Pentagon Pauses CMMC Phase 2 as Defense Contractors Face New Compliance Uncertainty
- 35 minutes ago
- 6 min read
The Pentagon has halted the next stage of its Cybersecurity Maturity Model Certification rollout, delaying a major expansion of independent cybersecurity audits for companies working across the defense supply chain.
The Defense Department announced July 13 that it is suspending CMMC Phase 2, which had been scheduled to begin November 10, 2026. The phase would have significantly increased the number of contracts requiring assessments conducted by certified third-party organizations.
Phase 1 remains active, meaning contractors covered by the program may still be required to complete CMMC self-assessments and affirm that their systems comply with applicable cybersecurity requirements.
The pause is accompanied by a 60-day review that could reshape a program the Pentagon spent years developing. A newly established CMMC Reform Task Force will examine the cost, structure and assessment model of the certification regime before making recommendations to Defense Department leadership.
The Pentagon said the review will explore alternatives that preserve cybersecurity protections while reducing costs and barriers for small, medium-sized and nontraditional defense contractors. Pending and future implementation milestones have also been suspended until further notice.
CMMC audits paused, but security rules remain
The practical effect is a temporary return to a system that relies more heavily on contractor attestations and selected government assessments.
That does not mean companies handling controlled unclassified information, commonly known as CUI, can stop implementing security controls.
Defense contractors subject to DFARS clause 252.204-7012 must continue protecting covered defense information and implementing the applicable requirements of NIST Special Publication 800-171. The clause also includes cyber incident reporting, evidence preservation and subcontractor obligations.
CMMC’s contracting rules similarly require contractors to maintain an appropriate security status for systems that process, store or transmit federal contract information or CUI. Companies must also submit annual affirmations of continuous compliance through the Supplier Performance Risk System.
Jared Shepard, CEO of secure mobility company Hypori, said the Pentagon’s decision changes the verification process, not the underlying responsibility to protect defense information.
“CMMC Phase II is paused, not the underlying law. Your CUI safeguarding obligations under DFARS and NIST 800-171 are unchanged. What was suspended is Phase II, the requirement for an independent third-party assessor to verify Level 2 compliance. Contractors handling CUI still have to comply with the same 110 controls. They’re just grading their own homework again instead of having a third party check it, for now, during a stated 60-day review period.”
Shepard warned that eliminating an independent assessment may actually increase the risks associated with inaccurate compliance claims.
“This reduces the audit burden. It does not reduce the legal exposure, arguably the opposite. Without a C3PAO validating your work, a false self-attestation becomes the fact pattern DOJ’s Civil Cyber-Fraud Initiative was built for. Removing the external check doesn’t remove the underlying obligation. It removes the safety net of ‘at least a third party would have caught it before it became fraud.’”
Pentagon says CMMC is pushing suppliers away
The review reflects longstanding concerns that certification expenses and a shortage of authorized assessors could exclude smaller companies from defense contracts.
In a memo ordering the review, Defense Department Chief Information Officer Kirsten Davies described the current CMMC framework as a potentially prohibitive burden for small and nontraditional businesses.
“The current iteration of the Cybersecurity Maturity Model Certification (CMMC) program, while intended to enhance security, imposes significant and often prohibitive burdens on the Defense Industrial Base (DIB), particularly the small and non-traditional businesses that are the engine of American innovation,” Davies wrote. “While cybersecurity is essential, administrative compliance cannot come at the cost of warfighting capability and industrial base growth.”
The Pentagon said it wants a cybersecurity model that can scale across a diverse supplier ecosystem without discouraging commercial technology companies, startups and specialized manufacturers from pursuing defense work.
Davies said feedback received by the department indicates the existing framework may conflict with efforts to expand and modernize the defense industrial base.
“The combination of prohibitive compliance costs, severe shortages in third-party assessment capacity, and complex regulatory timelines is actively forcing innovative new entrants and small businesses to opt out of [DoD] contracts and freezing critical suppliers out of the market,” Davies wrote.
