The U.S. Department of Defense has suspended the implementation of CMMC Phase 2 requirements and paused third-party cybersecurity audits [1, 2, 3].
This move represents a significant shift in how the Pentagon manages the security of its supply chain. By halting the planned ramp-up of assessments, the government is acknowledging that the current certification process may be too rigid for many of the smaller companies that provide critical components for national defense.
DoD CIO Kirsten Davies said, "We are suspending the planned ramp-up of third-party assessments while we conduct a comprehensive review of the program" [3]. The suspension affects a framework that was scheduled to take effect in November 2026 [1].
Pentagon officials said the current CMMC Phase 2 framework is prohibitively burdensome for the Defense Industrial Base [2]. A senior Pentagon official said, "CMMC as currently executed is too prohibitively burdensome on the Defense Industrial Base" [2]. The agency intends to use the review period to develop cybersecurity approaches that are more scalable for contractors of various sizes.
Despite the pause on audits, the legal requirements for data protection remain active. Industry experts said, "The suspension pauses audits but does not relieve contractors of their legal duty to protect Controlled Unclassified Information" [1]. This means that while companies may not face an immediate third-party audit, they are still legally obligated to secure Controlled Unclassified Information, or CUI [1].
The decision follows growing concerns that the cost and complexity of CMMC compliance could drive smaller, innovative firms out of the defense market. The Pentagon will now evaluate how to balance the need for rigorous security with the practical realities of industrial operations.
“"CMMC as currently executed is too prohibitively burdensome on the Defense Industrial Base."”
The suspension indicates a tension between the Pentagon's need for high-level cybersecurity and the economic viability of its supply chain. By pausing the audits, the DoD is attempting to prevent a 'compliance cliff' where smaller vendors are disqualified from contracts due to the cost of certification. However, the insistence that CUI protection remains a legal duty suggests the government will still hold firms accountable for data breaches, even without a formal CMMC certificate.



