The Pentagon has halted the cyber audit regulation that was driving small suppliers away.

The Pentagon has halted the cyber audit regulation that was driving small suppliers away.

      The figure that appears to have brought the program to a halt is not a monetary one; rather, it is a ratio: over 100,000 businesses within the American defense supply chain require an independent cybersecurity audit, while there are only around 100 accredited assessors authorized to conduct such audits.

      "The math simply doesn’t add up," Kirsten Davies, the Pentagon’s chief information officer, stated to reporters, potentially offering the most quotable line ever produced during a federal certification review.

      On Monday, the Department of Defense suspended Phase 2 of the Cybersecurity Maturity Model Certification program, which was designed to mandate audits from certified third-party assessors for contractors managing sensitive yet unclassified information before they could secure contract awards.

      These requirements were set to be implemented on November 10, but they are now on hold, along with all other pending CMMC milestones, pending further updates.

      A newly established CMMC Reform Task Force has been given 60 days to evaluate the entire program and report its findings. Both Davies and Michael Duffey, the undersecretary for acquisition and sustainment, did not dismiss the possibility of eliminating CMMC entirely following the review.

      The rationale is outlined in a memo signed by Davies on July 13, which describes the program as a “compliance checklist” that is “structurally incompatible” with the department's goal of broadening its supplier base.

      She noted that the combination of compliance costs, a lack of assessment capacity, and intricate regulatory timelines is “actively forcing innovative new entrants and small businesses to opt out” of defense contracts.

      Davies mentioned data from the Small Business Administration indicating that the later phases of CMMC could impose compliance approval costs exceeding $7 billion annually on small and medium-sized firms.

      Kelly Loeffler, the SBA administrator, stated that her agency has heard directly from “mission-critical small businesses” indicating that certification has become an untenable barrier to defense contracts.

      None of this was unexpected for those observing the situation. The Government Accountability Office warned in March that the standards might be too challenging and costly for smaller suppliers, causing some to exit the defense industrial base rather than attempt compliance. The industry has echoed these concerns since 2019, acknowledging that mid-sized companies endure greater losses from cybercrime than larger corporations do.

      CMMC has now been paused on two occasions. The Biden administration suspended it in 2021 for a review that reduced the requirements and resulted in “CMMC 2.0,” which took years to finalize.

      Phase 1 commenced in November 2025, mandating self-assessments. Phase 2 was intended to implement audits, which were central to the initiative, replacing self-attestation that inspector general reports have consistently revealed contractors were failing to fulfill.

      Phase 1 self-assessments remain in effect. During the suspension, the Pentagon has stated it will enforce compliance through those self-assessments and selected government-led checks against the NIST 800-171 standard, essentially reverting to the honor system that CMMC was designed to replace.

      Recent federal cyber management has not inspired confidence, particularly given that CISA, the agency tasked with protecting civilian networks, lacked its own incident response framework when it experienced a breach.

      Davies was careful to assert that funds already allocated for certification were not wasted. “Every dollar spent on security is a wise dollar spent,” she stated, addressing contractors who had invested a year and significant amounts in preparation for a deadline that disappeared on a Monday afternoon. “We are not diminishing cybersecurity through this measure. We are reducing the bureaucratic obstacles.”

      This decision aligns with a department that has become lenient concerning its own regulations when they impede procurement, having blacklisted Anthropic as a security threat while its intelligence agencies continued to use Claude, and having spent years encouraging outsiders to penetrate its networks based on the belief that friendly hackers are preferable to paperwork.

      The Cyber AB, the organization that accredits CMMC assessors, was not notified in advance. Davies confirmed on Monday that her office had not yet informed it of the suspension or the forthcoming review.

      A request for information is now being circulated within the defense industrial base. The task force will review the responses before suggesting possible replacements for the program, if any, and will report in mid-September.

Other articles

Nvidia creates a whitelist: over fifty percent of its Asian clients are excluded from it. Nvidia creates a whitelist: over fifty percent of its Asian clients are excluded from it. Nvidia has reduced its roster of Asian clients authorized to purchase AI chips by more than 50%, implementing a whitelist and stricter screening processes in Singapore, Malaysia, and Japan. Smartphone shipments in China decline for the fifth consecutive quarter due to the impact of memory costs. Smartphone shipments in China decline for the fifth consecutive quarter due to the impact of memory costs. In the second quarter of 2026, smartphone shipments in China decreased by 4.3% to 66 million units, marking the fifth consecutive decline, largely due to rising memory costs leading to increased Android prices. Both Huawei and Apple experienced growth. Nvidia creates a white list: over half of its Asian clients are excluded from it. Nvidia creates a white list: over half of its Asian clients are excluded from it. Nvidia has significantly reduced its roster of Asian clients authorized to purchase AI chips, implementing a white list and stricter screening processes in Singapore, Malaysia, and Japan. The Seoul court has put a hold on the decision that designated Coupang's founder as its controlling individual. The Seoul court has put a hold on the decision that designated Coupang's founder as its controlling individual. The Seoul High Court has put a halt to the FTC’s classification of Coupang founder Bom Kim as the controlling figure of the group while his legal case against the regulator is ongoing. The forthcoming AI energy commitment from the White House focuses on utilities. The forthcoming AI energy commitment from the White House focuses on utilities. The White House intends to request utilities, data centre operators, and governors to commit to ensuring that the demand for AI power does not increase residential electricity costs. The next AI energy commitment from the White House focuses on utility companies. The next AI energy commitment from the White House focuses on utility companies. The White House intends to request utilities, data center operators, and governors to commit to ensuring that the demand for AI power does not increase residential electricity costs.

The Pentagon has halted the cyber audit regulation that was driving small suppliers away.

The Pentagon has halted CMMC Phase 2 cybersecurity audits, pointing to high costs and a lack of assessors as reasons that are pushing small contractors away.