Pentagon. The Department of War has suspended the planned implementation of the CMMC program’s Phase II requirements.

Pentagon Suspends CMMC Phase II Requirements

  • DOW has suspended CMMC Phase II implementation requirements
  • The review will examine scalable cybersecurity approaches for the defense industrial base
  • POC will host two DOW summits this summer 

The Department of War has suspended the planned implementation of the Cybersecurity Maturity Model Certification, or CMMC, program’s Phase II requirements, which were scheduled to take effect on Nov. 10.

Pentagon Suspends CMMC Phase II Requirements

As DOW continues evaluating approaches to strengthen cybersecurity while accelerating access to emerging capabilities, government and industry leaders will discuss technology priorities shaping future missions at the Potomac Officers Club’s upcoming DOW events this summer. Sign up now for the 2026 Air and Space Summit on July 30 to hear discussions on artificial intelligence, Golden Dome, network modernization and other defense technology priorities. You can also save your seat for the 2026 Navy Summit on Aug. 27 to explore naval modernization, autonomous systems and next-generation capabilities.

DOW said Monday the suspension will take effect immediately as it conducts a review of the CMMC program to align with Secretary of War Pete Hegseth’s Acquisition Transformation System directives focused on accelerating capability delivery, reducing barriers for small and medium-sized businesses, and strengthening cybersecurity measures.

The suspension applies to the transition to CMMC Phase II requirements, as well as pending and future CMMC implementation milestones across DOW solicitations and contracts.

The department said Phase I self-assessment requirements remain in place.

What Did DOW & SBA Officials Say About the Suspension?

DOW Chief Information Officer Kirsten Davies said the department is suspending CMMC Phase II requirements and launching a 60-day review of the program to reduce compliance barriers while maintaining cybersecurity protections.

“Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness,” Davies said. “We believe the DIB can achieve both, while we reduce unnecessary government red tape.”

Michael Duffey, under secretary of war for acquisition and sustainment, said the decision will maintain security standards while reducing costs and supporting competition across the defense industrial base.

“We have a strategic imperative to reduce bureaucracy as we build the world’s strongest Arsenal of Freedom. The CIO’s decision ensures we maintain a strict security baseline while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain,” Duffey said.

Small Business Administration Administrator Kelly Loeffler said the agency supports the department’s action, noting that small businesses have raised concerns about CMMC compliance costs and barriers to participation in the DIB.

“With over 100,000 small businesses impacted and compliance costs approaching as much as $600,000, the SBA strongly supports the Department of War’s decisive action to preserve strong cybersecurity while cutting red tape, bringing American innovators into our defense supply chain, and advancing the DoW’s efforts to rapidly expand modern capabilities essential to warfighter readiness,” Loeffler stated.

Davies, Duffey and Loeffler are all 2026 Wash100 Award recipients.

How Will DOW Review CMMC Requirements?

The Pentagon is establishing a CMMC Reform Task Force to conduct a comprehensive review of the certification program and recommend updated cybersecurity measures.

The task force will collect industry feedback through a public request for information on compliance challenges and use those insights to develop scalable security approaches focused on speed to capability and reducing barriers for small and non-traditional businesses. The task force will provide its final report to the DOW CIO within 60 days.

During the review period, the department will enforce cybersecurity compliance through the National Institute of Standards and Technology’s SP 800-171 Rev. 2 self-assessments and select government-led assessments.

DOW also emphasized that the suspension does not remove contractors’ responsibility to protect federal data. Defense contractors and subcontractors must continue safeguarding covered defense information in accordance with DFARS clause 252.204-7012.

Sponsor

Related Articles

Executive Interviews