Why Is the Department of War Suspending CMMC Phase II?

The sudden and decisive suspension of the Cybersecurity Maturity Model Certification Phase II milestones by the Department of War represents a fundamental pivot in the history of American defense procurement policy. This unexpected decision to halt the progress of the defense compliance juggernaut has sent ripples through the vast industrial base, signaling a momentary end to the rigid implementation of the program as it was previously understood. By pausing the certification schedule, the department has signaled its intent to reevaluate the entire framework, prioritizing a 60-day top-to-bottom strategic review that aims to address long-standing concerns regarding the efficiency and fairness of current cyber regulations. This suspension is not merely an administrative delay but a calculated intervention designed to prevent the fragmentation of the defense supply chain before the full implementation of Phase II becomes a permanent fixture of federal law.

Moving away from prohibitive compliance barriers has become the central theme of this strategic halt, as leadership recognizes that the current trajectory was on the verge of marginalizing essential small and non-traditional contractors. Historically, these smaller entities have served as the backbone of military innovation, yet they were increasingly finding themselves locked out of the market due to the overwhelming administrative demands of the certification process. The 60-day review period is specifically intended to identify where the program has strayed from its core mission of security and morphed into a bureaucratic exercise that threatens the diversity of the “Arsenal of Freedom.” By freezing the Phase II milestones, the department is carving out the necessary space to pivot toward a model that emphasizes operational resilience and speed to capability over the accumulation of administrative red tape.

The impact on the defense industrial base is profound, as the shift from a rigid certification schedule provides immediate breathing room for firms that were struggling to meet the looming 2026 milestones. This pause allows the Department of War to reconsider the balance between the necessity of robust cybersecurity and the practicalities of industrial production in a rapidly changing global environment. Instead of forcing companies to chase a static set of requirements that may not align with modern threats, the new approach seeks to integrate security more organically into the acquisition process. This transition reflects a broader institutional realization that true security is not achieved through a checklist of third-party audits but through a dynamic and scalable defense posture that can evolve as quickly as the adversaries it is designed to deter.

The Shift: Bureaucratic Red Tape to Acquisition Transformation

Integrating cybersecurity requirements with the newly established Acquisition Transformation System represents the next logical step in Secretary Pete Hegseth’s broader plan to modernize how the department buys technology. The Acquisition Transformation System, or ATS, was designed to strip away the layers of inefficient oversight that have historically slowed down the delivery of critical capabilities to the warfighter. By aligning the Cybersecurity Maturity Model Certification with these transformation goals, the department is ensuring that security is no longer a bottleneck but a streamlined component of the procurement lifecycle. The move signals a departure from the traditional mindset where cybersecurity was treated as an isolated compliance hurdle rather than an integrated element of the engineering and acquisition process.

The role of the CMMC Reform Task Force is instrumental in this transition, as this group of experts has been charged with modernizing the defense procurement landscape within a very tight timeframe. This task force is looking at the certification protocols through the lens of efficiency, seeking to identify where high-cost third-party audits have become obsolete in a threat environment that moves faster than an auditor can file a report. The goal is to create a system where the “Arsenal of Freedom” can flourish without being hamstrung by the very regulations intended to protect it. By focusing on the removal of redundant processes, the task force aims to ensure that the department can leverage the best commercial technologies without forcing private sector innovators to adopt bespoke and often unnecessary government-specific security architectures.

Fostering a more agile procurement environment requires the department to acknowledge that the old model of high-friction oversight is incompatible with the demand for rapid capability deployment. This shift is not just about changing the rules of the game but about changing the culture of the department to prioritize results over adherence to archaic procedural norms. The alignment of certification protocols with the broader goals of the ATS underscores a commitment to a commercial-first mindset, where existing industry standards are leveraged to meet defense needs. This strategic realignment is expected to result in a framework that is much more responsive to the needs of the modern warfighter while maintaining a high bar for data protection across the entire supply chain.

Analyzing the Structural Barriers: Costs, Bottlenecks, and the SME Freeze

One of the most significant justifications for the current suspension is the overwhelming financial burden that the Phase II requirements have placed on small and medium-sized enterprises. Data gathered from across the industry suggests that the costs associated with achieving and maintaining advanced certification levels were becoming an insurmountable hurdle for many specialized firms. These businesses often possess unique technical capabilities essential for national defense, yet they lack the deep pockets required to fund extensive third-party audits and the specialized personnel needed to manage complex compliance documentation. This “SME freeze” threatened to decant the defense market, leaving only the largest prime contractors with the resources to compete, which would inevitably lead to a decrease in competition and a stifling of innovation.

