Skip to main content
Compliance

Pentagon Hits Pause on Cybersecurity Certification Requirements

Partially constructed government facility with workers in background, symbolizing a pause or delay.

"Created prohibitive compliance costs and bureaucratic burdens," the Department said on July 13 in explaining why it halted the planned rollout of Cybersecurity Maturity Model Certification (CMMC) Phase II for defense contractors. The suspension pauses a major shift in how the Department of Defense (DoD) planned to verify cybersecurity practices across the defense industrial base (DIB) and launches a 60‑day internal review that could reshape enforcement and acquisition rules.

What the DoD announced and the immediate pause

The DoD announced it has suspended CMMC Phase II requirements that had been scheduled to take effect on November 10, 2026. The Department framed the move as necessary to allow for more innovation in the US defense industrial base and to address what it described as excessive compliance costs and bureaucratic burdens. The pause follows a July 13 statement and will be followed by a formal review led by a new CMMC Reform Task Force.

What Phase II would have required of contractors

CMMC Phase II was designed to move contractors handling controlled unclassified information (CUI) from self‑attestation to mandatory third‑party verification. Specifically, the requirements would have mandated independent assessments by Certified Third‑Party Assessment Organizations (C3PAOs) to verify compliance with the 110 security controls in NIST SP 800‑171. Under the DoD’s prior estimates, between 220,000 and 300,000 companies participate in the DIB, with roughly 80,000 expected to require Phase II assessments.

CMMC Reform Task Force, interim enforcement, and alignment with ATS

The DoD will establish a CMMC Reform Task Force to conduct a 60‑day, top‑to‑bottom review of the program. That review is explicitly meant to ensure alignment with Secretary of War Pete Hegseth's acquisition transformation system (ATS) strategy, including directives to lower barriers for small, medium and non‑traditional businesses and to "replace bureaucratic compliance with scalable, resilient cybersecurity measures." The Department’s CIO, A. Davies, will be responsible for putting together the task force and stated, "Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness. We believe the DIB can achieve both, while we reduce unnecessary government red tape."

During the interim period, the DoD said it will enforce cybersecurity compliance through NIST SP 800‑171 Rev 2 via continued self‑assessments and select government‑led assessments, "focusing on tangible cyber hygiene rather than administrative overhead."

What the suspension would have meant for the phased rollout

The suspended Phase II was only the second stage in a four‑phase CMMC schedule. Phase I allowed companies to self‑report compliance levels; Phase II would have required independent, third‑party verification. The DoD had planned Phase III to introduce CMMC Level 3 audits led directly by the DoD for the most sensitive contracts in November 2027, and Phase IV to require full CMMC compliance for all DoD contractors and subcontractors in November 2028. Those later phases now stand in question pending the task force review.

Expert reactions: university and consortium voices

Security compliance experts reacted quickly. Dave Schroeder, director of National Security Initiatives at the University of Wisconsin Madison, wrote on LinkedIn that because CMMC is a program to prove a firm’s compliance with NIST SP 800‑171 and DFARS 252.204‑7012, the likely reason behind the DoD action is that not enough contractors were ready to comply with Phase II by the November 10 deadline. Separately, Nelina Varenas, director and founding member of the KDM Consortium, emphasized in a LinkedIn article on July 14 that contractors should not interpret the delay as a reason to abandon compliance. She noted that "all CMMC Level 1 self‑assessment requirements remain in place" and called the suspension "valuable breathing room" to get cybersecurity practices right, concluding, "This is not the time to step back; it’s the time to ensure compliance is done right."

How the defense industrial base, the DoD, and security teams are likely to act

  • Defense industrial base companies: The DoD cited recent data, including reports from the Small Business Administration (SBA), saying CMMC compliance was forcing innovative companies out of the DIB and could delay delivery of capabilities. With Phase II paused, affected firms have more time to pursue NIST SP 800‑171 self‑assessments, but the DoD estimate that roughly 80,000 companies would have needed Phase II assessments remains a planning constraint.
  • The DoD and acquisition leaders: The Department will rely on the CMMC Reform Task Force’s 60‑day review to realign the program with the ATS directives, lower barriers for small and non‑traditional suppliers, and prioritize "tangible cyber hygiene" over administrative processes. A. Davies will lead task‑force formation and interim enforcement decisions.
  • Security compliance teams and advisors: Experts urged continued investment in compliance work despite the pause. The CyberSheath report from October 2025 — cited by the source — found only 1% of defense contractors felt fully prepared for Phase II audits, underscoring why many compliance teams will treat the suspension as a window for remediation rather than relaxation.

The DoD’s July 13 suspension moves a major verification step to the back burner while the Department rethinks how to balance security, cost and access to suppliers. The immediate question now is what the 60‑day CMMC Reform Task Force will recommend and whether future phases — including the DoD‑led Level 3 audits and universal compliance timelines slated for November 2027 and November 2028 — will be revised, delayed or replaced.

Original story