Key Takeaways
- The DoD has suspended the planned rollout of phase‑two CMMC third‑party assessments, which were to begin requiring independent cybersecurity audits for all contracts handling sensitive but unclassified information starting Nov 10, 2026.
- Phase‑one self‑assessment requirements, effective November 2025, remain in force while the suspension is in effect.
- CIO Kirsten Davies announced a 60‑day “top‑to‑bottom” review of the CMMC program, citing concerns that the current model imposes prohibitive burdens on small and non‑traditional defense contractors.
- The review will be led by a newly formed CMMC Reform Task Force tasked with recommending a framework that lowers barriers to entry, prioritizes speed to capability, and replaces costly third‑party compliance with scalable, realistic security measures.
- During the suspension, DoD will continue to rely on self‑assessments and select government‑led evaluations, focusing on tangible cyber hygiene rather than extensive third‑party certification.
Background on the CMMC Program
The Cybersecurity Maturity Model Certification (CMMC) framework was introduced by the Department of Defense to ensure that contractors handling federal information maintain adequate cybersecurity protections. The model consists of multiple maturity levels, ranging from basic cyber hygiene to advanced, proactive defenses. Initially, the DoD planned a staggered implementation: phase‑one required contractors to perform self‑assessments for certain levels, while phase‑two would mandate independent evaluations by Certified Third‑Party Assessment Organizations (C3PAOs) for all contracts involving sensitive but unclassified data. This phased approach aimed to gradually raise the security posture of the Defense Industrial Base (DIB) while giving industry time to adapt.
Decision to Suspend Phase‑Two Rollout
On July 13, 2026, DoD Chief Information Officer Kirsten Davies issued a memo announcing the suspension of plans to introduce phase‑two CMMC requirements. The memo specifically halted the November 10, 2026 deadline that would have compelled third‑party cybersecurity assessments across the entirety of the DIB for relevant contracts. Davies emphasized that the pause is temporary, pending the outcome of a comprehensive review, and that existing phase‑one self‑assessment obligations remain unchanged. The suspension also extends to any pending or future CMMC milestones until further notice, effectively freezing the program’s expansion.
Rationale Behind the Suspension
Davies justified the suspension by asserting that the current CMMC iteration conflicts with Secretary Pete Hegseth’s Acquisition Transformation System initiative, which seeks to eliminate unnecessary bureaucracy and foster innovation within the defense sector. She argued that while cybersecurity is indispensable, the existing compliance regime imposes “significant and often prohibitive burdens” on contractors, especially small businesses and non‑traditional entrants that drive technological advancement. The memo warned that allowing administrative compliance to overshadow warfighting capability could undermine the very industrial base the DoD aims to protect.
Evidence of Industry Strain
The memo cited “recent data and feedback” indicating that the CMMC program, as structured, is incompatible with the DoD’s goal of rapidly expanding the DIB. Notably, reports from the Small Business Administration highlighted concerns about escalating compliance costs, a scarcity of qualified third‑party assessors, and convoluted regulatory timelines. These factors, according to Davies, are pushing innovative newcomers and small firms to forego DoD contracts altogether, thereby constricting the supply chain and limiting access to critical capabilities. The cumulative effect is a market distortion where compliance costs outweigh the benefits of participation for many potential suppliers.
Impact on Small and Non‑Traditional Businesses
Small and non‑traditional businesses form a vital segment of the defense ecosystem, often delivering agile solutions and cutting‑edge technologies that larger primes may overlook. The CMMC’s third‑party assessment requirement imposes substantial financial and administrative overhead: firms must engage accredited C3PAOs, allocate resources for remediation, and navigate lengthy assessment cycles. For companies with limited budgets and staff, these demands can be prohibitive, effectively barring them from competing for DoD work. Davies’ memo underscored that such barriers threaten the diversity and resilience of the industrial base, potentially concentrating power that the department relies on for rapid innovation.
Formation of the CMMC Reform Task Force
To address these challenges, Davies has instituted a 60‑day “CMMC Reform Task Force” charged with delivering actionable recommendations. The task force’s mandate centers on three primary objectives: (1) prioritizing speed to capability so that security measures do not impede mission timelines, (2) lowering barriers for small, medium, and non‑traditional businesses to encourage broader participation, and (3) replacing the existing high‑cost, third‑party compliance model with scalable, realistic security practices that maintain adequate protection without excessive bureaucracy. The group is expected to consult stakeholders across industry, academia, and government to craft a revised framework aligned with the Acquisition Transformation System’s principles.
Current Interim Measures
While the review proceeds, the DoD will continue to rely on phase‑one self‑assessments and select government‑led evaluations to satisfy cybersecurity requirements for contracts. Davies emphasized a shift in focus toward “tangible cyber hygiene” rather than pursuing costly third‑party certifications and the associated red tape. This approach aims to maintain baseline security controls—such as patch management, access controls, and incident response readiness—while the department explores less burdensome alternatives that still mitigate risk effectively.
Implications for Contractors
For contractors currently navigating the CMMC landscape, the suspension provides a temporary reprieve from the looming requirement to secure third‑party assessments. Companies that had already begun procuring C3PAO audits in anticipation of the November 2026 deadline may now pause those expenditures, reallocating resources toward other compliance activities or business development. However, the uncertainty surrounding the program’s future necessitates vigilance; contractors should monitor the task force’s findings and be prepared to adapt to any revised standards that emerge from the review process.
Broader Strategic Context
The DoD’s reconsideration of CMMC reflects a larger strategic pivot toward balancing security imperatives with acquisition agility. As near‑peer competitors accelerate their own technological advancements, the department seeks to ensure that its procurement processes do not become a choke point for innovation. By reassessing CMMC, the DoD aims to preserve the integrity of its supply chain while fostering an environment where cutting‑edge solutions can reach warfighters swiftly. The outcome of the 60‑day review could set a precedent for how future cybersecurity frameworks are designed—emphasizing effectiveness, proportionality, and accessibility over rigid, one‑size‑fits‑all mandates.
Conclusion
In summary, the DoD’s decision to suspend the ramp‑up of CMMC third‑party assessments, coupled with a top‑to‑bottom review led by CIO Kirsten Davies, signals a reevaluation of how cybersecurity compliance is imposed on the defense industrial base. The move responds to mounting concerns about cost, assessment capacity, and the stifling effect on small and innovative contractors. Through the newly formed CMMC Reform Task Force, the department seeks to craft a more streamlined, scalable approach that upholds essential security protections while enabling rapid capability delivery and industrial base growth. Stakeholders across the DIB should anticipate potential changes to compliance requirements and prepare to engage with the forthcoming recommendations.

