Pentagon Puts CMMC Audits on Hold
The DoD has suspended mandatory third-party assessments, but experts warn that core legal cybersecurity obligations remain unchanged.
The Department of War has officially stepped back from its mandatory third-party assessment requirement for the Cybersecurity Maturity Model Certification (CMMC) Phase 2. This pivot follows concerns that the existing assessor ecosystem could not handle the projected demand and that the financial burden of compliance was disproportionately impacting small and mid-sized contractors within the defense industrial base.
A newly established CMMC Reform Task Force is now entering a 60-day review period. The group is tasked with evaluating industry feedback and delivering specific policy recommendations by mid-September.
The Compliance Gap Remains
Despite the halt in third-party audits, the regulatory landscape for defense contractors remains largely unchanged. The pause specifically targets independent verification rather than the foundational security requirements. Contractors must still comply with Phase 1 self-assessment obligations, maintain SPRS score submissions, and adhere to the DFARS 252.204-7012 requirement to protect controlled unclassified information (CUI).
Phase 1 is still in place. If you handle CUI, you’re still self-assessing against all 110 NIST 800-171 requirements and posting that score to SPRS. DFARS 252.204-7012 is still in your contracts.
— Abdie Mohamed, GRC Engineering Lead, NR Labs
Industry professionals stress that while the external audit pressure has evaporated, the risk of litigation under the False Claims Act persists. Companies that provide inaccurate or inflated security self-assessments remain vulnerable to government audits and potential legal penalties if their internal security posture fails to match their stated compliance scores.
Scaling Challenges and Costs
The suspension highlights a significant disconnect between the government's ambitious rollout plan and the actual capacity of available auditors. Analysts point to several specific data points that underscore the structural strain the program faced before the current pause:
- 100: Approximate number of authorized C3PAOs available to oversee over 100,000 potential companies.
- 76,598: The number of entities the Department of War previously estimated would require Level 2 C3PAO certification.
- $9M: Settlement amount reached by Aerojet Rocketdyne regarding self-reported security gaps.
- $8.4M: Settlement amount paid by Raytheon following investigations into security claims.
- $4.6M: Fine levied against MORSE Corp due to discrepancies between self-reported scores and actual assessor findings.
- $1.25M: Settlement amount reached by Penn State related to cybersecurity compliance gaps.
Refining the Future Framework
Experts are divided on the ideal path forward once the 60-day review period concludes. Some advocates suggest shifting toward personal accountability for corporate leadership, arguing that if executives face real consequences for misrepresenting security posture, the need for intensive auditing will naturally diminish. Others suggest that the current scoping process for CUI is fundamentally flawed, forcing excessive costs on subcontractors who do not actually interact with sensitive technical data.
The debate extends to the assessor ecosystem itself. Rather than abandoning third-party validation, some argue the Pentagon should focus on streamlining the process, such as allowing for delta assessments during mergers or acquisitions, rather than requiring full recertification for every organizational change.
Implications for Defense Contractors
For organizations operating within the defense space, the takeaway is clear: the pause in third-party verification is not a license to relax security standards. The underlying legal mandate to protect controlled unclassified information is absolute, and the threat environment continues to move at an accelerated pace. Businesses should treat this interval as an opportunity to move beyond a "check-the-box" mentality.
Success in this revised landscape will likely belong to those who integrate CMMC requirements into their broader organizational resilience strategy. Companies that proactively audit their own CUI usage and align security controls with actual business risk will be better positioned to weather future regulatory shifts. Relying on the current pause to delay necessary security upgrades could prove costly, as the potential for future False Claims Act exposure—and the resulting legal and financial fallout—remains a persistent threat for any contractor that fails to maintain the required standards.
Continue Reading
AI Spam Filters Falter Against Salting
Modern LLM-powered email security is struggling to identify phishing attempts that use decades-old text-hiding techniques.
GPT-5.6 Data Erasure: An Honest Error?
OpenAI confirms that its latest model occasionally wipes user files, attributing the behavior to internal alignment miscalculations.
Critical Path Traversal Flaw Found in IBM Langflow OSS
A critical vulnerability in IBM Langflow OSS allows for arbitrary file writes, posing a severe risk to systems utilizing the APIRequest component.