Pentagon Halts CMMC Phase 2: Industry Reactions and Next Steps
The DoD has paused CMMC Phase 2, halting mandatory third-party assessments for contractors handling controlled unclassified information.
CMMC Phase 2 Suspension
The Department of Defense has paused the implementation of CMMC Phase 2, halting mandatory third-party assessments for contractors handling controlled unclassified information. The decision follows concerns that the current assessor ecosystem lacks capacity to meet demand and that compliance costs threaten the viability of small and mid-sized firms within the defense industrial base.
A newly established CMMC Reform Task Force will evaluate the program over 60 days, gathering input from stakeholders and proposing adjustments by mid-September. Notably, the suspension applies exclusively to independent verification processes, leaving Phase 1 self-assessments, SPRS score submissions, and the DFARS 252.204-7012 requirement to protect CUI unchanged.
Industry experts emphasize that while third-party audits are suspended, the legal obligation to safeguard CUI remains in effect. This creates potential exposure under the False Claims Act, as self-attestation without verification could lead to penalties if discrepancies are later discovered.
Multiple settlements involving contractors such as Aerojet Rocketdyne, Raytheon, and MORSE Corp highlight precedents where self-reported compliance failed to align with actual implementation.
The pause has sparked debate over whether to scale back assessments, automate processes, or maintain existing frameworks.
Stakeholder Reactions
Abdie Mohamed, GRC Engineering Lead at NR Labs, notes that Phase 1 requirements persist, requiring contractors to self-assess against 110 NIST 800-171 controls and submit scores to SPRS. He warns that the absence of third-party validation increases the risk of False Claims Act violations, citing historical cases where audits uncovered gaps between self-reported and actual compliance.
Chris Nyhuis, CEO of Vigilant, argues the suspension addresses systemic inefficiencies in the audit process. He emphasizes that the pause allows small defense contractors to avoid prolonged compliance delays, which could hinder their ability to compete for federal contracts. However, he cautions that self-attestation without oversight risks creating a “fast lie” scenario, where companies prioritize speed over security.
Ned Butler, Manager of CMMC Services at Redspin, clarifies that the costs associated with CMMC assessments are comparable to other certification frameworks like PCI or HITRUST. He attributes industry complaints about high compliance costs to the underlying requirements of DFARS 252.204-7012, which mandate NIST 800-171 implementation.
Robert Teague, VP of CMMC Services at Redspin, highlights that small and mid-sized contractors have successfully navigated CMMC assessments, with 79 of 150 completed assessments involving organizations with fewer than 600 employees. He disputes claims of insufficient assessor capacity, citing over 100 authorized C3PAOs and thousands of certified professionals.
Chetrice Romero, Senior Cybersecurity Advisor at Ice Miller, stresses that CMMC is not merely a compliance exercise but a framework for building organizational resilience. She advises contractors to prioritize understanding their CUI landscape and aligning security strategies with business operations.
Emil Sayegh, CEO of CyberSheath, warns that the absence of third-party verification increases exposure to legal risks under the False Claims Act. He notes that government investigations could later validate or invalidate self-reported compliance, with severe financial and reputational consequences.
Frank Balonis, Field CISO at Kiteworks, clarifies that the suspension does not alter the legal obligations tied to CUI protection. He highlights that SPRS scores, now the primary verification mechanism, remain subject to scrutiny under the Civil Cyber Fraud Initiative.
Michael Gruden, Partner at Steptoe, notes that the suspension reflects the challenges of implementing rigorous compliance requirements across the defense industrial base. He advises contractors to use the interim period to strengthen CUI governance and validate self-assessments.
Kate Growley, Partner at Crowell & Moring, observes that the suspension does not negate existing contractual obligations tied to NIST 800-171 implementation. She suggests that contractors can redirect resources from preparing for C3PAO assessments toward addressing unresolved compliance gaps.
Tyler Fordham, Director of Offensive Security at Dark Wolf, advocates for technical validation methods such as penetration testing and automated compliance tools to replace manual audits. He argues that automation could scale security verification while reducing costs for small businesses.
Austin Berglas, Global Head of Professional Services at BlueVoyant, reiterates that NIST 800-171 compliance is a longstanding requirement, with CMMC providing a structured verification process. He warns that the pause could lead to increased False Claims Act violations if contractors lower their security postures to inflate SPRS scores.
Conclusion
The CMMC Reform Task Force’s findings will shape the future of the program, with stakeholders urging a balanced approach that addresses capacity constraints while preserving security safeguards. The interim period offers an opportunity for contractors to strengthen their compliance posture, but the long-term success of CMMC will depend on resolving structural challenges and maintaining rigorous oversight.
“The pause has sparked debate over whether to scale back assessments, automate processes, or maintain existing frameworks.”
