The US Department of Defense (DoD) has decided to suspend the implementation of the cybersecurity maturity model certification (CMMC) second phase on a temporary basis. The DoD will conduct a 60-day review before continuing with the implementation of the new cybersecurity requirements that were supposed to take effect in November 2026.
Chief information officer of the Department of War (DoW), Kirsten Davies, stated that the CMMC pause gives an opportunity to “remove burdensome requirements while still maintaining national security.”
Davies emphasized that DoD’s phase one requirements as well as all the regulations regarding the protection of information, are still in full force until further notice.
Additionally, Davies noted that the creation of the CMMC Review and Reform Task Force charged with soliciting feedback from industry constituencies ahead of any reconsideration of the program will contribute to burden reduction.
Additionally, Davies noted that the creation of the CMMC Review and Reform Task Force charged with soliciting feedback from industry constituencies ahead of any reconsideration of the program will contribute to burden reduction.
In particular, the task force will ensure that small businesses and nontraditional contractors are not overly burdened by certification requirements, thus facilitating their participation in defense contracting. Undersecretary of War for Acquisition and Sustainment Michael Duffey stated that the DoD wants to prevent “small manufacturers from being shut out of the defense market due to the cost and complexity of the CMMC.”
The cybersecurity maturity model certification policy sets out cybersecurity requirements for defense industrial base (DIB) companies and contractors. The CMMC 2.0 requirement is applicable to all DoD contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
The newly implemented CMMC 2.0 cybersecurity requirements came into full force on November 10, 2025, and will be implemented in phases. During phase one, which was completed on November 10, 2025, organizations had to conduct self-assessments for Level 1 and some Level 2 contract work.
Level 1 of the CMMC 2.0 covers the protection of FCI and requires a minimal level of cybersecurity maturity, while Level 2 covers the protection of CUI and includes the security requirements of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
Level 1 of the CMMC 2.0 covers the protection of FCI and requires a minimal level of cybersecurity maturity, while Level 2 covers the protection of CUI and includes the security requirements of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
On the other hand, Level 3 includes more stringent measures to protect against advanced persistent threats to sensitive DIB information.
As of November 10, 2026, the beginning of the second phase, organizations will be required to undergo third-party assessment organization (TPO) certification for many Level 2 contracts.
One of the reasons for postponing the second-phase implementation, as stated by officials, is the shortage of TPOs accredited to certify organizations ahead of the November 10, 2026 deadline.
As of November 10, 2026, the beginning of the second phase, organizations will be required to undergo third-party assessment organization (TPO) certification for many Level 2 contracts.
One of the reasons for postponing the second-phase implementation, as stated by officials, is the shortage of TPOs accredited to certify organizations ahead of the November 10, 2026 deadline.
Under the initially established schedule, the third phase of the CMMC 2.0 implementation was set to begin in 2027. It included the introduction of Level 3 requirements for organizations that handle sensitive information and will affect most DoD contracts in Fiscal Year (FY) 2028. Finally, the fourth phase was supposed to ensure complete transition to the new framework in order to meet all CMMC requirements.
As a result of the 60-day review, DoD officials will make recommendations on revising the CMMC 2.0 in order to reduce the burden on industry while addressing warfighters’ and authorizers’ needs in terms of enhanced cybersecurity.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article:
