Pentagon suspends CMMC phase two requirements, launches review of program

Pentagon suspends CMMC phase two requirements, launches review of program

Pentagon suspends CMMC phase two requirements, launches review of program

https://federalnewsnetwork.com/cybersecurity/2026/07/pentagon-suspends-cmmc-phase-two-requirements-launches-review-of-program/

Publish Date: 2026-07-13 16:41:00

Source Domain: federalnewsnetwork.com

DoD CIO Kirsten Davies is suspending plans to ramp up CMMC third-party assessments, as part of a review that casts doubt on the future of the current program.

Justin Doubleday

2 min read

The Pentagon is suspending the ramp up of new Cybersecurity Maturity Model Certification third-party assessment requirements, while also launching a sweeping review of the CMMC program that once again calls into question the future of the contractor cyber compliance regime.

In a July 13 announcement, the Defense Department said it is suspending plans to introduce phase two of the CMMC requirements. That would have involved DoD requiring third-party cybersecurity assessments across all contracts involving sensitive but unclassified information starting Nov. 10, 2026.

DoD says the phase one requirements for applicable contracts to require a CMMC self-assessment, which went into effect last November, remain in force.

But the Pentagon is now launching a 60-day, “top-to-bottom” review of the certification program, according to a July 13 memo signed out by DoD Chief Information Officer Kirsten Davies.

]]

The memo suggests that the CMMC program, as currently planned, conflicts with Defense Secretary Pete Hegseth’s Acquisition Transformation System initiative’s focus on eliminating bureaucracy and enabling innovation.

“The current iteration of the Cybersecurity Maturity Model Certification (CMMC) program,…

Source