DoD launches 60-day review to reduce CMMC compliance barriers

On Monday, the Department of Defense announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements while it conducts a full-scale review of the program. Originally scheduled to go into effect on November 10, 2026, third-party Level 2 certification requirements are paused along with pending and future CMMC implementation milestones.
While Phase II certification requirements are on hold, existing cybersecurity obligations remain unchanged. CMMC Phase I self-assessment requirements remain in effect, and the Department will continue using self-assessments and select government-led assessments to evaluate compliance with the NIST SP 800-171 Rev. 2 cybersecurity requirements. Defense contractors and subcontractors must also continue protecting covered defense information as required under DFARS clause 252.204-7012.
The pause changes the timeline and process for third-party certification—it does not eliminate the responsibility to maintain cybersecurity protections and safeguard federal information.
The move is “In support of Secretary Pete Hegseth's directive to reduce compliance barriers for small and medium-sized businesses,” said DoD Chief Information Officer Kirsten A. Davies.
Figures from the Small Business Administration (SBA) show that had the Phase II November launch date held, 120,000 DIB small businesses would have been required to seek compliance through a system with about only 100 approved assessors. Initially developed to strengthen cybersecurity across the Defense Industrial Base (DIB), the DoD says the CMMC program has also introduced significant compliance costs and administrative complexity.
According to the Department, recent data, including findings from the SBA, suggests that these compliance challenges have forced some companies out of the DIB entirely, slowing the delivery of critical capabilities.
For many manufacturers, especially small and medium-sized companies, meeting the requirements has proven challenging and cost-prohibitive.
Total compliance costs can reach upwards of $593,800 per CMMC certification for small firms requiring third‑party assessment, and about $388,600 for firms eligible for self‑assessment according to SBA analysis.
Hon. Michael Duffey, Under Secretary of Defense for Acquisition and Sustainment, said the decision to suspend Phase II “ensures we maintain a strict security baseline while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain."
The DoD’s newly formed CMMC Reform Task Force will immediately begin a comprehensive study of the CMMC certification program. According to the DoD, the goal is to make the program less burdensome for small, medium-sized, and non-traditional businesses while shifting the focus to practical, scalable cybersecurity that supports faster delivery of defense capabilities.
As part of the review, the task force will gather industry feedback through a public Request for Information (RFI) to better understand compliance challenges and use that input to develop recommendations. The final report is expected to be delivered to Davies within 60 days.
"Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness,” said Davies. “We believe the DIB can achieve both, while we reduce unnecessary government red tape.”
Connecticut has a long history as a leader in aerospace, defense, and advanced manufacturing. The state’s defense industrial base includes roughly 1,000 contractors and suppliers that play a vital role in supporting national security while contributing to the strength of the local economy through innovation, investment, and skilled jobs".
“Small and mid-sized manufacturers are critical to Connecticut’s defense supply chain, and many are navigating increasingly complex cybersecurity requirements,” said Beatriz Gutierrez, CONNSTEP President & CEO. "Reducing compliance barriers like prohibitive costs can help ensure that our state's manufacturers remain part of the defense supply chain."
"The pause in CMMC Phase II gives companies additional time to prepare, strengthen their cybersecurity posture, and address gaps before future requirements take effect. CONNSTEP remains committed to helping manufacturers navigate these changes and build the capabilities needed to compete in the Defense Industrial Base.”
Beatriz Gutierrez, CONNSTEP President & CEO
Through cybersecurity readiness assessments, NIST SP 800-171 implementation support, and CMMC preparation assistance, CONNSTEP helps Connecticut manufacturers identify areas for improvement and develop practical strategies to strengthen their cybersecurity programs.
While the timeline has shifted, cybersecurity remains a critical requirement for manufacturers doing business in the defense sector. Organizations that continue improving their cybersecurity posture now will be better positioned regardless of how the revised CMMC program evolves.
More information can be found here: https://dowcio.war.gov/brilliantbasics
Recent Posts











