The Pentagon has halted the cyber audit regulation that was driving small suppliers away.
The figure that appears to have brought the program to a halt is not a monetary one; rather, it is a ratio: over 100,000 businesses within the American defense supply chain require an independent cybersecurity audit, while there are only around 100 accredited assessors authorized to conduct such audits.
"The math simply doesn’t add up," Kirsten Davies, the Pentagon’s chief information officer, stated to reporters, potentially offering the most quotable line ever produced during a federal certification review.
On Monday, the Department of Defense suspended Phase 2 of the Cybersecurity Maturity Model Certification program, which was designed to mandate audits from certified third-party assessors for contractors managing sensitive yet unclassified information before they could secure contract awards.
These requirements were set to be implemented on November 10, but they are now on hold, along with all other pending CMMC milestones, pending further updates.
A newly established CMMC Reform Task Force has been given 60 days to evaluate the entire program and report its findings. Both Davies and Michael Duffey, the undersecretary for acquisition and sustainment, did not dismiss the possibility of eliminating CMMC entirely following the review.
The rationale is outlined in a memo signed by Davies on July 13, which describes the program as a “compliance checklist” that is “structurally incompatible” with the department's goal of broadening its supplier base.
She noted that the combination of compliance costs, a lack of assessment capacity, and intricate regulatory timelines is “actively forcing innovative new entrants and small businesses to opt out” of defense contracts.
Davies mentioned data from the Small Business Administration indicating that the later phases of CMMC could impose compliance approval costs exceeding $7 billion annually on small and medium-sized firms.
Kelly Loeffler, the SBA administrator, stated that her agency has heard directly from “mission-critical small businesses” indicating that certification has become an untenable barrier to defense contracts.
None of this was unexpected for those observing the situation. The Government Accountability Office warned in March that the standards might be too challenging and costly for smaller suppliers, causing some to exit the defense industrial base rather than attempt compliance. The industry has echoed these concerns since 2019, acknowledging that mid-sized companies endure greater losses from cybercrime than larger corporations do.
CMMC has now been paused on two occasions. The Biden administration suspended it in 2021 for a review that reduced the requirements and resulted in “CMMC 2.0,” which took years to finalize.
Phase 1 commenced in November 2025, mandating self-assessments. Phase 2 was intended to implement audits, which were central to the initiative, replacing self-attestation that inspector general reports have consistently revealed contractors were failing to fulfill.
Phase 1 self-assessments remain in effect. During the suspension, the Pentagon has stated it will enforce compliance through those self-assessments and selected government-led checks against the NIST 800-171 standard, essentially reverting to the honor system that CMMC was designed to replace.
Recent federal cyber management has not inspired confidence, particularly given that CISA, the agency tasked with protecting civilian networks, lacked its own incident response framework when it experienced a breach.
Davies was careful to assert that funds already allocated for certification were not wasted. “Every dollar spent on security is a wise dollar spent,” she stated, addressing contractors who had invested a year and significant amounts in preparation for a deadline that disappeared on a Monday afternoon. “We are not diminishing cybersecurity through this measure. We are reducing the bureaucratic obstacles.”
This decision aligns with a department that has become lenient concerning its own regulations when they impede procurement, having blacklisted Anthropic as a security threat while its intelligence agencies continued to use Claude, and having spent years encouraging outsiders to penetrate its networks based on the belief that friendly hackers are preferable to paperwork.
The Cyber AB, the organization that accredits CMMC assessors, was not notified in advance. Davies confirmed on Monday that her office had not yet informed it of the suspension or the forthcoming review.
A request for information is now being circulated within the defense industrial base. The task force will review the responses before suggesting possible replacements for the program, if any, and will report in mid-September.
Other articles
The Pentagon has halted the cyber audit regulation that was driving small suppliers away.
The Pentagon has halted CMMC Phase 2 cybersecurity audits, pointing to high costs and a lack of assessors as reasons that are pushing small contractors away.
