Pentagon Suspends CMMC Phase 2 as It Revises Contractor Cybersecurity Rules

www.news4hackers.com-pentagon-suspends-cmmc-phase-2-as-it-revises-contractor-cybersecurity-rules-pentagon-suspends-cmmc-phase-2-as-it-revises-contractor-cybersecurity-rules

The Department of War halts CMMC Phase 2 implementation to review program structure and address challenges for smaller contractors.

Pentagon Halts CMMC Phase 2 Implementation

The Department of War has paused the implementation of Phase 2 requirements for the Cybersecurity Maturity Model Certification (CMMC) framework, initiating a 60-day evaluation of the program’s structure and execution. This decision follows concerns about administrative inefficiencies and the need to address challenges faced by smaller contractors. Officials emphasized that the pause does not compromise cybersecurity standards but aims to streamline processes while maintaining compliance with existing regulations for handling sensitive government data.

Review and Reform Task Force

A newly established CMMC review and reform task force will gather input from industry stakeholders to propose adjustments that reduce compliance burdens for small and nontraditional businesses. The initiative aligns with broader efforts to enhance the efficiency of defense contracting while ensuring robust cybersecurity measures remain in place.

Kirsten Davies, the Department of War’s Chief Information Officer, stated that the action is designed to eliminate bureaucratic hurdles without diminishing the importance of cybersecurity. She reiterated that contractors must continue meeting Phase 1 requirements and adhering to current guidelines for protecting federal contract information (FCI) and controlled unclassified information (CUI).

CMMC Framework Overview

Michael Duffey, Undersecretary of War for Acquisition and Sustainment, highlighted that the pause is necessary to prevent smaller manufacturers from being excluded from defense contracts due to compliance costs. The CMMC framework, which verifies that companies handling government data meet baseline security standards, was restructured in 2025 to simplify its original five-level system into three tiers.

Phase Details and Certification Requirements

Level 1 focuses on FCI protection, Level 2 requires adherence to NIST 800-171 standards for CUI, and Level 3 addresses advanced persistent threats targeting critical CUI. Phase 1 of the revised framework, implemented in November 2025, mandated self-assessments for Levels 1 and 2. Phase 2, originally scheduled for November 2026, would have required third-party certification for Level 2 contracts. However, officials cited a shortage of approved assessors as a key factor in delaying the timeline.

Phase 3, set for November 2027, would introduce Level 3 certification requirements, with full implementation across all applicable contracts expected by 2028. The review process will assess the feasibility of scaling back certain requirements to accelerate contract approvals while maintaining security thresholds.

Commitment to Cybersecurity and Industry Feedback

Officials stressed that the Department of War remains committed to prioritizing cybersecurity as a nonnegotiable component of its operations. The decision comes amid ongoing scrutiny of the CMMC program’s impact on small businesses and its ability to adapt to evolving threats. The task force’s recommendations will inform potential modifications to the framework, ensuring it balances security needs with operational efficiency.

The pause allows time to address gaps in the certification process and ensure the program remains viable for all contractors. Officials noted that the review will focus on aligning the CMMC with industry feedback to foster broader participation in defense contracting. The Department of War reiterated its commitment to strengthening the defense industrial base while upholding rigorous cybersecurity protocols.

Future Implications

The outcome of the review will shape the future of the CMMC framework, influencing how contractors navigate compliance requirements in the coming years.



About Author

en_USEnglish