Articles

CMMC Phase II is Suspended: Don’t Drop Your Guard 

The U.S. Department of War (DOW) dropped a bombshell Monday morning announcing the immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements. Small and mid-sized manufacturers in the throes of CMMC compliance all simultaneously asked themselves: 

“Can I stop spending all my time and money on this compliance business now?” 

It is completely understandable to want to hit the brakes; achieving CMMC Level 2 compliance is notoriously expensive, resource-intensive, and exhausting particularly for the bulk of the DIB. But the looming November 10, 2026 deadline for mandatory third-party assessments hasn’t gone away, and pulling the plug on your cybersecurity efforts right now would be the wrong move. 

The Memo 

The official memo Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements,” describes a pivot in how the government intends to secure the Defense Industrial Base (DIB). 

Driven by Secretary of War Pete Hegseth’s new Acquisition Transformation System (ATS) directives, the Pentagon is acknowledging a painful truth that small business advocates have been saying for years: the current iteration of CMMC has created prohibitive compliance costs and administrative burdens that are forcing innovative small and medium-sized manufacturers out of the defense supply chain. 

To fix this, DOW Chief Information Officer Kirsten A. Davies has suspended all pending and future CMMC Phase II implementation milestones across all solicitations and contracts. The DOW has established a CMMC Reform Task Force to conduct a 60-day review of the certification program. 

What Changes (and What Doesn’t) 

Before you throw your compliance documents in the shredder, we need to read the fine print. This is a suspension of Phase II (Third-Party Assessments), not the elimination of cybersecurity requirements. For example, all CMMC Phase I self-assessment requirements remain firmly in place. If you handle Federal Contract Information (FCI), you still have to verify basic cyber hygiene. Likewise, DFARS 252.204-7012 is still the law. The memo explicitly states that all defense contractors and subcontractors remain contractually obligated to safeguard Covered Defense Information (CDI) and Controlled Unclassified Information (CUI). 

The bottom line is that the government still expects you to protect sensitive data; they have simply hit the pause button on the requirement to pay a Certified Third-Party Assessment Organization (C3PAO) to prove it. 

Why Stopping Your Compliance Efforts is Dangerous 

It is tempting to reallocate your CMMC budget back into production, new machinery, or headcount. But halting your momentum right now would be a mistake for several reasons. 

The Legal Liability of False Claims. Because DFARS 252.204-7012 self-assessments remain mandatory, you still have to upload your score to the Supplier Performance Risk System (SPRS). If you pause your compliance efforts, stop implementing controls, or make changes without updating your SSP, your SPRS score becomes inaccurate. Knowingly misrepresenting your cybersecurity posture on government systems can trigger massive False Claims Act penalties.  

Threat Actors Do Not Care About Pentagon Politics. China and Russia will not pause their cyber espionage campaigns because the Department of War decides to reconsider its compliance programs. Small and mid-sized manufacturers remain the soft underbelly of the defense supply chain, and a ransomware attack will cripple your business faster than a CMMC assessor ever would.  

Forecasting the Future 

The CMMC Reform Task Force has 60 days to deliver its final report to the DoW CIO. What happens next? Based on the tone of the ATS directives, we can make some educated projections about the most likely and most risky scenarios to evolve from this effort. 

Most Likely: A Shift to Continuous, Validated Cyber Hygiene 

The DOW is unlikely to abandon CMMC entirely. The most probable outcome is that the CMMC program will be modified to reduce C3PAO involvement. We will likely see an approach that favors automated, continuous monitoring over mountains of documentation. The framework will almost certainly stick with NIST SP 800-171 but will include scalable implementations giving smaller shops lower administrative burdens than prime contractors.  

Most Risky: A “Wild West” Vulnerability Surge 

The riskiest decision the DOW could make is to permanently lower the security baseline or rely on unverified self-assessments out of a desire to reduce cost, complexity, and friction. While this would successfully keep innovators in the supply chain, it creates a massive structural risk. If the Pentagon removes the teeth from enforcement, it puts the supply chain at risk. 

The Bottom Line  

This announcement may be a temporary win for your cash flow and your sanity, but it is not adequate justification to walk away from the table. Think of this suspension as breathing room to get your security strategy right rather than just getting it done

More News

Articles

When MFA Isn’t Enough: How Adversaries Are Bypassing Identity Controls

Read More
Articles

MxD Welcomes Kathleen S. Miller to Board of Directors

Read More
Articles

MxD Releases Casting & Forging Digital Fabric Roadmap to Strengthen U.S. Defense Manufacturing

Read More