The Pentagon has temporarily halted the cyber audit regulation that was driving small suppliers away.
The figure that appears to have put an end to the program is not a monetary amount. It is a ratio: over 100,000 companies within the American defense supply chain require an independent cybersecurity audit, while there are about 100 accredited assessors authorized to perform such audits. "The math just simply doesn’t math," stated Kirsten Davies, the Pentagon's chief information officer, to reporters, delivering perhaps the most quotable line produced during a federal certification review.
On Monday, the Department of Defense halted Phase 2 of the Cybersecurity Maturity Model Certification program, the compliance system that would have mandated contractors dealing with sensitive but unclassified information to complete an audit by a certified third-party assessor before they could receive contract awards. These requirements were slated to begin on November 10. They are now on hold, along with all other pending CMMC milestones, until further notice.
A newly established CMMC Reform Task Force has 60 days to evaluate the entire program and provide a report. Both Davies and Michael Duffey, the under secretary for acquisition and sustainment, did not rule out the possibility of completely abolishing CMMC after the review concludes.
The reasoning is detailed in a memo signed by Davies on July 13, where she refers to the program as a "compliance checklist" that is "structurally incompatible" with the department’s goal of broadening its supplier base. She explained that the combination of compliance costs, a lack of assessment resources, and complicated regulatory timelines is "actively forcing innovative new entrants and small businesses to opt out" of defense contracts.
According to Davies, data collected by the Small Business Administration indicated that the later stages of CMMC could impose compliance costs exceeding $7 billion annually on small and medium-sized companies. Kelly Loeffler, the SBA administrator, noted that her agency had received feedback from "mission-critical small businesses" indicating that certification was becoming an insurmountable barrier to defense contracts.
This situation did not catch anyone by surprise. The Government Accountability Office had cautioned in March that the standards might be too challenging and costly for smaller suppliers to fulfill, resulting in some opting out of the defense industrial base altogether. The industry has echoed these concerns since 2019, with the reality being that mid-sized firms suffer greater losses from cybercrime than larger corporations do.
CMMC has now been paused on two occasions. The Biden administration halted it in 2021 for a review that simplified the requirements, leading to the creation of "CMMC 2.0," which took years to finalize and enforce.
Phase 1 began in November 2025, requiring self-assessments. Phase 2 was intended to introduce the audits that were central to the initiative, replacing self-attestation, which inspector general reports had found contractors frequently neglected.
Phase 1 self-assessments remain in effect. During the suspension, the Pentagon announced it would monitor compliance via self-assessments and certain government-led checks against the NIST 800-171 standard—essentially reverting to the honor system that CMMC was meant to replace.
Recent federal cybersecurity efforts have not instilled confidence, especially considering that CISA, the agency responsible for defending civilian networks, lacked its own incident response playbook when it experienced a breach.
Davies made it clear that funds already allocated for certification were not wasted. "Every dollar spent on security is a wise dollar spent," she told contractors who had invested considerable time and money preparing for a deadline that vanished on a Monday afternoon. "We are not diminishing cybersecurity through this measure. We are reducing bureaucratic barriers."
This decision aligns with a department that has become lax with its own regulations when they hinder purchasing, having blacklisted Anthropic as a security threat while allowing its intelligence agencies to continue using Claude, and having spent years encouraging outsiders to hack its networks under the belief that friendly attackers are preferable to paperwork.
The Cyber AB, which accredits CMMC assessors, was not notified in advance. Davies confirmed on Monday that her office had not yet communicated the suspension or the review to them.
Now, a request for information is being sent out to the defense industrial base. The task force will review the responses before recommending potential replacements for the program, if necessary, and will report back in mid-September.
Other articles
The Pentagon has temporarily halted the cyber audit regulation that was driving small suppliers away.
The Pentagon has halted CMMC Phase 2 cybersecurity audits, citing high costs and a lack of assessors as factors pushing small contractors out of the process.
