
Pentagon Halts Cybersecurity Requirements for CMMC Phase 2 Amid Industry Concerns
The Department of Defense has placed an immediate freeze on the upcoming cybersecurity requirements under the Cybersecurity Maturity Model Certification (CMMC) Phase 2, following research indicating that these regulations could drive many businesses out of the defense industrial base. This decision comes at a critical time when the U.S. military is in urgent need of innovation and support from contractors.
Defense Department Chief Information Officer Kirsten Davies and Under Secretary of Defense for Acquisition and Sustainment Michael Duffey announced plans to suspend CMMC Phase 2 requirements, which were scheduled to take effect on November 10th. A new CMMC Reform Task Force is expected to conduct a review of the entire program within the next two months.
This pause in enforcement comes as contractors have been actively preparing for compliance through third-party assessments ahead of the original implementation date. Davies emphasized that companies that proactively improved their cybersecurity posture would continue to contribute positively to national security, despite the temporary suspension of CMMC Phase 2 requirements.
The Pentagon intends to release a new request for information (RFI) to gather feedback from stakeholders on the move and associated compliance challenges. The task force will analyze these responses as part of its review process. This cross-functional team includes representatives from various departments such as Acquisition and Sustainment, Research and Engineering, Information Security, Legislative Affairs, Public Affairs, and Legal.
CMMC is a tiered cybersecurity framework designed to ensure that defense contractors properly handle sensitive data by implementing specific cyber controls defined by the National Institute of Standards and Technology (NIST). The program was introduced in 2019 under the Trump administration with the aim of preventing adversaries from exploiting Pentagon's sensitive information. However, CMMC faced significant backlash from the defense industry due to its perceived complexity and cost burden on vendors, particularly small businesses and new entrants.
In response to industry feedback, the Defense Department reorganized CMMC into what is known as CMMC 2.0. After a multi-year federal rulemaking process, the Pentagon began enforcing CMMC compliance in contracts starting November 2025. The original plan was to introduce requirements through a three-year implementation schedule, with Phase 1 focusing on self-assessments under Levels 1 and 2.
Phase 2 would have required companies to achieve Level 2 by passing an assessment from a Certified Third-Party Assessor Organization (C3PAO) in order to receive contract awards. However, concerns about the program's feasibility led to its suspension. During this interim period, DOD will enforce cybersecurity compliance through NIST Special Publication 800-171 Revision 2 standards using self-assessments and select government-led assessments.
Duffey emphasized that by pausing Phase 2 implementation, they aim to retain more companies in the defense industrial base at a time when their contributions are most needed. Davies clarified that this decision does not reduce cybersecurity measures but rather streamlines access for contractors to meet compliance without excessive red tape.
The readiness of the defense industry for CMMC has been a significant concern due to misconceptions about the program and delays in its implementation. A report from the Government Accountability Office published in March highlighted that the standards might prove too challenging and costly for some small businesses, potentially forcing them out of the market. This underscores the need for a balanced approach between enhancing cybersecurity measures and supporting industry sustainability.
The main challenge often lies not in adding new cybersecurity capabilities but in updating internal processes, cyber governance, or responsibilities to meet compliance requirements. By pausing Phase 2, DOD aims to address these concerns while ensuring that critical defense contractors remain operational and innovative during this transitional period.
Latest News





