DOD halts cybersecurity requirements for CMMC Phase 2: ‘The math just simply doesn’t math’
The Pentagon placed an immediate freeze on forthcoming cybersecurity requirements after government research suggested the policy would drive many businesses out of the defense industrial base at a time when the U.S. military urgently needs their innovations.
Defense Department Chief Information Officer Kirsten Davies and Under Secretary of Defense for Acquisition and Sustainment Michael Duffey unveiled plans Monday to suspend the much-anticipated Cybersecurity Maturity Model Certification (CMMC) Phase 2 requirements that were set to take effect Nov. 10. A new CMMC Reform Task Force is expected to conduct a review of the entire program and submit a report of its findings and recommendations within the next 60 days.
This major pause comes as contractors have been hustling to obtain third-party assessments of their CMMC compliance in preparation for that near-term enforcement date.
“Every dollar spent on security is a wise dollar spent, and so those who have been forward leaning in uplifting their cyber posture — in assessing what their posture is, and doing something about it — they have contributed to national security,” Davies told a small group of reporters ahead of the official announcement. “That is not money that is spent in vain, and so that is a huge message.”
The Pentagon plans to release a new request for information to garner stakeholders’ feedback on the move and associated compliance challenges. The CMMC Reform Task Force will analyze the responses as part of its upcoming review of the program.
“We’re standing that up, effective today. So that will be a cross-department task force with representatives from the Office of the CIO, [and other directorates including] from Acquisition and Sustainment, from Research and Engineering, Information and Security, Legislative Affairs, Public Affairs, Legal,” Davies told DefenseScoop. “It’s truly going to be a cross-functional team.”
CMMC is a tiered cybersecurity framework that requires defense contractors working with federal contract information (FCI) or controlled unclassified information (CUI) to implement specific cyber controls defined by the National Institute of Standards and Technology (NIST). The Pentagon began a three-year implementation plan in November 2025 that was intended to incrementally introduce CMMC requirements each year.
The program was established in 2019 by the first Trump administration as a mechanism to ensure defense contractors were properly storing and transmitting the Pentagon’s sensitive data and preventing it from being exploited by adversaries. CMMC did not create new cybersecurity requirements, but instead mandated that vendors prove they are implementing cyber controls enforced by federal law.
After it was introduced, CMMC was met with significant backlash from the defense industrial base. Many argued that the program was too complicated and would place a significant cost burden on vendors — namely small businesses, subcontractors and new entrants into the defense industry.
Feedback from industry prompted the Defense Department to reorganize the program into what is known as CMMC 2.0. And after a multi-year federal rulemaking process, the Pentagon formally began enforcing CMMC compliance in contracts in November 2025 — requiring contract solicitations to include verification as a condition to win bids.
The Defense Department originally planned to introduce CMMC requirements through a three-year implementation plan. Phase 1 began in November 2025 and required self-assessments under CMMC Level 1 and Level 2.
Phase 2 was expected to kick off in November 2026, and would have forced companies to achieve CMMC Level 2 by passing an assessment from a Certified Third-Party Assessor Organization (C3PAO) in order to receive contract awards. Phase 3 would have followed in November 2027, introducing Level 3 Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessments.
During this interim period as senior leaders figure out the best path ahead, they said DOD will enforce cybersecurity compliance with the NIST Special Publication 800-171 Revision 2 standard through self-assessments and select government-led assessments.
“By pausing [CMMC] Phase 2 implementation, we are keeping more companies in the DIB who would otherwise be forced out of the market at a time when we need them most,” Duffey said.
“We are not reducing cybersecurity through this measure,” Davies added. “We are reducing the red tape it gets to them getting to the place where they can get their capabilities into the hands of our warfighters.”
The industrial base’s readiness for CMMC has been a significant concern, as misconceptions about the program and the years it took to actually begin implementation caused some vendors to delay taking actions.
A report from the Government Accountability Office published in March found that the cybersecurity standards might prove too difficult and costly for some small businesses to meet, forcing them out of the defense industrial base. DefenseScoop previously reported that the time and money a contractor has to spend on CMMC depends on multiple factors — such as how well it has implemented cybersecurity controls in the past, as well as what information it is handling.
The main hurdle isn’t always adding new cybersecurity capabilities, but actually updating a company’s internal processes, cyber governance or responsibilities to prove compliance.
“Every single meeting I’ve had on the Hill has had a peppering, or a flavor of ‘What is your plan for CMMC?’ So this is a broad across-the-board conversation that small and medium-sized businesses are having with their representatives, [the primes and DOD],” Davies said. “I think at this point, really, what it’s come to is a fulcrum of ‘we really need to do something about this.’ This is not achieving what it was intended to achieve, and so we need to think differently about it.”
Recent data from the Small Business Administration also deeply influenced this temporary suspension. Davies noted that SBA Administrator Kelly Loeffler recently led an extensive tour of small to medium-sized businesses across America.
CMMC compliance was “the number one topic” that came up in conversation, SBA told DOD.
In particular, Davies said the insights suggested that moving into the future phases of the CMMC implementation could cost more $7 billion annually for such businesses to gain compliance approvals. At the same time, there appears to be a massive mismatch between the more than 100,000 DIB companies needing third‑party assessments, and only around 100 assessors approved to complete them.
“So the math just simply doesn’t math for small to medium-sized businesses to even get compliant by the transition date,” Davies said.
The department relies on a CMMC ecosystem comprising private sector stakeholders to carry out the program’s goals. The Cyber AB serves as the official CMMC accreditation body, while technology firm ISACA is responsible for training and certifying assessors who work at C3PAOs.
Davies said Monday that her office had not yet informed the Cyber AB about the Pentagon’s plans to suspend Phase 2 implementation or the impending 60-day study.
In response to multiple questions from reporters on potential paths ahead, Davies and Duffey notably did not rule out the department completely cancelling the CMMC program altogether at the end of this pause and review period.
“I think there’s a possibility for a number of avenues for us to take. We’re really going to be relying on the results from the RFI, which is truly the defense industrial base’s opportunity to give us direct feedback … about what they think would be effective from that perspective,” the CIO told DefenseScoop.