The task force has been directed to develop recommendations that lower barriers while replacing what the Pentagon characterized as expensive, inflexible compliance mechanisms with more scalable security controls.
During the review, the department said it will rely on self-assessments and selected government-led evaluations, with greater emphasis on measurable security practices rather than certification paperwork.
Self-attestation creates False Claims Act risk
The return to self-assessment is likely to attract scrutiny because contractor cybersecurity attestations have already become a major federal enforcement issue.
Justin Beals, CEO and founder of compliance automation company Strike Graph, said the suspension should not be interpreted as a broader retreat from defense cybersecurity requirements.
“This isn't a security stand-down. It's a stand-down on who checks your homework. Phase I self-assessment stays in place, but the third-party verification that would catch a bad self-assessment doesn't.”
Beals pointed to the potential personal and corporate consequences of affirming compliance without sufficient evidence.
“That matters because DFARS 252.204-7012 and 252.204-7021 didn't go anywhere. Affirming officials are still personally exposed under the False Claims Act for a compliance claim nobody independently verified, the exact gap that produced the $4.6 million MORSECORP settlement.”
The Justice Department announced that settlement in March 2025 after alleging that defense contractor MORSECORP submitted claims while failing to meet cybersecurity requirements in Army and Air Force contracts. Prosecutors said the company reported a NIST SP 800-171 assessment score of 104 in 2021, although a later review by a cybersecurity consultant calculated its actual score at negative 142.
The case illustrates why contractors should not treat the absence of an external auditor as proof that their compliance posture will never be examined. A cyber incident, whistleblower complaint, acquisition review or government investigation could still expose gaps between an organization’s representations and its actual security controls.
“Companies that treat this suspension as permission to stop building evidence will be the ones exposed when the Reform Task Force's review lands in 60 days, or when an incident forces the question first,” Beals said. “Self-attestation was never the finish line. It was always a claim waiting to be tested.”
Reducing the CUI boundary becomes more important
The CMMC pause may also intensify efforts by contractors to reduce the number of systems, employees and vendors that handle sensitive defense information.
Organizations can limit their compliance scope by isolating CUI inside controlled environments rather than allowing it to spread across general corporate systems. A smaller CUI boundary can reduce the number of devices, applications and processes that must satisfy NIST SP 800-171 requirements.
“Reducing your CUI boundary is now more valuable, not less,” Shepard said. “In a self-attestation environment, being able to narrow what you even have to attest to is more valuable, not less. Fewer controls to self-certify accurately means less surface area for an FCA claim to attach to.”
That approach does not eliminate compliance duties, but it may make them easier to document and defend.
Contractors should expect the Pentagon’s review to examine whether third-party assessments should be narrowed, replaced or reserved for companies supporting higher-risk programs. The task force may also recommend more government-led assessments, revised thresholds or alternative technical validation mechanisms.
Another reset for the CMMC program
CMMC was created after years of government audits found that many defense contractors were not consistently implementing cybersecurity protections they had agreed to follow.
The original model sought to replace widespread self-attestation with independent certification. It was later paused in 2021 after industry groups and small businesses raised concerns about cost and complexity.
That review produced CMMC 2.0, a streamlined version with fewer maturity levels and a mix of self-assessments, third-party evaluations and government assessments. Final contracting requirements began taking effect in November 2025 through a phased rollout.
The latest suspension places the program’s central enforcement mechanism back under examination just as contractors and assessment organizations were preparing for broader adoption.
For defense companies, the safest assumption is that CMMC’s paperwork and audit model may change, but the obligation to protect government information will remain.
The Pentagon’s next decision will determine whether independent certification continues as the centerpiece of contractor cybersecurity enforcement or becomes one component of a more flexible, risk-based system. Until then, companies that handle CUI must continue implementing NIST SP 800-171, preserving compliance evidence and ensuring that every cybersecurity affirmation can survive scrutiny.