This week, the Department of War announced that it was immediately suspending the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which were originally scheduled to go into effect on November 10.

“All Phase I self-assessment requirements remain firmly in place,” the Pentagon added, noting that it will begin a comprehensive review of CMMC aimed at aligning with Secretary of War Pete Hegseth’s Acquisition Transformation System (ATS) directives that seek to prioritize speed to capability, lower the barriers for small, medium, and non-traditional businesses, and to replace what it described as “bureaucratic compliance” with scalable, resilient cybersecurity measures.

Critical Driver to the Arsenal of Freedom

The Department further stated that ensuring access to “leading-edge commercial capabilities” was a critical driver of Hegseth’s operational execution of the “Arsenal of Freedom” initiative. The Pentagon emphasized that although the current CMMC program was developed to enhance the defense industrial base (DIB) cybersecurity, it resulted in “prohibitive compliance costs and bureaucratic burdens.”

The Department cited recent data, including reports from the Small Business Administration (SBA), which it said confirmed that CMMC compliance was forcing innovative companies out of the DIB and in turn delaying the delivery of critical capabilities to the warfighters.

“In support of Secretary Pete Hegseth’s directive to reduce compliance barriers for small and medium sized businesses, we are today suspending the CMMC Phase II requirements and initiating a 60-day study of the future of this program,” said Pentagon Chief Information Officer Kirsten A. Davies in a statement on Monday. “Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness. We believe the DIB can achieve both, while we reduce unnecessary government red tape.”

As a result, the Department had confirmed that it was suspending the transition to Phase II requirements of CMMC, along with pending and future CMMC implementation milestones throughout the Pentagon.

“We have a strategic imperative to reduce bureaucracy as we build the world’s strongest Arsenal of Freedom. The CIO’s decision ensures we maintain a strict security baseline while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain,” said Under Secretary of War for Acquisition and Sustainment Michael Duffey.

Realignment of the Cybersecurity Posture

The Pentagon also emphasized that it would realign its cybersecurity posture with the principles of the ATS. Under this effort, the Department Chief Information Officer (CIO) was tasked with establishing a CMMC Reform Task Force to conduct a comprehensive top-to-bottom review of the certification program.

“This task force will serve as the central hub for synthesizing industry feedback from our public Request for Information (RFI) regarding compliance challenges,” the Pentagon explained.

The team will use the data gathered to recommend realistic and scalable security measures that can prioritize speed to capability and lower barriers for small and non-traditional businesses. Delivery of its final report to the CIO is due within 60 days.

During the interim period, the Department will continue to enforce cybersecurity compliance with the NIST SP 800-171 Rev 2 standard through self-assessments and select government-led assessments, focusing on tangible cyber hygiene rather than administrative overhead.

“Suspending CMMC Phase II is not inherently the wrong decision, but it becomes dangerous if reducing compliance burden is interpreted as reducing cybersecurity accountability,” explained Ensar Seker, chief information security officer (CISO) at cybersecurity threat intelligence company SOCRadar.

Seker told ClearanceJobs that the Pentagon is right to recognize that complex and expensive certification processes can exclude smaller and non-traditional companies from the Defense Industrial Base.

“A company’s ability to pay consultants and prepare audit documentation is not necessarily the same as its ability to defend sensitive information. However, the underlying security problem that CMMC was intended to address has not diminished. It has become more urgent,” Seker warned.

He also pointed to a plethora of threats that the U.S. federal government and the DIB now face.

“Foreign intelligence services, cybercriminal groups, and initial-access brokers continually target defense contractors because smaller suppliers can provide an indirect route to sensitive government information, intellectual property, credentials, and larger defense networks,” Seker continued. “Artificial intelligence is further lowering the cost of reconnaissance, vulnerability discovery, phishing, impersonation, and attack automation. These developments make independent assurance and visibility across the defense supply chain more important, not less important.”

The Correct Course Correction?

The Pentagon is attempting to make a course correction, but is this actually the best way to go about it? The CMMC framework has been in active development for several years, and as noted, it was slated to begin on November 10. At that point, it would have mandated third-party cybersecurity certifications (C3PAO) for applicable contracts.

Given the current and emerging cyber threats, simply suspending CMMC may be a rash move to make.

“The right course is therefore not simply to eliminate Phase II and rely indefinitely on self-attestation. The Department should use this review to replace checklist-heavy compliance with a risk-based and technically measurable model,” suggested Seker.

Moreover, it might be wise for higher-risk contractors handling Controlled Unclassified Information to face independent validation still. At the same time, smaller businesses should receive subsidized assessments, shared security services, clearer technical guidance, and requirements proportional to the sensitivity of the data they handle.

“Success should be measured through demonstrated control effectiveness: multifactor authentication, secure identity management, rapid vulnerability remediation, endpoint and network visibility, incident reporting, resilient backups, supply-chain monitoring, and evidence that these controls continue to operate after an assessment is completed,” Seker added.

Even as this may seek to prioritize speed to capability and lower the barriers for enterprise and other non-traditional businesses, there are tradeoffs that should be considered.

“Reducing unnecessary bureaucracy can indeed strengthen national security if resources are redirected toward actual defensive capability,” Seker continued. “But removing verification without establishing a credible alternative would create security blind spots precisely when AI-enabled adversaries and foreign actors are becoming faster, more scalable, and more persistent.”

Related News

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.