A US Air Force client system technician types on his computer at Maxwell Air Force Base, Alabama, Feb.19, 2025. (U.S. Air Force photo by Senior Airman Elizabeth Figueroa.)
WASHINGTON — The Pentagon is suspending part of its cybersecurity requirements for industry, specifically related to third party assessments, citing onerous burdens on especially smaller defense firms.
“In support of Secretary of War Hegseth’s directive to aggressively scale warfighter readiness, I’m announcing the immediate suspension of the Cybersecurity Maturity Model Certification, or CMMC, Phase II requirements, which were originally scheduled to go into effect November 10, 2026,” Kirsten Davies, chief information officer, told reporters at the Pentagon today, using the secondary name for the secretary of defense. “I want to be clear across the Department of War and our defense industrial base, investing in and dynamically maintaining robust cybersecurity remains a critical non-negotiable priority. This action does not eliminate the legal requirement for our industry partners to protect federal data.”
Davies added later, “We are not reducing cybersecurity through this measure. We are reducing the red tape.”
A July 10 memo released by the Pentagon today notes that the current iteration of CMMC imposes “significant and often prohibitive burdens on the Defense Industrial Base (DIB), particularly the small and non-traditional businesses that are the engine of American innovation. While cybersecurity is essential, administrative compliance cannot come at the cost of warfighting capability and industrial base growth.”
The current administration has made it a top priority to loosen perceived bureaucratic restrictions and hurdles in order to speed up the delivery of systems and capabilities while seeking to simultaneously grow the industrial base.
CMMC has been in the works since at least 2019, during the first Trump administration. At the time, there was worry that America’s enemies were able to infiltrate contractors and suppliers to steal information and aggregate it to gain a significant advantage. The program was meant to bolster the security of the entire industrial base so that the weakest link wouldn’t be an in for adversaries.
As initially conceived, it was a tiered cybersecurity framework that graded companies on a scale of one to five based on the classification and security necessary for the work they conducted. In 2021, the Biden administration reworked the program paring down the levels from five to three under what was dubbed as CMMC 2.0. Phase II, the target of the memo, required both self assessment and assessments from a third party every three years.
presented by

ASELSAN at SAHA 2026: Introducing next-generation multi-domain defense systems
Unveiled at SAHA 2026, ASELSAN’s latest portfolio reflects a layered and integrated defense architecture, bringing together electronic warfare, counter-UAV, airborne and naval capabilities within a unified operational framework.
“What is changing? Let me be direct. We are halting complex audits. We are stopping the requirement for third-party assessors and audits,” Michael Duffey, Undersecretary of Defense for Acquisition and Sustainment, told reporters. “We are cleaning up active solicitations immediately. If a current defense solicitation or contract contains those suspended phase two requirements, I have directed our program managers and contracting officers to amend or modify them as soon as possible.”
Those audits apply to third party assessments as part of CMMC Phases, or Levels, II and III, according to documents provided by the Pentagon.
There was always difficulty in getting enough organizations qualified to conduct the assessments, which would have created a massive backlog for companies hoping to receive audits and be in compliance.
“We’re seeing that there’s over 100,000 DIB businesses still that needed a third-party assessment conducted and somewhere in the neighborhood of 100, maybe a little over 100 assessors that are available for that. So the math just simply doesn’t math for small to medium-sized businesses to even get compliant by … the former transition date November 10, 2026,” Davies said.
The memo said thatdata and feedback from the Small Business Administration have documented that the current CMMC program is “structurally incompatible with our need to rapidly expand the DIB.”
The Pentagon will now initiate a task force that will conduct a comprehensive review of CMMC and serve as the central hub for synthesizing industry feedback from public request for information regarding compliance challenges. The task force will issue a final report within 60 days, recommending realistic measures that prioritize speed to capability and lower the barrier of entry for small and non-traditional companies.
During the 60-day review period, the Pentagon said it will continue to enforce baseline cybersecurity compliance through NIST SP 800-171 Rev 2 standard through self-assessments, which the department says, will focus on tangible cyber hygiene as opposed to administrative overhead.
The officials insisted that the suspension will not sacrifice cybersecurity.
“We’re not relaxing any standards by any means,” Duffey said. “We expect businesses to adhere to the standards that NIST has outlined. What we’re removing is the bureaucracy of the third-party assessment.”
The decision is likely to please defense firms who have long argued the CMMC regimen created too many obstacles for defense work, especially forsmall companies don’t have the resources to meet compliance requirements and testing — much to the chagrin of those who developed it.
“Going on LinkedIn and complaining to the world that the CMMC is too hard … you’re — and I want to say [with] the most respect I can to anybody — you’re foolish in what your statement is, because your company has been contracted since 2014 to institute the 110 requirements of the NIST 171. What you’re saying is you’re noncompliant,” Katie Arrington, largely thought of as the creator of CMMC during the first Trump administration, said last year as the official performing the duties of the DoD CIO. She has since left government.
Read Original at Breaking Defense →

