BUSINESS
Pentagon Suspends CMMC Phase 2, Relieving Small Firms, Straining Assessors
The Pentagon suspended CMMC Phase 2 third-party cyber audits on July 13 and launched a 60-day review after citing a $7 billion compliance cost.
The Pentagon suspended its signature cybersecurity audit mandate for defense contractors on July 13, freezing Phase 2 of the Cybersecurity Maturity Model Certification (CMMC) program four months before it was due to take effect. Defense Department Chief Information Officer Kirsten Davies ordered a 60-day, top-to-bottom review of the entire program, the second time in five years the mandate has been paused and rewritten.
Davies said the numbers made the November deadline impossible to defend. Small business advocates who fought the mandate for years are celebrating. The assessor industry the Pentagon spent years accrediting just lost its reason to exist, at least for now.
What Did the Pentagon Actually Suspend?
The Pentagon suspended Phase 2 of CMMC, the rule requiring outside auditors, known as Certified Third-Party Assessor Organizations (C3PAOs), to certify that contractors handling sensitive but unclassified data met Level 2 standards set by the National Institute of Standards and Technology. Phase 1, which only requires companies to self-assess against those same standards, stays fully in force.
“I’m announcing the immediate suspension of the Cybersecurity Maturity Model Certification, or CMMC, Phase II requirements, which were originally scheduled to go into effect November 10, 2026,” Davies told reporters at the Pentagon. The Department of War made the suspension official the same day, pulling the third-party audit requirement out of active solicitations.
Michael Duffey, the undersecretary of defense for acquisition and sustainment, said program managers were told to strip the suspended language out of contracts right away. “We are cleaning up active solicitations immediately,” Duffey said. “If a current defense solicitation or contract contains those suspended phase two requirements, I have directed our program managers and contracting officers to amend or modify them as soon as possible.”
| Phase | Original Target Date | What It Required | Status After July 13 |
|---|---|---|---|
| Phase 1 | Nov. 10, 2025 | Self-assessment for Levels 1 and 2 | Remains in force |
| Phase 2 | Nov. 10, 2026 | Third-party C3PAO certification for Level 2 | Suspended indefinitely |
| Phase 3 | Nov. 2027 | Government-led assessments for Level 3 | Suspended indefinitely |
| Phase 4 | Full rollout | CMMC required across all applicable contracts | Suspended indefinitely |
Officials were careful to say the pause is about process, not standards. “We’re not relaxing any standards by any means,” Duffey said. “We expect businesses to adhere to the standards that NIST has outlined. What we’re removing is the bureaucracy of the third-party assessment.”
The Math Behind a Stalled Mandate
“So the math just simply doesn’t math for small to medium-sized businesses to even get compliant by the transition date,” Davies said. She put a number on the mismatch driving the decision: roughly 100 accredited assessors nationwide against more than 100,000 companies in the defense industrial base still needing a third-party review.
The suspension is a strange companion to the rest of the Pentagon’s supply chain posture this year. The same department relaxing cyber audits for its own contractors is simultaneously moving to blacklist Chinese suppliers like Alibaba and BYD from defense-adjacent business.
- $7 billion: what Davies said pushing into Phase 2 and beyond could have cost defense businesses annually in compliance approvals.
- About 100: the number of accredited third-party assessors available nationwide, against more than 100,000 companies still needing a check.
- 1 percent: the share of the defense industrial base an October 2025 CyberSheath report found was fully prepared for the CMMC final rule.
- 30 percent: the share of contractors that had completed a validated third-party check, versus 69 percent that had only self-certified, per the State of the DIB Report 2025.
A Government Accountability Office report published in March reached a similar conclusion, warning that the standards could prove too costly for some small businesses to meet and push them out of the defense industrial base entirely.
Small Businesses Get the Relief They Lobbied For
The Small Business Administration commended the suspension within hours, saying the third-party mandate had become a genuine threat to the pipeline of small firms the Pentagon says it needs most.
“Working closely with the Department of War, the Trump SBA has heard directly from mission-critical small businesses that CMMC compliance was becoming an untenable barrier pushing them out of the Defense Industrial Base, even though these firms are the backbone of national security,” said Kelly Loeffler, the Small Business Administration administrator.
Loeffler put a price tag on the burden: compliance costs approaching $600,000 for some small businesses, with more than 120,000 companies in the defense industrial base potentially affected had Phase 2 gone live as scheduled.
