The Defense Department has essentially ended the Cybersecurity Maturity Model Certification program by suspending its second phase requirements.
The Pentagon will keep in place Phase 1, which requires self-assessments for how companies protect controlled unclassified information in their systems. But the department said Monday it is suspending Phase 2, which was to begin on Nov. 10 and requires third-party certifications.
DOD is also launching a review of CMMC to make sure it aligns with Defense Secretary Pete Hegseth’s acquisition initiatives, which prioritize speed, and lowering barriers for new entrants. The Acquisition Transformation System directives also aim to replace bureaucratic compliance with what DOD calls “scalable, resilient cybersecurity measures.”
The CMMC program got its start during the first Trump administration and was revised and streamlined during the Biden administration. CMMC has been envisioned as a cyber and supply chain security standard for the defense industrial base.
According to DOD’s Monday statement, the department is responding to complaints that CMMC was increasing compliance costs and adding bureaucratic burdens.
The Small Business Administration also reported that CMMC compliance had caused some companies to leave the defense industrial base, which DOD said is delaying the deliveries of critical capabilities to operators.
“In support of Secretary Pete Hegseth’s directive to reduce compliance barriers for small and medium sized businesses, we are today suspending the CMMC Phase II requirements and initiating a 60-day study of the future of this program,” said DOD Chief Information Officer Kirsten Davies.
Davies said cybersecurity and operational resilience are critical priorities.
“We believe the DIB can achieve both, while we reduce unnecessary government red tape,” she said.
Phase 3 of CMMC, which was to begin in November 2027, and Phase 4 for full implementation are also all suspended.
In the meantime, the department said it would rely on “self-assessments and select government-led assessments.”
DOD’s announcement said Davies made the decision.
“The CIO’s decision ensures we maintain a strict security baseline while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain,” said Michael Duffey, defense undersecretary for acquisition and sustainment.
DOD has also formed a CMMC Reform Task Force to conduct a review of the certification program. Part of their role will be to review comments in responses to a request for information, which DOD posted Monday.
The department wants feedback from companies on cost drivers, administrative burdens tied to CMMC compliance, and which NIST 800-171 security controls deliver meaningful risk reduction.
DOD also wants to know know how companies are already using commercial cybersecurity tools and managed services, and how the department might recognize those in a compliance framework instead of requiring separate assessments.
Responses to the RFI are due Aug. 14.
Read the full article here