Beyond the direct costs, the department has identified critical shortages in assessment capacity that have created severe bottlenecks in the defense supply chain. The original plan for Phase II relied heavily on a limited number of Third-Party Assessment Organizations, or C3PAOs, whose availability simply could not keep up with the anticipated demand from the thousands of contractors requiring certification. This imbalance between the supply of assessors and the demand for audits created a situation where even compliant and ready firms faced months of delay before they could be officially certified. Such bottlenecks do more than just frustrate contractors; they jeopardize the timely delivery of hardware and software to military units in the field, turning a security initiative into a logistical liability.

The dichotomy between compliance and security has also come into sharp focus during this review, as officials question whether bureaucratic exercises actually produce tangible cyber hygiene. There is a growing consensus that while a company might pass a point-in-time audit, that success does not necessarily translate to a resilient and secure operational environment that can withstand a sophisticated cyberattack. In recognition of this reality, the department has made the bold move to remove advanced Level 3 DIBCAC and Level 2 C3PAO designations from current solicitations. This decision acknowledges that the current audit model may be more focused on paperwork than on protection, and it paves the way for a more outcome-oriented approach that values real-world defense over administrative compliance.

Expert Insights: Prioritizing Operational Resilience Over Third-Party Audits

The directive from Secretary Pete Hegseth to replace government red tape with scalable and resilient security measures reflects a high-level commitment to rethinking the fundamentals of national security. Leadership has emphasized that the goal is not to lower the bar for security but to raise the bar for efficiency, ensuring that every dollar spent on compliance actually contributes to the safety of sensitive information. By moving away from a one-size-fits-all auditing model, the department is seeking to empower contractors to implement security measures that make sense for their specific technical environments. This perspective treats cybersecurity as a living, breathing part of the operational landscape rather than a static checkbox that must be ticked every few years.

Chief Information Officer Kirsten A. Davies has championed the necessity of a commercial-first mindset as the primary vehicle for leveraging existing technology to secure the defense industrial base. The department is increasingly looking to the private sector for managed services and security solutions that are already proven in the global marketplace, rather than insisting on the creation of isolated, government-specific silos. This approach allows the military to benefit from the massive investments that commercial firms have already made in cybersecurity, effectively outsourcing the technical burden of protection to the organizations most capable of handling it. By adopting these commercial standards, the department can reduce the administrative overhead for its contractors while simultaneously enhancing the overall security of the network.

Under Secretary Michael Duffey has added another layer to this discussion by emphasizing the need for economic inclusivity within the defense market. His perspective highlights that a robust security framework must be accessible to a wide variety of firms, regardless of their size, to ensure that the department has access to the most diverse and innovative solutions possible. Findings from the Small Business Administration have reinforced this view, pointing to a measurable freeze on innovation caused by high-cost certification models that discourage new entrants from even attempting to work with the government. The consensus among these experts is that the 60-day review must produce a framework that balances the urgent need for cybersecurity with the equally urgent need to maintain a competitive and technologically advanced industrial base.

Immediate Action Items: The Defense Industrial Base During the 60-Day Review

The Department of War established clear guidelines for the duration of the 60-day review period, ensuring that the defense industrial base maintained its security posture without the weight of unnecessary bureaucracy. Contractors prioritized the transition to Level 1 and Level 2 self-assessments, which provided a more accessible pathway for innovative firms to stay engaged in the market. The department instructed contracting offices and program managers to restrict their requests to these self-attestation tiers in all active and future procurement documents. This move allowed the industrial base to continue its mission while the broader policy framework was being reconsidered, ensuring that no essential contracts were stalled by the absence of third-party assessors.

Industry participants recognized the need to engage with the Request for Information process by the mid-August deadline to identify specific cost drivers that hindered past progress. The department sought granular feedback on which regulatory requirements imposed the highest financial burdens while offering the least amount of actual security benefit. This collaborative effort was designed to pinpoint the technical and administrative friction points that had previously made compliance so difficult for smaller firms. By gathering this data, the leadership aimed to build a reformed model that focused resources on the most effective security controls rather than on the most expensive auditing procedures.

Contractors maintained strict adherence to the existing security standards, specifically the NIST SP 800-171 Rev 2 and the mandatory DFARS 252.204-7012 clauses. The leadership clarified that the suspension of the Phase II milestones did not constitute a “pass” on cybersecurity; instead, it shifted the focus toward tangible cyber hygiene and internal accountability. Companies were encouraged to leverage commercial managed services and existing technologies to safeguard covered defense information without the need for bespoke, high-cost systems. Ultimately, the decision-makers fostered a more resilient and inclusive environment that prioritized speed and capability over administrative checkboxes, ensuring that the defense supply chain remained both secure and agile in the face of evolving global threats.

Advertisement

You Might Also Like

Advertisement
shape

Get our content freshly delivered to your inbox. Subscribe now ->

Receive the latest, most important information on cybersecurity.
shape shape