Davies’s own memo used similar language, describing small and non-traditional businesses as “the engine of American innovation” being squeezed by what she called a “compliance checklist” that had drifted from its original security goal.
The Army had already tried to soften the blow on its own, standing up a low-cost marketplace of digital compliance tools to help smaller firms meet CMMC standards ahead of Phase 2. It wasn’t enough to close the gap.
The Assessor Industry Wasn’t in the Room
Davies acknowledged that her office had not yet told the Cyber AB, the nonprofit accreditation body that oversees CMMC’s third-party assessors, about the suspension or the coming review before the news broke publicly. The organization that built the assessment network found out with everyone else.
That network took years to build. The Cyber AB accredits the C3PAOs, and ISACA, the technology governance group, was designated in December 2025 to train and certify the individual assessors who staff them. Each assessor clears a federal background check that alone can take six to eight months, time that is now effectively stranded.
Cybersecurity leaders had already flagged the assessor scarcity as a supply chain risk months before the Pentagon acted, warning the shortage carried national security stakes of its own.
“The U.S. Defense Industrial Base contributes nearly $450 billion annually to the U.S. economy,” said M. Dee Childs, associate vice president and special advisor to the CIO for regulated research at Clemson University. Delayed certification, she said, restricts access to work that fuels regional economies and research programs alike.
Three Resets in Seven Years
CMMC has now been paused or substantially rewritten three times since Katie Arrington, a former Pentagon acquisition official, began building it during the first Trump administration in 2019. Inspector general audits around that time found many contractors were not following required standards despite self-attesting that they did, which is the entire reason outside verification became the point of the program.
The first reset came in 2021, when the Biden administration paused the program for its own review after small businesses raised many of the same cost complaints Davies cited this month. The response then was to strip the framework down from five certification tiers to three and call it CMMC 2.0. A painstaking, multi-year rulemaking process followed before the final contracting rules took effect in November 2025, this time with a phased rollout meant to give industry room to prepare.
The people who built CMMC have mostly moved on. Arrington left government service in 2025. Stacey Bostjanick, another longtime program official, retired earlier this year. Davies was sworn in as the Pentagon’s chief information officer in December 2025, arriving from senior technology and cyber roles in the private sector.
She signaled the direction of this review months before signing the memo. “I can commit to you that is the lens through which I’m looking at CMMC,” Davies told the House Armed Services Committee in March, describing her approach as following Secretary Pete Hegseth’s directive “to reduce the regulatory burden and offer new entrants a shot at getting in and doing business with us.”
What the Reform Task Force Must Decide by September
Davies stood up a CMMC Reform Task Force the same day the suspension was announced. “It’s truly going to be a cross-functional team,” she said, describing a group pulling from across the department:
- Office of the Chief Information Officer
- Acquisition and Sustainment
- Research and Engineering
- Information and Security
- Legislative Affairs
- Public Affairs
- Legal
Companies have until Aug. 14 to respond to a new request for information asking what actually drives compliance costs, which of the 110 security controls meaningfully reduce risk, and whether commercial security tools and managed service providers could substitute for a formal audit. Counting 60 days from the July 13 announcement puts the task force’s final report around mid-September.
The same acquisition playbook has already reshaped other big Pentagon technology deals this year, including a $9.7 billion cloud computing contract awarded to Dell, part of a broader push under Hegseth’s Acquisition Transformation System to trade paperwork for speed.
None of that erases the legal exposure already on the books. Every contractor and subcontractor remains bound by Defense Federal Acquisition Regulation Supplement clause 252.204-7012 to safeguard covered defense information, and the Justice Department can still pursue False Claims Act cases over bad self-assessments under its Civil Cyber-Fraud Initiative. The audit mandate is gone for now. The paperwork obligation, and the liability that comes with getting it wrong, is not.
-
TECHNOLOGY3 years agoHow to Adjust a Bulova Watch Band – An Easy Guide
-
News3 years agoFred Pentland: Athletic Bilbao’s English mentor who changed the essence of Spanish football
-
FINANCE3 years agoTax Planning for Every Season: Guide to Maximizing Your Tax Benefits
-
Education3 years agoAfrican Ministers New Education Plan
-
BUSINESS3 years agoWhat is Entrepreneurial Operating System? A Comprehensive Guide to EOS
-
Education3 years agoInnovate Your Learning Journey with Technology and Enhance Education
-
News3 years agoRussians formally out of World Athletics Championships
-
BUSINESS3 years agoTop 9 Most Expensive American Cities to Rent an Apartment
