Advertisement

Pentagon task force to review CMMC hits the ground running

The task force held its first meeting Thursday, just days removed from CIO Kirsten Davies initiating a pause of CMMC phase 2 requirements and a review of the entire program.
Listen to this article
0:00
Learn more. This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.
Department of Defense Chief Information Officer Kirsten Davies delivers remarks at a CIO town hall at the Mark Center, Alexandria Va., Feb. 10, 2026. (DoD photo by U.S. Navy Petty Officer 1st Class Alexander Kubitza)

The Department of Defense task force established to conduct a top-to-bottom review of the Cybersecurity Maturity Model Certification kicked off Thursday, according to the Pentagon’s top IT chief.

Kirsten Davies, chief information officer of the DOD, told reporters the task force met for the first time Thursday in the Pentagon after she formally announced its creation Monday as part of a 60-day pause of forthcoming phase 2 requirements under the CMMC program and a review of the overall program.

Phase 2 requirements were set to take effect Nov. 10. They would have required defense contractors to meet level 2 of CMMC compliance by receiving accreditation from a Certified Third-Party Assessor Organization to receive contract awards. 

As part of the review, the department issued a request for information to solicit feedback from defense industrial base companies and assessment organizations on how burdensome CMMC compliance is, what existing commercial cyber solutions they use to safeguard data and how the department “might better recognize or accept these commercial solutions within a compliance or risk framework,” among other things. At the conclusion of the 60 days, the task force will take responses to that RFI into account for its final recommendations on how to proceed with the CMMC program.

Advertisement

Davies reiterated that the group features leadership from the department’s directorates for acquisition and sustainment, and intelligence and security, the Office of the CIO, general counsel, public affairs and legislative affairs, as well as the Small Business Administration and the White House. When asked, she stopped short of naming its members, its total size or how often it plans to meet.

“We are in the 60 days. [The task force] is actually stood up. They had their first meeting today across the hallway from my office,” she said, adding that the group will report to her principal deputy.

Davies committed to making the report publicly available when ready, saying that when the 60-day period concludes, she will give the task force “about 15 days” to get “all of the recommendations synthesized, all the feedback from industry put back together.”

“We’re hoping shortly thereafter that we’ll be able to make that report public along with the recommendations. It could include everything from, you know, an overhaul to small tweaks here and there,” Davies said. “But …  we’re not going to do a death by 1,000 cuts and just change for the sake of change. We are going to listen to what the defense industrial base has to say, especially small and innovative companies, and we are going to incorporate the voice of small companies to make sure that we are truly reducing barriers to entry for them to do business with the department.”

The Pentagon is leaving all options on the table in terms of potential outcomes for the review, which the CIO described as a “soup-to-nuts” process.

Advertisement

“We’re looking at the totality of the Cybersecurity Maturity Model Certification program,” Davies told reporters. “We’re also going to be looking at that through the lens of the NIST framework requirements, the DFARS requirements, as well as the cyber threat landscape. So when we think about the cyber threats to IT and OT environments, are we actually looking at the right requirements? Have we presented, put forth the right framework, or is there a better way to actually get at the result of more cybersecurity and greater resiliency?” 

Despite the pause, Davies stressed the importance of continued supply chain cybersecurity and that defense contractors must continue to self-attest to meeting the NIST 800-171 Rev. 2 standards for handling controlled unclassified information — the core of CMMC compliance. 

“We also have the ability at any time, based on contractual regulations, to step in and conduct in-person assessments or documentation assessments of our defense industrial base as well,” she said.

Davies was joined by Michael Duffey, undersecretary of defense for acquisition and sustainment, and Kelly Loeffler, head of the Small Business Administration, on a tour of a small, innovative defense manufacturing contractor called Kform in Sterling, Virginia. The trio made brief remarks and took questions after the tour with the company’s CEO, Callye Keen, who also spoke briefly about the impact of CMMC on his company.

“Year after year, we have to make the decision: Do I buy another piece of equipment? Do I invest in a robot? Do I hire another engineer? Or do I meet CMMC compliance, or yet another piece of compliance?” Keen said.

Billy Mitchell

Written by Billy Mitchell

Billy Mitchell is Senior Vice President and Executive Editor of Scoop News Group's editorial brands. He oversees operations, strategy and growth of SNG's award-winning tech publications, FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. Prior to joining Scoop News Group in early 2014, Billy embedded himself in Washington, DC's tech startup scene for a year as a tech reporter at InTheCapital, now known as DC Inno. After earning his degree at Virginia Tech and winning the school's Excellence in Print Journalism award, Billy received his master's degree from New York University in magazine writing while interning at publications like Rolling Stone.

Latest Podcasts