SBA Commends U.S. Department of War’s Suspension of CMMC Phase II for Small Defense Contractors
The department will keep Level 1 and Level 2 self-assessments in place while it reviews complaints that audit costs are driving suppliers away.
- On Monday, the Pentagon suspended the Phase 2 rollout of the Cybersecurity Maturity Model Certification program, originally scheduled for November 10, 2026, and launched a 60-day review of the certification regime.
- Defense Department Chief Information Officer Kirsten Davies initiated the pause after research suggested CMMC compliance forces innovative firms out of the Defense Industrial Base ; a newly formed CMMC Reform Task Force will deliver recommendations within 60 days.
- Small Business Administration data indicates compliance costs could exceed $7 billion annually, while more than 100,000 DIB companies would need assessments supported by only about 100 approved assessors. This mismatch created unsustainable barriers.
- During this suspension, the Defense Department will enforce cybersecurity compliance using NIST Special Publication 800-171 standards through self-assessments and government-led audits; officials did not rule out canceling the program entirely after the review concludes.
- Aligning with Defense Secretary Pete Hegseth's Acquisition Transformation System , the suspension prioritizes speed and reduces regulatory burdens on nontraditional companies. The review aims to replace prohibitive third-party models with scalable, realistic security measures.
22 Articles
22 Articles
Pentagon pauses the cyber audit rule that was pushing small suppliers out
The figure that seems to have finished the programme off is not a cost. It is a ratio: more than 100,000 companies in the American defence supply chain needing an independent cybersecurity audit, against roughly 100 accredited assessors licensed to carry one out. “So the math just simply doesn’t math,” Kirsten Davies, the Pentagon’s chief […] This story continues at The Next Web
Pentagon Pauses Cybersecurity Certification Program for Defense Contractors
The Pentagon has suspended the next phase of a cybersecurity certification program for defense contractors. This decision comes after concerns from industry executives that the requirements were excluding small suppliers from military contracts and limiting competition within the defense supply chain.
DOD halts cybersecurity requirements for CMMC Phase 2: ‘The math just simply doesn't math’
The Pentagon placed an immediate freeze on forthcoming cybersecurity requirements after government research suggested the policy would drive many businesses out of the defense industrial base at a time when the U.S. military urgently needs their innovations. Defense Department Chief Information Officer Kirsten Davies and Under Secretary of Defense for Acquisition and Sustainment Michael Duffey unveiled plans Monday to suspend the much-anticipate…
Pentagon pauses cyber audit rule blamed for supplier exits
WASHINGTON, July 13 : The Pentagon is suspending the next phase of a cybersecurity certification program for defense contractors, backing off a compliance requirement that industry executives had warned was pushing small suppliers out of military work and narrowing competition in the defense supply chain.The
DOD suspends CMMC Phase 2, launches 60-day ‘reform’ review
The Defense Department has essentially ended the Cybersecurity Maturity Model Certification program by suspending its second phase requirements. DOD is keeping in place Phase 1, which requires self-assessments for how companies protect controlled unclassified information in their systems. But DOD said Monday it is suspending Phase 2, which was to begin on Nov. 10 and requires third-party certifications. DOD is also launching a review of CMMC to …
Coverage Details
Bias Distribution
- 82% of the sources are Center
Factuality
To view factuality data please Upgrade to Premium











