Advertisement
Security

DoD Halts CMMC Phase II Amid Concerns Over Defense Industrial Base

The US Department of Defense has paused critical CMMC security assessment requirements to reevaluate the program's impact on innovation.

··50 minutes ago·2 min read
man in black and gray camouflage uniform wearing black helmet and black helmet
Photo by Daniel on Unsplash
Advertisement

The United States Department of Defense has officially moved to suspend the second phase of its Cybersecurity Maturity Model Certification program. This unexpected reversal, aimed at fostering greater innovation within the defense industrial base, signals a significant pivot in how the agency approaches the cybersecurity compliance landscape for its contractors.

Revisiting Compliance Strategy

Originally slated to activate on November 10, 2026, the Phase II requirements represented a major step toward mandatory, independent security assessments. While the initial phase relied heavily on self-attestation, the second stage was intended to push contractors handling controlled unclassified information toward verification by certified third-party organizations. The Department of Defense, also referred to as the Department of War, has now opted to hit the brakes to conduct a comprehensive review of the program's overall structure.

A newly formed CMMC Reform Task Force will lead a 60-day review of the certification framework. The directive, which aligns with the acquisition transformation system strategy of Secretary of War Pete Hegseth, aims to shift the focus away from rigid administrative overhead and toward more flexible, resilient security measures. During this interim period, the agency will continue to enforce the NIST SP 800-171 Rev 2 standard through existing self-assessment and government-led review processes.

Metrics of the Defense Industrial Base

The scale of the program and the industry's readiness have been focal points of the recent debate regarding the feasibility of the rollout:

  • 220,000 to 300,000: The estimated number of companies participating in the defense industrial base.
  • 80,000: The approximate number of contractors expected to require CMMC Phase II assessments.
  • 1%: The percentage of defense contractors that felt fully prepared for Phase II audits, according to an October 2025 CyberSheath report.

Official Stance on Red Tape

The Department of Defense clarified that the suspension is necessary to prevent the program from stifling the very capabilities it seeks to protect. Officials expressed concern that the current path was disproportionately affecting small and non-traditional businesses.

Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness. We believe the DIB can achieve both, while we reduce unnecessary government red tape.

— A. Davies, CIO at the Department of Defense

Implications for Security Maturity

For organizations operating within the defense sector, the suspension of Phase II does not signify a total retreat from security obligations. Experts warn that the underlying requirements—particularly those related to NIST SP 800-171—remain vital for protecting sensitive government information. Companies that use this window to relax their security posture may find themselves poorly positioned should enforcement protocols be reinstated or replaced with equally stringent mandates. Ultimately, the industry is entering a period of uncertainty, where the balance between regulatory compliance and operational agility remains a moving target for the foreseeable future.

#cmmc#defense#cybersecurity#compliance#nist

Iliyas Mansuree

Founder & Editor, Xploitwire

16 years of experience in data privacy, cloud security, and information protection. More by this author →

← Back to all stories
Advertisement