Key Takeaways
- The Pentagon has imposed an immediate freeze on the forthcoming CMMC Phase 2 requirements slated to begin Nov. 10, pending a 60‑day review.
- A cross‑department CMMC Reform Task Force, led by CIO Kirsten Davies and Under Secretary Michael Duffey, will gather stakeholder feedback via a new RFI and recommend changes or possible cancellation of the program.
- Industry feedback highlighted that the original CMMC framework was overly complex and costly, especially for small businesses, risking their exclusion from the defense industrial base.
- While pausing Phase 2, the DOD will continue to enforce cybersecurity through NIST SP 800‑171 Rev 2 self‑assessments and limited government‑led evaluations.
- Officials stressed that the pause aims to reduce red tape, not cybersecurity rigor, and to keep more contractors in the supply chain at a time when innovation is urgently needed.
- The outcome of the 60‑day study will determine whether CMMC is revised, retained in a modified form, or discontinued altogether.
Overview of the Pentagon’s Freeze on CMMC Phase 2
The Department of Defense announced an immediate halt to the rollout of Cybersecurity Maturity Model Certification (CMMC) Phase 2 requirements, which were scheduled to take effect on November 10. The decision follows government research indicating that enforcing the next phase would push many contractors out of the defense industrial base at a moment when the U.S. military desperately needs their innovative capabilities. By freezing the requirement, the Pentagon hopes to preserve contractor participation while it reevaluates the program’s feasibility and impact.
Leadership Announcement and Formation of the CMMC Reform Task Force
Defense Department Chief Information Officer Kirsten Davies and Under Secretary of Defense for Acquisition and Sustainment Michael Duffey unveiled the freeze during a briefing on Monday. They announced the creation of a CMMC Reform Task Force, a cross‑functional team comprising representatives from the Office of the CIO, Acquisition and Sustainment, Research and Engineering, Information and Security, Legislative Affairs, Public Affairs, and Legal. The task force has 60 days to analyze stakeholder input, produce findings, and deliver recommendations on the future of CMMC.
Contractors’ Rush to Meet the Imminent Deadline
Prior to the pause, defense contractors had been scrambling to obtain third‑party assessments of their CMMC compliance in preparation for the November 10 enforcement date. The looming deadline had created a surge of activity as firms sought to avoid disqualification from upcoming contract solicitations. The abrupt freeze alleviates that pressure, giving companies breathing room while the DOD reconsiders the approach.
Davies on the Value of Cybersecurity Investment
Speaking to a small group of reporters ahead of the official announcement, Kirsten Davies emphasized that “every dollar spent on security is a wise dollar spent.” She praised organizations that had already advanced their cyber posture, noting that such investments contribute directly to national security and are not wasted. Davies used this point to reassure industry that the pause does not signal a retreat from cybersecurity diligence.
Plans for a New Request for Information (RFI)
To inform its review, the Pentagon will issue a new request for information aimed at gathering stakeholder feedback on the pause and associated compliance challenges. The CMMC Reform Task Force will analyze the responses as part of its 60‑day study. Davies described the RFI as “the defense industrial base’s opportunity to give us direct feedback” about what modifications would be effective and practical from the contractors’ perspective.
CMMC Framework Origins and Three‑Year Implementation Plan
CMMC is a tiered cybersecurity framework that obliges defense contractors handling federal contract information (FCI) or controlled unclassified information (CUI) to implement specific controls defined by the National Institute of Standards and Technology (NIST). Initially launched in 2019 under the first Trump administration, the program was designed to ensure contractors properly safeguard Pentagon data without creating new cyber mandates—only requiring proof of compliance with existing federal law. The DOD originally planned a three‑year rollout: Phase 1 (self‑assessments for Levels 1‑2) began in November 2025; Phase 2 would have mandated third‑party assessments for Level 2 starting November 2026; and Phase 3 would have introduced Level 3 evaluations via the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) in November 2027.
