The Department of War has put a temporary halt to the mandatory third-party assessment requirement for CMMC Phase 2. This decision stems from concerns that scaling the assessor ecosystem to meet demand is unfeasible and that compliance costs are excluding smaller firms from the defense industry.
CMMC Reform Task Force to Review Program
A newly established CMMC Reform Task Force will conduct a 60-day review of the program. The task force aims to gather industry feedback and submit recommendations by mid-September. This pause affects only the independent verification process, leaving Phase 1 self-assessment requirements and the obligation to protect controlled unclassified information (CUI) intact.
Industry Perspectives on the Suspension
Industry leaders recognize that, while the third-party audit is paused, the legal duty to safeguard CUI remains. The suspension has prompted discussions on whether assessments should be streamlined, automated, or largely maintained. Some experts warn that self-attestation without verification could lead to increased False Claims Act exposure.
Abdie Mohamed of NR Labs notes that Phase 1 obligations persist and highlights previous settlements resulting from discrepancies between self-reported compliance scores and actual findings. Mohamed expresses concern about the interim reliance on self-attestation without third-party audits.
Potential Changes and Implications
Chris Nyhuis of Vigilant supports the pause, arguing it addresses economic barriers that hinder rapid innovation in defense. Nyhuis cautions that while the audit regime has been paused, the underlying security requirements have not changed. The emphasis on self-attestation focuses on protecting national interests, but critics warn of potential compliance risks without third-party checks.
Ned Butler from Redspin suggests that the real costs lie in implementing the NIST SP 800-171 requirements. He advocates for structural adjustments, such as allowing contractors to manage transitions internally after mergers, rather than requiring full recertification.
Future Outlook for CMMC Compliance
While the suspension provides a temporary reprieve, it underscores the need for contractors to maintain rigorous cybersecurity practices. Organizations are advised to use this period to address technical gaps and enhance readiness. The review is expected to yield a refined CMMC framework that balances compliance with operational feasibility.
Defense contractors must remain vigilant, as the broader cybersecurity threat landscape continues to evolve. The Department of War’s review may lead to significant changes in the approach to verifying compliance with CMMC standards.
