Updated
Updated · DefenseScoop · Jul 13
Pentagon Freezes CMMC Phase 2, Orders 60-Day Review as 100,000 Firms Face 100 Assessors
Updated
Updated · DefenseScoop · Jul 13

Pentagon Freezes CMMC Phase 2, Orders 60-Day Review as 100,000 Firms Face 100 Assessors

3 articles · Updated · DefenseScoop · Jul 13

Summary

  • Nov. 10 Phase 2 enforcement was halted immediately, stopping the planned requirement that defense contractors pass third-party CMMC assessments to win certain contract awards.
  • A 60-day cross-department task force will review the entire program after Pentagon research and SBA feedback showed future phases could cost small and midsize firms more than $7 billion a year.
  • More than 100,000 defense industrial base companies would need third-party assessments, but only about 100 approved assessors are available, a mismatch officials said made the timeline unworkable.
  • Phase 1 self-assessments and select government-led checks under NIST SP 800-171 will continue during the pause, which officials said is meant to cut red tape rather than weaken cybersecurity.
  • The review could reshape CMMC 2.0 more broadly: Pentagon leaders said they will seek industry feedback through a new request for information and did not rule out canceling the program.

Insights

With costly audits scrapped, what is the Pentagon's new, faster model for securing the defense supply chain?
Does this pivot from security audits to 'reducing red tape' create new vulnerabilities for America's enemies to exploit?

Pentagon Suspends CMMC: 60-Day Review Aims to Lower Barriers and Reform Defense Cybersecurity Certification

Overview

On July 13, 2026, the Pentagon announced an immediate suspension and comprehensive review of the Cybersecurity Maturity Model Certification (CMMC) program due to growing concerns over high compliance costs and bureaucratic burdens. Reports showed these challenges were forcing innovative companies out of the defense industrial base, risking delays in delivering critical capabilities to warfighters. In response, the Department of Defense launched a 60-day, top-to-bottom review led by the newly established CMMC Reform Task Force. The goal is to recommend realistic security measures that lower barriers for small and non-traditional businesses while ensuring strong cybersecurity across the defense sector.

...