← Back to Military
Pentagon Suspends Cybersecurity Certification Phase 2, Launches Review Amid Criticisms
Military Jul 13, 2026

Pentagon Suspends Cybersecurity Certification Phase 2, Launches Review Amid Criticisms

The Department of Defense has suspended the second phase of its Cybersecurity Maturity Model Certification (CMMC) program, a move aimed at addressing concerns over compliance costs and bureaucratic burdens. The decision was announced by DOD Chief Information Officer Kirsten Davies on Monday, marking a significant shift in the department's approach to cybersecurity standards for contractors.

Phase 2 of CMMC, which was set to commence on November 10th, would have required third-party certifications from defense industry suppliers. However, the Pentagon has decided to maintain Phase 1 requirements, which involve self-assessments by companies regarding their protection of controlled unclassified information (CUI). This decision comes after a period during which CMMC faced criticism for its complexity and financial impact on small businesses.

The suspension of Phase 2 is part of a broader review process initiated by the department to ensure that future cybersecurity measures align better with Secretary Pete Hegseth’s acquisition initiatives. These initiatives emphasize speed, efficiency, and reducing barriers for new entrants into the defense industrial base (DIB). The aim is to streamline bureaucratic compliance procedures in favor of more resilient and scalable cybersecurity practices.

The CMMC program was originally conceived during the Trump administration as a means to enhance cyber and supply chain security within the DIB. It underwent revisions under the Biden administration, with the goal of further refining its standards. However, recent feedback from industry participants indicated that the certification process had become overly cumbersome and costly, leading some companies to exit the defense market altogether.

In response to these concerns, the Department of Defense has established a CMMC Reform Task Force tasked with conducting an extensive review of the program over the next 60 days. The task force will gather input from industry stakeholders through a Request for Information (RFI) posted on SAM.gov, seeking detailed feedback on various aspects of the current cybersecurity framework.

The RFI invites companies to comment on cost drivers associated with CMMC compliance, administrative burdens faced by businesses, and the effectiveness of specific National Institute of Standards and Technology (NIST) 800-171 security controls in mitigating risks. Additionally, DOD is interested in understanding how companies are currently utilizing commercial cybersecurity tools and managed services and whether these measures should be recognized within a compliance framework instead of requiring separate assessments.

Michael Duffey, the undersecretary for acquisition and sustainment at DOD, emphasized that the suspension ensures maintenance of strict security baselines while reducing unnecessary regulatory overhead. This approach is intended to foster innovation and competition in the defense supply chain by alleviating financial pressures on smaller firms.

The department's actions reflect a broader trend toward balancing stringent cybersecurity requirements with practical considerations for industry efficiency and growth. By suspending Phase 2 and initiating this review, DOD aims to create a more adaptable and responsive framework that better serves both national security interests and the needs of defense contractors.

← Back to Military