WASHINGTON — The Pentagon has suspended Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, effective immediately, citing prohibitive compliance burdens on the defense industrial base, particularly small and non-traditional contractors.
“In support of Secretary of Defense Pete Hegseth’s directive to aggressively scale warfighter readiness, I’m announcing the immediate suspension of the Cybersecurity Maturity Model Certification, or CMMC, Phase II requirements, which were originally scheduled to go into effect November 10, 2026,” Chief Information Officer Kirsten Davies told reporters at the Pentagon. “I want to be clear across the Department of Defense and our defense industrial base: investing in and dynamically maintaining robust cybersecurity remains a critical, non-negotiable priority. This action does not eliminate the legal requirement for our industry partners to protect federal data.”
Davies added, “We are not reducing cybersecurity through this measure. We are reducing the red tape.”
A July 10 memo released by the department states that the current CMMC framework imposes “significant and often prohibitive burdens on the Defense Industrial Base (DIB), particularly the small and non-traditional businesses that are the engine of American innovation. While cybersecurity is essential, administrative compliance cannot come at the cost of warfighting capability and industrial base growth.”
The administration has prioritized reducing bureaucratic hurdles to accelerate capability delivery and expand the industrial base. CMMC has been in development since 2019, driven by concerns that adversaries were infiltrating contractors and suppliers to steal and aggregate sensitive information. The program was designed to secure the entire supply chain against such threats.
Originally structured as a five-tier framework, the Biden administration streamlined the program to three levels under CMMC 2.0 in 2021. Phase II — the target of the suspension — mandated both self-assessments and third-party assessments every three years for Levels II and III.
“What is changing? Let me be direct,” said Michael Duffey, Undersecretary of Defense for Acquisition and Sustainment. “We are halting complex audits. We are stopping the requirement for third-party assessors and audits. We are cleaning up active solicitations immediately. If a current defense solicitation or contract contains those suspended Phase II requirements, I have directed our program managers and contracting officers to amend or modify them as soon as possible.”
A critical bottleneck drove the decision: the Pentagon estimates over 100,000 defense industrial base businesses require third-party assessments, yet only roughly 100 assessors are available.
“The math just simply doesn’t math for small to medium-sized businesses to even get compliant by the former transition date,” Davies said.
The memo notes that feedback from the Small Business Administration documents the current CMMC program as “structurally incompatible with our need to rapidly expand the DIB.”
The department will launch a task force to conduct a comprehensive 60-day review of CMMC, serving as a central hub for synthesizing industry feedback on compliance challenges. The task force will issue a final report recommending realistic measures that prioritize speed to capability and lower barriers for small and non-traditional companies.
During the review period, the Pentagon will continue enforcing baseline cybersecurity compliance through the NIST SP 800-171 Rev 2 standard via self-assessments, focusing on tangible cyber hygiene rather than administrative overhead.
Officials emphasized the suspension does not relax security standards.
“We’re not relaxing any standards by any means,” Duffey said. “We expect businesses to adhere to the standards that NIST has outlined. What we’re removing is the bureaucracy of the third-party assessment.”
The decision is expected to relieve defense firms that have long argued the CMMC regimen created excessive obstacles, particularly for resource-constrained small businesses. However, it draws criticism from program architects such as Katie Arrington, widely credited with creating CMMC during the first Trump administration.
“Going on LinkedIn and complaining to the world that the CMMC is too hard … you’re — and I want to say this with the most respect I can to anybody — you’re foolish in what your statement is, because your company has been contracted since 2014 to institute the 110 requirements of the NIST 171,” Arrington said last year while performing the duties of the DoD CIO. “What you’re saying is you’re noncompliant.”
Also Read
- Fashion Mogul Peter Nygard Pleads Guilty to Quebec Sexual Assault Charges
- Man Shot By ICE In Maine Was Not Operation’s Target, Senator Says
- Oslo Royal Palace Hosts Record Crowd to Celebrate Norway’s World Cup Squad After Quarterfinal Exit
- South Carolina Appoints Lindsey Graham’s Sister to Complete Senate Term Following His Death

