Advertisement
Security

Pentagon Halts CMMC Phase 2 Rollout Amid Defense Industry Overhaul

A 60-day review of the CMMC program aims to reduce compliance friction for small firms while maintaining core security standards.

··3 hours ago·2 min read
teal LED panel
Photo by Adi Goldstein on Unsplash
Advertisement

The U.S. defense sector is entering a period of strategic recalibration as the Pentagon hits the brakes on the second phase of its ambitious Cybersecurity Maturity Model Certification (CMMC) rollout. Originally scheduled to begin in November, the transition is now frozen for a 60-day window while officials conduct an intensive review of the program's long-term structure.

Clearing Roadblocks for Defense Readiness

The pause is framed as a necessary adjustment to streamline procurement processes without compromising the fundamental integrity of protected information. According to leadership, the initiative is meant to reconcile rigorous security mandates with the practical realities of a complex defense industrial base. The Department of War is actively seeking feedback from industry stakeholders to develop more efficient, scaled-back measures that prevent small and nontraditional businesses from being priced out of the sector by administrative burdens.

“The Department of War is taking decisive action to clear bureaucratic roadblocks and revitalize our defense industrial base in support of Secretary of War Pete Hegseth’s directive to aggressively scale warfighter readiness, [But] I want to be clear, across the Department of War and our defense industrial base, investing in and dynamically maintaining robust cybersecurity remains a critical, nonnegotiable priority.”

— Kirsten Davies, CIO at the Department of War

The Compliance Landscape and Timeline

The CMMC framework serves as a vital gatekeeping mechanism for contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The program, which underwent a major pivot to version 2.0, relies on a three-tier structure designed to verify that organizations meet specific, baseline cybersecurity controls.

  • Phase one began on November 10, 2025, focused on self-assessments for Level 1 and Level 2 requirements.
  • Phase two was set to commence on November 10, 2026, introducing third-party certification mandates.
  • Phase three is projected for November 2027, focusing on Level 3 certification criteria.
  • Full program implementation across all applicable contracts is targeted for 2028.

Assessor Shortages and Operational Hurdles

Beyond the philosophical shift in oversight, the Pentagon is contending with tangible logistical constraints. Officials explicitly identified a lack of sufficient approved third-party assessors as a primary factor undermining the feasibility of the original November deadline. By re-evaluating the current rollout, the Department of War aims to address these capacity gaps while ensuring that the transition to mandatory third-party verification does not inadvertently stall the production and delivery of essential equipment.

Implications for the Defense Ecosystem

For contractors and technology providers, this suspension creates a temporary reprieve from immediate compliance costs, yet it signals a broader shift toward a more nuanced, flexible regulatory environment. While the fundamental requirement to secure federal data remains, the industry should expect potential revisions to the methodology behind the current three-tier structure. Businesses currently navigating these standards should remain attentive to the outcomes of the 60-day review, as the resulting reforms could significantly alter the resource requirements and timeline for achieving future certification milestones.

#cmmc#defense#cybersecurity#compliance#pentagon

Iliyas Mansuree

Founder & Editor, Xploitwire

16 years of experience in data privacy, cloud security, and information protection. More by this author →

← Back to all stories
Advertisement