What's Happening?
The Department of Defense (DoD) has announced the suspension of the Cybersecurity Maturity Model Certification (CMMC) phase two requirements, which were set to mandate third-party cybersecurity assessments for all contracts involving sensitive but unclassified
information starting November 10, 2026. This decision is part of a comprehensive review of the CMMC program, initiated by DoD Chief Information Officer Kirsten Davies. The review aims to address concerns that the current CMMC framework imposes significant burdens on the Defense Industrial Base, particularly affecting small and non-traditional businesses. The review will explore alternatives that prioritize speed to capability and lower barriers for these businesses, while maintaining essential cybersecurity standards.
Why It's Important?
The suspension and review of the CMMC program highlight the ongoing challenges in balancing cybersecurity requirements with the operational needs of the defense sector. The current CMMC framework has been criticized for its prohibitive compliance costs and complex regulatory timelines, which have deterred small businesses from participating in defense contracts. This review could lead to significant changes in how cybersecurity compliance is managed, potentially easing the entry of innovative and small-scale businesses into the defense market. The outcome of this review could impact the broader defense industrial base by reshaping compliance requirements to better align with the needs of modern warfare and industrial growth.
What's Next?
The DoD has initiated a 60-day review period, during which the CMMC Reform Task Force will provide recommendations for a revised framework. This framework is expected to focus on reducing regulatory burdens and offering scalable security measures that are more accessible to small and medium-sized businesses. The review's findings could lead to a restructuring of the CMMC program, potentially replacing the current third-party compliance model with more flexible and realistic security measures. Stakeholders, including small businesses and defense contractors, will be closely monitoring the review process and its outcomes, as these could significantly influence future contracting opportunities and cybersecurity practices within the defense sector.













