Particle.news
Download on the App Store

Pentagon Suspends CMMC Phase II and Launches 60-Day Reform Review

The move seeks to cut compliance costs that pushed small suppliers from defense work while preserving core NIST-based cybersecurity obligations.

Overview

  • The Defense Department announced the immediate suspension of CMMC Phase II on Monday and directed a 60-day CMMC Reform Task Force to recommend changes to the program.
  • During the review, program offices will accept Level 1 and Level 2 self-assessments instead of mandatory third-party Level 2 audits, but contractors must still follow existing rules such as NIST SP 800-171 and DFARS clauses.
  • Officials cited a severe shortage of qualified third-party assessors and government and Small Business Administration reports that compliance costs were driving some companies out of the Defense Industrial Base as key reasons for the pause.
  • DOD has posted a public request for information to gather industry feedback with responses due August 14 and has asked program offices to amend solicitations that included the suspended Phase II mandates.
  • The decision creates short-term uncertainty for assessors, consultants, software vendors and contractors that planned around the November 2026 audit deadline and could slow procurement decisions while the department retools how it verifies contractor cybersecurity.