Key Takeaways
- The Pentagon is immediately suspending the third‑party assessment component of CMMC Phase II, which was set to take effect November 10, 2026.
- Officials say the move cuts “red tape” while preserving the underlying cybersecurity standards; they emphasize that protecting federal data remains a non‑negotiable priority.
- A July 10 memo cites the current CMMC structure as overly burdensome, especially for small and non‑traditional defense firms that drive innovation.
- The suspension responds to a documented shortage of qualified assessors—fewer than 150 for over 100,000 businesses needing evaluation.
- A 60‑day task force will review CMMC, gather industry feedback, and recommend ways to speed capability delivery and lower entry barriers.
- During the review, baseline compliance will be enforced through NIST SP 800‑171 Rev 2 self‑assessments, focusing on tangible cyber hygiene rather than administrative audits.
Announcement of the CMMC Phase II Suspension
Kirsten Davies, the Department of Defense’s chief information officer, announced at a Pentagon briefing that the Cybersecurity Maturity Model Certification (CMMC) Phase II) suspended effective immediately. She clarified that the decision does not weaken cybersecurity obligations but removes the “onerous burdens” associated with third‑party audits. Davies stressed that investing in and dynamically maintaining robust cybersecurity remains a critical, non‑negotiable priority across the Department of War and the defense industrial base.
Memo Highlights Disproportionate Burden on Small Firms
A July 10 memo released alongside the announcement explains that the current CMMC framework imposes “significant and often prohibitive burdens” on the Defense Industrial Base (DIB), particularly on small and non‑traditional businesses. The memo argues that while cybersecurity is essential, administrative compliance should not impede warfighting capability or industrial‑base growth. It notes that the program’s complexity disproportionately affects the very firms that are expected to drive innovation and rapid capability delivery.
Administrative Streamlining Aligns with Administration Goals
The suspension aligns with the current administration’s broader agenda to loosen perceived bureaucratic restrictions that slow the delivery of defense systems. By reducing red tape, the Pentagon aims to accelerate fielding of new capabilities while simultaneously expanding the industrial base. Officials contend that streamlining compliance processes will help meet urgent warfighter readiness targets without sacrificing security fundamentals.
Historical Evolution of CMMC from Trump to Biden
CMMC originated during the first Trump administration around 2019, prompted by concerns that adversaries were exploiting contractors to steal sensitive data. The original model featured five maturity levels graded by the sensitivity of work performed. In 2021, the Biden administration reworked the program into CMMC 2.0, collapsing the five levels into three and seeking to simplify compliance while retaining core security objectives. Phase II, now suspended, required both self‑assessments and third‑party evaluations every three years for levels II and III.
What Phase II Required and Why It Was Targeted
Under CMMC Phase II, contractors handling controlled unclassified information (CUI) had to undergo periodic third‑party audits in addition to internal self‑assessments. These audits were intended to verify that companies implemented the necessary cybersecurity controls consistently. The Pentagon identified this dual‑assessment requirement as the primary source of administrative overhead, especially for smaller firms lacking dedicated compliance staff or resources to engage external assessors regularly.
Scarcity of Qualified Assessors Creates a Compliance Bottleneck
Kirsten Davies highlighted a stark mismatch between demand and supply: more than 100,000 DIB businesses still needed third‑party assessments, yet fewer than 150 qualified assessors are available nationwide. This imbalance makes it practically impossible for many small‑ and medium‑sized firms to achieve compliance by the former November 10, 2026 deadline. The memo notes that the shortage would have produced a massive backlog, undermining the very goal of expanding the industrial base.
Task Force to Review CMMC and Maintain Baseline Standards
To address these challenges, the Pentagon will launch a task force charged with conducting a comprehensive review of CMMC over the next 60 days. The group will synthesize public request‑for‑information feedback, identify compliance pain points, and recommend realistic measures that prioritize speed to capability and lower barriers for small and non‑traditional entrants. During the review period, baseline cybersecurity will continue to be enforced via NIST SP 800‑171 Rev 2 self‑assessments, which focus on tangible cyber hygiene rather than the administrative overhead of third‑party audits.
Officials Reassure That Cybersecurity Remains Intact
Both Davies and Michael Duffey, Undersecretary of Defense for Acquisition and Sustainment, emphasized that the suspension does not relax any cybersecurity standards. Duffey stated that businesses must still adhere to the NIST‑outlined requirements; the change merely eliminates the bureaucratic layer of third‑party assessments. He affirmed that the department expects contractors to maintain the same level of protection for federal data, ensuring that the security posture of the supply chain is not compromised.
Industry Reaction and Critique from CMMC’s Architect
The decision has been welcomed by many defense firms, especially small businesses that have long argued the CMMC regimen created prohibitive obstacles to competing for contracts. Conversely, Katie Arrington—widely regarded as the architect of the original CMMC during the Trump administration—criticized the move, asserting that companies complaining about CMMC’s difficulty are ignoring their existing obligations under NIST SP 800‑171. She contended that firms have been contracted since 2014 to meet those 110 requirements and that claiming non‑compliance is misguided. Her remarks underscore the ongoing tension between streamlining procurement and ensuring rigorous cybersecurity across the defense supply chain.