Industry Backlash and the Shift to CMMC 2.0
Soon after its introduction, CMMC drew significant criticism from the defense industrial base, with many arguing that the program was excessively complicated and imposed prohibitive costs—particularly on small businesses, subcontractors, and new entrants. In response to this feedback, the DOD reorganized the requirements into what became known as CMMC 2.0. After a multi‑year federal rulemaking process, the updated framework was formally embedded in contracts beginning in November 2025, requiring verification of compliance as a condition for award.
Details of the Phased Implementation Timeline
Under the original schedule, Phase 1 (November 2025) required contractors to perform self‑assessments against CMMC Levels 1 and 2. Phase 2, slated for November 2026, would have compelled firms to achieve Level 2 certification by passing an assessment conducted by a Certified Third‑Party Assessor Organization (C3PAO). Phase 3, planned for November 2027, would have raised the bar to Level 3, necessitating evaluations by the DIBCAC. The pause specifically affects the Phase 2 mandate, leaving Phase 1’s self‑assessment requirement in place for now.
Interim Enforcement Through NIST SP 800‑171 Rev 2
While the CMMC Phase 2 requirement is suspended, the DOD will continue to enforce cybersecurity standards using the NIST Special Publication 800‑171 Revision 2 framework. Contractors will be expected to comply via self‑assessments, supplemented by select government‑led evaluations. This approach maintains a baseline of protection for FCI and CUI while avoiding the immediate financial and logistical burden of third‑party CMMC assessments.
Leadership Statements on Retaining Contractors and Security Rigor
Under Secretary Duffey argued that pausing Phase 2 “keeps more companies in the DIB who would otherwise be forced out of the market at a time when we need them most.” Davies echoed this sentiment, insisting that the move does not reduce cybersecurity but rather “reduces the red tape it takes [contractors] to get to the place where they can get their capabilities into the hands of our warfighters.” Both officials stressed that the goal is to preserve the industrial base’s capacity to innovate while still safeguarding sensitive information.
Readiness Concerns, GAO Findings, and Process‑Centric Challenges
A March Government Accountability Office report warned that the cybersecurity standards could prove too difficult and costly for many small businesses, potentially driving them out of the defense supply chain. Industry analysts noted that the primary obstacle is often not the addition of new technical controls but the need to overhaul internal processes, cyber governance, and accountability structures to demonstrate compliance. Davies observed that every congressional meeting she attended featured questions about the DOD’s CMMC plan, underscoring widespread anxiety among small and medium‑sized enterprises.
SBA Input, Cost Estimates, and Assessor Shortage
Recent data from the Small Business Administration further shaped the pause decision. Davies revealed that SBA Administrator Kelly Loeffler’s nationwide tour of small‑ to medium‑sized businesses identified CMMC compliance as the “number one topic” of concern. The SBA indicated that meeting future CMMC phases could cost such firms upwards of $7 billion annually. Adding to the strain, there are more than 100,000 defense‑industrial‑base companies needing third‑party assessments, yet only about 100 assessors are currently authorized to perform them—a mismatch that makes timely compliance implausible for many.
Structure of the CMMC Ecosystem and Notification Gaps
The CMMC program relies on a private‑sector ecosystem: the Cyber AB serves as the official accreditation body, while ISACA handles training and certification for assessors who work at C3PAOs. Davies acknowledged that her office had not yet notified the Cyber AB of the Pentagon’s intent to suspend Phase 2 implementation or launch the ensuing 60‑day study, highlighting a communication gap that the task force will need to address.
Potential Paths Forward, Including Possible Cancellation
When questioned about possible outcomes, Davies and Duffey declined to rule out the complete cancellation of the CMMC program after the review period. Davies stated that the department will “really be relying on the results from the RFI,” which will provide the defense industrial base’s candid perspective on what would work best. The upcoming study could lead to a revised CMMC framework, a retained but modified version, or, if feedback warrants, the termination of the initiative altogether.

