The Department of War has officially suspended the implementation of the Cybersecurity Maturity Model Certification (CMMC) phase two requirements, initiating a comprehensive 60-day program review. Originally scheduled to take effect this coming November, the pause aims to reevaluate contractor cybersecurity regulations without compromising national security. Officials emphasized that defense contractors must still adhere to phase one rules and existing guidelines concerning government information.
A newly established CMMC review and reform task force will gather industry feedback to streamline security measures, particularly to help small and non-traditional businesses navigate the procurement pipeline. Department of War CIO Kirsten Davies explained that this decision is intended to cut bureaucratic red tape while supporting efforts to accelerate warfighter readiness. Despite the temporary freeze, Davies reinforced that robust cybersecurity remains a non-negotiable priority across the defense industrial base.
Supporting this move, Michael Duffey, the Undersecretary of War for Acquisition and Sustainment, highlighted that the suspension is crucial to prevent smaller manufacturers from being priced out of defense contracts due to high compliance costs. The CMMC framework serves as a verification process ensuring that any business handling federal contract information (FCI) or controlled unclassified information (CUI) satisfies baseline security benchmarks before securing military contracts.
Under the streamlined CMMC 2.0 framework, cybersecurity requirements are divided into three tiers: Level 1 for basic FCI protection, Level 2 aligned with NIST 800-171 standards for CUI, and Level 3 for defending against advanced persistent threats. The phased rollout began in late 2025 with self-assessments, but the transition to Phase 2—which mandates third-party certifications for Level 2—has been halted. Officials acknowledged that a critical shortage of authorized third-party assessors made the November 2026 deadline impossible to meet.
The overall timeline for subsequent milestones will likely be adjusted depending on the results of the 60-day evaluation. Under the original schedule, phase three was slated to introduce Level 3 certification protocols in late 2027, culminating in complete implementation across all relevant defense contracts by 2028. The current review will determine how the Pentagon balances rigorous cybersecurity enforcement with a flexible, accessible supply chain.
Source: https://www.securityweek.com/pentagon-suspends-cmmc-phase-2-as-it-rethinks-contractor-cybersecurity-rules/


