It does not erase the underlying cybersecurity expectations that defense contractors have spent years preparing to satisfy.The Wrong DebateMuch of the industry&#8217;s discussion over the past year centered on whether the government had enough CMMC Third-Party Assessment Organizations to certify the Defense Industrial Base. That was always an incomplete diagnosis.More than 1,200 organizations have already achieved certification under the existing framework. That demonstrates meaningful progress was occurring and that the assessment ecosystem was continuing to mature.The larger challenge was contractor cyber readiness. Too many organizations postponed cybersecurity investments until regulatory deadlines approached. Others underestimated the operational effort required to implement the 110 security requirements contained within National Institute of Standards and Technology Special Publication 800-171. Still others viewed CMMC primarily as an audit rather than a transformation of how they manage cybersecurity risk. Yesterdays&#8217;s announcement does not eliminate that readiness gap.An Opportunity Hidden Inside UncertaintyEvery significant policy change creates uncertainty. It also creates opportunity.Organizations now have something many believed they lacked only days ago: additional time. That time should not be viewed as an opportunity to delay cybersecurity investments. It should be viewed as an opportunity to strengthen governance, reduce technical debt, mature operational processes, improve identity management, enhance monitoring and incident response capabilities, and fully implement the security controls that will continue protecting sensitive defense information regardless of how the certification framework evolves.The companies that use this period to build mature cybersecurity programs will be better positioned regardless of what the Department ultimately decides.Looking Beyond ComplianceThe most important lesson from this week&#8217;s announcement extends well beyond CMMC compliance. Cybersecurity was never supposed to be driven solely by compliance deadlines. Third-party certification was intended to validate cybersecurity maturity, not create it. The objective has always been a stronger Defense Industrial Base capable of protecting America&#8217;s most sensitive technologies, safeguarding Controlled Unclassified Information, and maintaining the military advantage upon which national security depends.Implementation strategies may evolve. Certification frameworks may change. Political administrations will come and go. But, the responsibility to protect the Defense Industrial Base remains exactly the same. That mission did not pause this week, and neither should the industry&#8217;s commitment to achieving it.<br \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Pentagon Just Paused Its Cybersecurity Certification Program. Here&#8217;s What Everyone Is Missing. https:\/\/www.forbes.com\/sites\/emilsayegh\/2026\/07\/14\/the-pentagon-just-paused-its-cybersecurity-certification-program-heres-what-everyone-is-missing\/ Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":242960,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imageio.forbes.com\/specials-images\/imageserve\/6a55c31a10d8d7f192568951\/0x0.jpg?format=jpg&height=900&width=1600&fit=bounds","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-242959","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242959"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=242959"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242959\/revisions"}],"predecessor-version":[{"id":242961,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242959\/revisions\/242961"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/242960"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=242959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=242959"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=242959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}