Key Takeaways
- The Department of Defense (DoD) has paused Phase II of the Cybersecurity Maturity Model Certification (CMMC) program, halting mandatory third‑party assessments for contractors.
- CMMC does not create cybersecurity standards; it enforces compliance with NIST SP 800‑171 Rev 2, which defines 110 controls for protecting Controlled Unclassified Information (CUI).
- During the pause, the DoD will rely on contractor self‑assessments focused on tangible cyber hygiene rather than administrative paperwork.
- Industry experts warn that self‑attestation without independent verification creates a “grading your own homework” problem, increasing uncertainty and potential False Claims Act risk.
- A future solution is likely to be a risk‑based model: lighter requirements and self‑assessment for low‑risk work, with stronger evidence and government‑led or independent assessments reserved for high‑risk contracts.
- Any revised framework must balance security assurance with reduced cost and complexity, especially for small and mid‑sized defense contractors.
Background on the CMMC Pause
On Monday, leaders from the Department of Defense and the Small Business Administration announced a temporary halt to Phase II of the Cybersecurity Maturity Model Certification (CMMC) program. Phase II originally required defense contractors bidding on certain capabilities to undergo third‑party assessments confirming compliance with cybersecurity standards. The pause does not eliminate the underlying standards; it merely suspends the external validation component while the DoD evaluates how best to maintain assurance without imposing undue burden on industry.
What CMMC Actually Does
CMMC itself does not set cybersecurity requirements; those are sourced from NIST SP 800‑171 Revision 2, which outlines 110 specific controls designed to protect Controlled Unclassified Information (CUI). The certification model acts as a gatekeeper: it verifies that a contractor claiming to meet those NIST controls has indeed implemented them adequately. By separating standard‑setting from verification, CMMC aimed to provide a scalable, tiered approach to cybersecurity maturity across the Defense Industrial Base (DIB).
The Rationale Behind the Pause
DoD officials characterized the pause as a pragmatic step rather than a reversal of policy. Katie Arrington, often credited as the architect of CMMC, noted in a LinkedIn video that the hiatus “shouldn’t be a shocker to anybody” and anticipates that the Pentagon will eventually return to a similar verification regime once it recognizes that “there really is no other way to get compliance.” The pause is intended to give the department time to reassess how to achieve the same security outcomes while addressing concerns about cost, complexity, and accessibility for smaller contractors.
Shift to Self‑Assessments
During the hiatus, the DoD will enforce baseline cybersecurity compliance through contractor self‑assessments. These assessments are meant to concentrate on tangible cyber hygiene—practical actions like patch management, multi‑factor authentication, and secure configuration—rather than on administrative overhead that can distract from actual security improvements. The department believes this focus will sustain a baseline level of protection while it works on a longer‑term solution.
Industry Concerns About Self‑Attestation
Experts and industry figures have warned that relying solely on self‑assessments recreates the “grading your own homework” problem identified by the DoD Inspector General seven years ago. Jacob Horne, Chief Cybersecurity Evangelist at Summit 7, emphasized that without independent validation, the government cannot verify the truth of a contractor’s claims. Michael Brooks, a lead CMMC Certified Assessor at A‑LIGN, added that this approach heightens uncertainty for program offices, prime contractors, and supply‑chain partners, and raises the risk of False Claims Act violations when cybersecurity assertions cannot be substantiated.
The Need for Reliable Evidence
Georgianna Shea, chief technologist at the Foundation for Defense of Democracies Center on Cyber and Technology Innovation, argued that the central policy question is not whether third‑party assessments are inherently good or bad, but whether the DoD can obtain reliable evidence of cybersecurity commensurate with the actual risk. She cautioned that certification without meaningful evidence can become a mere compliance industry, while self‑attestation without verification can devolve into a paper exercise. Any future program must avoid both extremes by ensuring that evidence is proportionate to the risk posed by the information, systems, or suppliers involved.
Perspective from a Service Provider
Emil Sayegh, CEO of Cybersheath—a firm that also offers CMMC certification services—echoed the view that most organizations genuinely believe they are compliant, but interpreting and objectively evaluating cybersecurity controls is challenging without independent validation. He noted that third‑party assessments were never intended solely to catch bad actors; they were designed to provide an objective measure of cybersecurity maturity and create accountability in a system that otherwise leans heavily on contractor self‑representations. Sayegh hopes the DoD will use the pause to craft a framework that preserves CMMC’s security objectives while reducing unnecessary cost and complexity, particularly for small and mid‑sized contractors.
A Risk‑Based Path Forward
Shea envisions the Pentagon possibly slimming Phase II‑style third‑party assessments to be more fit for purpose: applying lighter requirements and self‑assessment for lower‑risk contracts, while reserving stronger evidence and independent or government‑led assessments for higher‑risk work—such as systems handling particularly sensitive CUI or supporting critical missions. This risk‑based model could lower barriers for small and non‑traditional businesses without treating every contractor as if it presented the same level of threat. The challenge, she warned, lies in developing a consistent method for determining risk across the diverse DIB.
Conclusion and Outlook
The current pause in CMMC Phase II does not signal a abandonment of cybersecurity rigor; rather, it reflects a recognition that the existing one‑size‑fits‑all third‑party assessment approach may be overly burdensome for many contractors while still leaving gaps in assurance. Stakeholders agree that some form of independent verification remains essential to trusted cybersecurity across the defense supply chain. The path forward will likely involve a differentiated, risk‑based strategy that balances security needs with the practical realities of cost and accessibility, aiming to protect CUI without imposing unjustifiable barriers on the nation’s defense industrial base. The next 60‑90 days will be critical as the DoD works to translate these insights into a concrete, sustainable framework.

