The Pentagon is suspending Cybersecurity Maturity Model Certification (CMMC) phase two requirements that were set to take effect in November, pending a 60-day review of the entire program.
Kirsten Davies, CIO at the Department of War (formerly the Department of Defense), said the move clears bureaucratic obstacles without lowering the bar on cybersecurity, noting that contractors must still meet phase one requirements and existing regulations for handling government information.
A newly formed CMMC review and reform task force will collect industry feedback and then recommend scaled-back security measures to speed up contracting for small and nontraditional businesses.
“The Department of War is taking decisive action to clear bureaucratic roadblocks and revitalize our defense industrial base in support of Secretary of War Pete Hegseth’s directive to aggressively scale warfighter readiness,” said Davies, adding, “[But] I want to be clear, across the Department of War and our defense industrial base, investing in and dynamically maintaining robust cybersecurity remains a critical, nonnegotiable priority.”
Undersecretary of War for Acquisition and Sustainment Michael Duffey framed the pause as necessary to keep smaller manufacturers from being squeezed out of defense work by compliance costs.
The CMMC is a framework for verifying that companies handling government information meet baseline cybersecurity standards before they can win defense contracts. Contractors and subcontractors that process federal contract information (FCI) or controlled unclassified information (CUI) are subject to the framework, regardless of their size.
CMMC 2.0 streamlined the program from five levels to three: Level 1 covers protection of FCI, Level 2 covers CUI based on NIST 800-171, and Level 3 focuses on critical CUI against advanced persistent threats.
The rule took effect on November 10, 2025, kicking off a multi-year phased rollout, with phase one requiring Level 1 and Level 2 self-assessments. The second phase was set to start on November 10, 2026, and would require Level 2 third-party certification assessments for new contracts.
However, when announcing the changes on Monday, officials cited a shortage of approved third-party assessors as one reason the November deadline was no longer feasible.
Phase three, scheduled for November 2027, would introduce Level 3 certification requirements, while the fourth and final phase would bring full implementation across applicable contracts by 2028.
Related: UK Government Rolls Out Agentic AI Defense Plan Alongside Industry Pledge
Related: CISA Reportedly Using Anthropic’s Mythos to Scan Government Software for Flaws
Related: White House Issues Memo to Bolster NSS Cybersecurity

