Department of War Halts CMMC Phase II Requirements Amid Compliance Concerns

    The Department of War has suspended CMMC Level 2 requirements while initiating a 60-day review. This decision is significant for small defense contractors, as it aims to alleviate compliance burdens that challenge their ability to compete for contracts.

    Department of War, U.S. Small Business Administration, National Institute of Standards and Technology, Department of Defense

    Key Signals

    • DoW suspends CMMC Level 2 requirements amidst compliance concerns for small contractors
    • 60-day comprehensive review to evaluate future of CMMC program
    • Compliance cost estimates for small contractors reached up to $593,800 per certification

    "In support of Secretary Pete Hegseth's directive to reduce compliance barriers for small and medium-sized businesses, we are today suspending the CMMC Phase II requirements and initiating a 60-day study of the future of this program."

    Kirsten Davies, Chief Information Officer

    The recent suspension of the Cybersecurity Maturity Model Certification (CMMC) Level 2 requirements by the Department of War (DoW) marks a pivotal moment for small defense contractors across the United States. This decision comes amidst growing concerns regarding the compliance costs that could restrict smaller businesses from participating in federal procurement opportunities. Originally slated for implementation in November 2026, the suspension initiates a 60-day comprehensive review of the CMMC program, in alignment with the directives from DoW’s Chief Information Officer, Kirsten Davies.

    The CMMC framework was introduced with the intention of ensuring that contractors adequately protect sensitive unclassified federal data. However, the evolving landscape of defense contracting revealed that the financial and operational burdens placed upon smaller companies could hinder their competitiveness. SBA Administrator Kelly Loeffler underscored this sentiment, citing that the financial strain imposed by compliance could have forced mission-critical small businesses out of the defense sector altogether.

    The looming requirement for CMMC Phase II was particularly concerning, as it involved extensive third-party assessments—with costs associated with certification reaching as high as $593,800 for those requiring outside evaluations. Further complicating matters, only about 100 approved assessors were available to handle the volume of certifications required, exacerbating delays in contract awards and potentially locking capable suppliers out of the defense contracting process entirely. As a result, many defense contractors had already invested significant resources in preparation for compliance, leading to further frustration.

    Despite this pause, the urgency of maintaining cybersecurity standards remains. The DoW confirmed that while CMMC Phase II audits are suspended, compliance with essential NIST standards remains mandatory. This means that companies must continue to adhere to NIST SP 800-171 requirements for safeguarding covered defense information, regardless of the status of CMMC certification efforts. Furthermore, self-assessments from Phase I of the CMMC remain in effect, highlighting that regulatory compliance continues to be critical even as the specific audit requirements are revisited.

    The decision to pause the CMMC Phase II requirements reflects a balancing act between the need for rigorous cybersecurity measures and the practical realities faced by small businesses. As the federal government conducts its review, procurement professionals can expect adjustments in future regulatory frameworks concerning cybersecurity compliance. For contractors and vendors, this opens an opportunity to reassess strategies to remain compliant and competitive, while potentially benefitting from new guidance that may arise from the review process.

    This development underscores the DoW's recognition of the vital role that small and medium-sized businesses play in the defense industrial base. As stated by Davies, the temporary halt aims to alleviate unnecessary barriers for these businesses, enabling them to continue contributing to national security without facing overwhelming compliance costs. Given that over 120,000 small defense contractors are affected, the implications of this decision are far-reaching within the defense contracting space.

    Agencies

    • Department of War
    • U.S. Small Business Administration
    • National Institute of Standards and Technology
    • Department of Defense