Pentagon Suspends CMMC Phase II Plans, Cites Concerns With Compliance ‘Burdens’

Pentagon CIO Kirsten Davies delivers remarks at a CIO town hall at the Mark Center in Alexandria Virginia, on Feb. 10, 2026. (DoD photo by U.S. Navy Petty Officer 1st Class Alexander Kubitza)

The Pentagon announced Monday it is suspending planned implementation of the next Cybersecurity Maturity Model Certification (CMMC) phase, which included third-party audits, as it reviews the future of the program.

While current Phase I requirements for industry to self-assess for cyber security compliance will remain in place, Pentagon officials said the costs and bureaucratic burdens associated with current CMMC plans were deterring some small businesses and newer defense entrants from pursuing contracts with the department.

“While the original intent of CMMC was to strengthen the cyber security of the DIB, the research is illuminating that it is instead creating costly bureaucratic burdens, which are resulting in innovative small, medium and non-traditional businesses having to choose between completing paperwork and paying for assessments or exiting the defense base altogether. This is simply not acceptable,” Kirsten Davies, the Pentagon’s chief information officer, told reporters.

“This is not achieving what it was intended to achieve, and so we need to think differently about it,” Davies added.

CMMC is the Pentagon’s program for setting cyber security contracting standards, with the department first rolling out the initiative in 2019 before it moved to a “2.0” model in 2021 aimed at addressing cost and complexity concerns by reducing the number of tiers of compliance from five to three and allowing for more self-assessment opportunities on certain types of programs (Defense Daily, Nov. 4, 2021).

However, a memo signed on Monday by Davies and Michael Duffey, the department’s acquisition chief, states that the current iteration of CMMC “imposes significant and often prohibitive burdens,” especially for small and non-traditional businesses, and that it’s “structurally incompatible” with the efforts to expand the defense industrial base.

“The combination of prohibitive compliance costs, severe shortages in third-party assessment capacity and complex regulatory timelines is actively forcing innovative new entrants and small businesses to opt out of [Pentagon] contracts and freezing critical suppliers out of the market,” the memo states.

Duffey said he has “no doubt” that CMMC and the planned Phase II requirements had kept some companies from competing for contracts.

A recent Small Business Administration survey with small to medium-sized businesses provided data that backed up concerns with CMMC’s potential impact, according to Davies, to include highlighting “significant duplicative overlap” with existing regulatory requirements for the handling of federal data.

“The data we are seeing, including recent reports from the Small Business Administration, the SBA, makes one thing clear: the current CMMC requirements, including the future planned requirements, are creating prohibitive compliance costs and unacceptable bureaucratic burdens, especially to small businesses,” Davies said. “We will not allow duplicative and ineffective administrative hurdles to delay the delivery of critical capabilities to our warfighters.”

“It is anticipated that moving on into the future phases of the CMMC implementation was going to cost over $7 billion per annum for small to medium-sized businesses to get compliant with those,” she added.

Davies noted that over 100,000 defense firms still needed to complete a third-party cyber security assessment to comply with Phase II requirements, while just over 100 assessors were available to conduct those audits.

“So the math just simply doesn’t math for small to medium-sized businesses to even get compliance by the [former] transition date, which [was] November,” Davies said. “The research is showing us that there are not enough assessors to meet the demand of the industry.”

The memo states that, effective immediately, the Pentagon is suspending the planned transition into Phase II of CMMC on November 10 and has paused “pending and future CMMC implementation milestones across solicitations and contracts.”

“We are halting complex audits. We are stopping the requirement for third-party assessors and audits. Instead, we are establishing a pragmatic, secure baseline, enforcing proven NIST cyber security standards through simplified Level One and Level Two self-assessments,” Duffey said.

Duffey said the Pentagon will on “cleaning up active solicitations immediately” for those contracts that had CMMC Phase II compliance built into requirements.

“If a current defense solicitation or contract contains those suspended Phase II requirements, I have directed our program managers and contracting officers to amend or modify them as soon as possible to remove the burden,” Duffey added.

60 Day Review

The Pentagon is establishing a CMMC Reform Task Force to conduct a 60-day review of the program, noting a goal for “replacing bureaucratic compliance with scalable, resilient cyber security measures.”

A Request for Information will be published to gather industry’s feedback on cyber security compliance measures for contracting, which the task force will use to inform a final report with recommendations to Davies.

During the interim period as the review gets underway, the Pentagon confirmed it will continue to enforce cyber security compliance with the NIST SP 800-171 Rev 2 standard “through self-assessments and select government-led assessments, focusing on tangible cyber hygiene rather than administrative overhead.”

“I want to be clear, across the Department of War and our defense industrial base, investing in and dynamically maintaining robust cyber security remains a critical,  non-negotiable priority. This action does not eliminate the legal requirement for our industry partners to protect federal data. First of all, Phase I self-assessment requirements remain firmly in place. Second, we will continue to enforce compliance with the NIST SP 800-171 Rev 2 standard, focusing on tangible cyber hygiene rather than administrative overhead. And third, all defense contractors and subcontractors remain contractually obligated to safeguard covered defense information under existing DFARS requirements,” Davies told reporters.

“What we’re doing is reducing this red tape burden of simply having a check-the-box exercise of compliance. But the self-assessment is actually still quite valid for companies to be seeing where they stand in basic cyber hygiene because that keeps them in business,” she added.

Davies noted that the non-profit CMMC Accreditation Body, which certifies third-party auditors, had not been informed of the memo as of its public release on Monday afternoon.

“So my phone will be very busy for the rest of the day,” Davies said.

Davies also addressed potential for pushback by those firms that have invested resources to get after meeting the now-suspended CMMC Phase II compliance requirements.

“Every dollar spent on security is a wise dollar spent. And so, those who have been forward-leaning in uplifting their cyber posture, in assessing what their posture is and doing something about it, they have contributed to national security. They’ve contributed to the operational resiliency of their own company. That is not money that is spent in vain,” she said.

This story was first published by Defense Daily