"In support of Secretary Pete Hegseth's directive to reduce compliance barriers for small and medium sized businesses, we are today suspending the CMMC Phase II requirements and initiating a 60-day study of the future of this program," said DOD Chief Information Officer Kirsten Davies.
What the Pentagon announced
The Department of Defense has suspended Phase 2 of the Cybersecurity Maturity Model Certification (CMMC) program and launched a 60-day review of the program's future. The department will keep Phase 1 in place — which requires self-assessments documenting how companies protect controlled unclassified information in their systems — but will not move forward with Phase 2 requirements that were scheduled to begin on Nov. 10. Phase 3, which was to begin in November 2027, and Phase 4 for full implementation are also suspended.
Reasons cited: costs, bureaucracy, and supply‑chain impacts
In its announcement, DOD said it was responding to complaints that CMMC was increasing compliance costs and adding bureaucratic burdens. The department noted a Small Business Administration report that CMMC compliance had caused some companies to leave the defense industrial base, a dynamic that DOD said is delaying the deliveries of critical capabilities to operators. DOD framed the move as aligning with Defense Secretary Pete Hegseth’s acquisition initiatives, which prioritize speed and lowering barriers for new entrants, and with broader Acquisition Transformation System directives aimed at replacing bureaucratic compliance with “scalable, resilient cybersecurity measures.”
What will remain and what will change in assessments
With Phase 2 suspended, DOD will rely on self-assessments and “select government-led assessments” to maintain oversight of contractor cybersecurity. The department emphasized that cybersecurity and operational resilience remain critical priorities even as it seeks to “reduce unnecessary government red tape,” according to Kirsten Davies. DOD said Davies made the decision to suspend Phase 2 and initiate the review.
Michael Duffey, defense undersecretary for acquisition and sustainment, described the decision this way: “The CIO's decision ensures we maintain a strict security baseline while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain.”
CMMC Reform Task Force and the request for information
DOD has formed a CMMC Reform Task Force to conduct the 60-day review. Part of the task force's role will be to review comments submitted in response to a request for information (RFI) the department posted the same day as the suspension announcement. The RFI asks companies to identify cost drivers and administrative burdens tied to CMMC compliance and to say which NIST 800-171 security controls deliver meaningful risk reduction.
The department also asked respondents to describe how they are already using commercial cybersecurity tools and managed services, and how DOD might recognize those commercial solutions in a compliance framework instead of requiring separate assessments. Responses to the RFI are due Aug. 14.
What this means for small and medium-sized businesses, technologists and security teams, and acquisition officials
- Small and medium-sized businesses: The department cited concerns that CMMC compliance had driven some firms out of the defense industrial base and delayed deliveries. With Phase 2 suspended, these companies face a temporary reduction in third-party certification demands, while the 60-day study may reshape requirements that previously raised costs and barriers.
- Technologists and security teams: Phase 1 self-assessments will remain the baseline for protecting controlled unclassified information. Security teams will need to continue documenting protections under NIST 800-171 controls and may be asked to explain how commercial cybersecurity tools and managed services are already being used and could be recognized in any revised framework.
- Acquisition and procurement officials: The suspension was cast as an alignment with acquisition priorities that emphasize speed and lowering barriers for new entrants. Officials involved in contracting and acquisition will be watching the task force review and the RFI responses for guidance on replacing “bureaucratic compliance” with what DOD calls “scalable, resilient cybersecurity measures.”
The immediate, concrete next steps are the 60-day review led by the CMMC Reform Task Force and the RFI comment period that closes Aug. 14. The department has stated its intent to preserve a strict security baseline while re-examining third-party certification requirements that it says increased costs and drove firms away from the defense supply chain. How the department will formally recognize commercial cybersecurity tools and managed services — and which NIST 800-171 controls it will prioritize — are explicit subjects of the review and the RFI responses the task force will now consider.
Source: Defense One — DOD suspends CMMC Phase II, launches 60-day reform review




