Key Takeaways:
- Pentagon suspends CMMC Phase 2 third-party certification requirements
- 60-day reform task force to review compliance costs for small suppliers
- Phase 1 self-assessments remain in place during the review period
Key Takeaways:

The Pentagon halted the next phase of its cybersecurity certification program for defense contractors, responding to industry warnings that compliance costs were pushing small suppliers out of the defense supply chain.
The Defense Department on Monday suspended Phase 2 of the Cybersecurity Maturity Model Certification program, which was set to take effect Nov. 10 and would have required third-party audits for how contractors protect controlled unclassified information. Phase 1 self-assessments remain in place while a newly formed CMMC Reform Task Force conducts a 60-day review of the program's future, according to a department statement.
"The CIO's decision ensures we maintain a strict security baseline while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain," said Michael Duffey, undersecretary for acquisition and sustainment at the Defense Department.
The suspension follows complaints that CMMC compliance was adding bureaucratic burdens and increasing costs for small and medium-sized businesses. The Small Business Administration reported that some companies had already left the defense industrial base because of the requirements, which the Pentagon said was delaying deliveries of critical capabilities to operators. Phase 3, scheduled for November 2027, and Phase 4 for full implementation are also suspended.
The CMMC program, first introduced during the initial Trump administration and revised under President Joe Biden, was designed to secure controlled unclassified information across an estimated 60,000 companies in the defense supply chain. The Pentagon will now rely on self-assessments and select government-led assessments in the interim, rather than the third-party certification model that Phase 2 would have mandated.
Compliance Costs and the Small-Business Squeeze
Industry executives had warned for months that the certification requirements were disproportionately affecting smaller contractors, which typically operate on thinner margins and lack dedicated cybersecurity compliance teams. The Defense Department's own data showed that compliance costs for a small manufacturer could reach hundreds of thousands of dollars — a prohibitive sum for firms with annual revenue below $10 million.
The Small Business Administration's finding that CMMC compliance had driven some companies to exit the defense industrial base echoed a pattern seen in earlier federal procurement reforms. After the Pentagon tightened IT security requirements for contractors in 2018 under DFARS 252.204-7012, a Government Accountability Office report found that 22% of small defense contractors reported considering withdrawal from contracts due to compliance costs.
The CMMC Reform Task Force will review responses to a request for information posted Monday, seeking feedback on cost drivers, administrative burdens, and which NIST 800-171 security controls deliver meaningful risk reduction. The department also wants to know how companies are using commercial cybersecurity tools and managed services, and whether those could substitute for separate assessments.
What's at Stake for the Defense Industrial Base
The suspension represents a significant policy reversal for a program that had been years in development. The Pentagon's decision aligns with Defense Secretary Pete Hegseth's acquisition directives, which prioritize speed and lowering barriers for new entrants while replacing what the department called "bureaucratic compliance" with "scalable, resilient cybersecurity measures."
For the defense supply chain, the pause could reverse the trend of supplier exits and improve competition. Large prime contractors such as Lockheed Martin Corp., RTX Corp. and Northrop Grumman Corp. rely on networks of thousands of smaller suppliers for components ranging from machined parts to specialized electronics. A narrowing supplier base had raised concerns about cost inflation and delivery delays across major weapons programs.
Responses to the Pentagon's request for information are due Aug. 14, after which the task force will make recommendations on the program's future structure.
This article is for informational purposes only and does not constitute investment advice.