The Pentagon has decided to halt the implementation of Phase 2 of the Cybersecurity Maturity Model Certification (CMMC), initially planned for November, to undergo a thorough 60-day evaluation of the entire framework.
Reasons for the Suspension
Kirsten Davies, the Chief Information Officer at the Department of War, announced that this decision aims to remove bureaucratic barriers without compromising the level of cybersecurity required from contractors. Despite this suspension, contractors are still obligated to adhere to Phase 1 requirements and other existing regulations concerning the management of government information.
A new task force dedicated to CMMC review and reform will engage with industry stakeholders to gather feedback. This initiative seeks to propose simplified security measures that would expedite the contracting process, particularly benefiting small and nontraditional businesses.
Impact on Defense Contractors
According to Undersecretary of War for Acquisition and Sustainment Michael Duffey, the suspension is crucial to prevent smaller manufacturers from being excluded from defense contracts due to high compliance costs. The CMMC establishes a framework for ensuring companies dealing with government data meet essential cybersecurity standards before securing defense contracts.
The program also impacts contractors and subcontractors handling federal contract information or controlled unclassified information, irrespective of their size.
Future of CMMC Implementation
Originally, CMMC 2.0 had streamlined the certification process, reducing it from five levels to three. Level 1 addresses the protection of federal contract information, Level 2 aligns with NIST 800-171 for controlled unclassified information, and Level 3 focuses on safeguarding critical data against advanced persistent threats.
The rollout began on November 10, 2025, with initial phases requiring Level 1 and Level 2 self-assessments. Phase 2, slated for November 10, 2026, was to include Level 2 third-party certification assessments for new contracts but has been postponed due to a shortage of certified assessors.
The third phase, planned for November 2027, would introduce Level 3 certification, while the final phase aims for full integration into applicable contracts by 2028.
This strategic pause allows for a reassessment of the framework, ensuring that it remains effective and inclusive for all defense contractors.
