Pentagon suspends CMMC phase two requirements, launches review of program | Federal News Network
.async-hide { opacity: 0 !important}
Listen Live
Listen
Schedule
Search
Search
Trending:
State Dept. hiring excludes former staff<br>Changes to discipline, firing for feds<br>What's next for sold fed buildings?
-->
Cybersecurity
Pentagon suspends CMMC phase two requirements, launches review of program
DoD CIO Kirsten Davies is suspending plans to ramp up CMMC third-party assessments, as part of a review that casts doubt on the future of the current program.
Justin Doubleday@jdoubledayWFED
July 13, 2026 4:39 pm
5 min read
The Pentagon is suspending the ramp up of new Cybersecurity Maturity Model Certification third-party assessment requirements, while also launching a sweeping review of the CMMC program that once again calls into question the future of the contractor cyber compliance regime.
In a July 13 announcement, the Defense Department said it is suspending plans to introduce phase two of the CMMC requirements. That would have involved DoD requiring third-party cybersecurity assessments across all contracts involving sensitive but unclassified information starting Nov. 10, 2026.
DoD says the phase one requirements for applicable contracts to require a CMMC self-assessment, which went into effect last November, remain in force.
But the Pentagon is now launching a 60-day, “top-to-bottom” review of the certification program, according to a July 13 memo signed out by DoD Chief Information Officer Kirsten Davies.
Join us July 21 – 23 for Federal News Network's Space & Satellite Exchange where government and industry leaders will discuss advancing connectivity, resilience and mission reach. Register today!
The memo suggests that the CMMC program, as currently planned, conflicts with Defense Secretary Pete Hegseth’s Acquisition Transformation System initiative’s focus on eliminating bureaucracy and enabling innovation.
“The current iteration of the Cybersecurity Maturity Model Certification (CMMC) program, while intended to enhance security, imposes significant and often prohibitive burdens on the Defense Industrial Base (DIB), particularly the small and non-traditional businesses that are the engine of American innovation,” Davies wrote. “While cybersecurity is essential, administrative compliance cannot come at the cost of warfighting capability and industrial base growth.”
Davies’ memo points to “recent data and feedback” that suggest “the current CMMC program is structurally incompatible with our need to rapidly expand the DIB.” The memo specifically references reports from the Small Business Administration, which has raised previously concerns about CMMC compliance costs.
“The combination of prohibitive compliance costs, severe shortages in third-party assessment capacity, and complex regulatory timelines is actively forcing innovative new entrants and small businesses to opt out of [DoD] contracts and freezing critical suppliers out of the market,” Davies wrote.
Davies has tasked the 60-day “CMMC Reform Task Force” with providing recommendations on a framework that “prioritizes speed to capability, lowers barriers for small, medium, and non-traditional businesses, and replaces prohibitive, third-party compliance models with scalable, realistic security measures.”
In addition to the previous November deadline for third-party assessments to ramp up, the memo suspends all pending and future CMMC milestones “until further notice.” DoD programs can continue including CMMC self-assessment requirements in contracts.
In advance of the November deadline, some DoD program offices had already begun requiring audits by CMMC third-party assessment organizations (C3PAOs).
Sign up for our daily newsletter so you never miss a beat on all things federal
During the suspension, DoD will continue using the self-assessments and select government-led assessments. Davies wrote that DoD will focus on “tangible cyber hygiene rather than third-party certifications and bureaucratic, high cost-imposing red tape.”
In a statement, SBA Administrator Kelly Loeffler applauded DoD’s decision.
“Working closely with the Department of War, the Trump SBA has heard directly from mission‑critical small businesses that CMMC compliance was becoming an untenable barrier pushing them out of the Defense Industrial Base, even though these firms are the backbone of national security," Loeffler said.
CMMC saga continues
The CMMC suspension and review are yet another unexpected twist in DoD’s yearslong effort to enforce contractor cyber standards.
Those efforts began nearly a decade ago, as inspector general audits and other reports revealed many defense contractors were not following the required standards, despite self-attesting to meting them. The Pentagon began developing the CMMC program during the first Trump administration under former acquisition official Katie Arrington.
The primary thrust behind CMMC is to use...