By Mike Stone
WASHINGTON, July 13 (Reuters) – The Pentagon is suspending the next phase of a cybersecurity certification program for defense contractors, backing off a compliance requirement that industry executives had warned was pushing small suppliers out of military work and narrowing competition in the defense supply chain.
The Defense Department’s long-delayed U.S. Cybersecurity Maturity Model Certification began in November 2025 and aims to protect sensitive information, known as controlled unclassified information.
The Phase 2 rollout of the Cybersecurity Maturity Model Certification, which was to take effect on November 10 of this year, will be paused immediately, the department said. Program offices will for now require only Level 1 or Level 2 self-assessments rather than the third-party audits Phase 2 would have mandated.
The move follows months of complaints from small and mid-sized aerospace and defense suppliers, some of whom told Reuters earlier this year that compliance costs were running into the hundreds of thousands of dollars. They said this, combined with long waits for third-party audits, was prompting them to reconsider defense work altogether.
Industry lawyers had also warned the rules risked squeezing out lower-tier suppliers and complicating business for international companies juggling competing data-privacy standards.
Pentagon Chief Information Officer Kirsten Davies said the suspension responds to those pressures.
The Pentagon said in a statement that “CMMC compliance is forcing innovative companies out of the Defense Industrial Base,” and that the department would launch a 60-day review.
Pentagon Under Secretary of War for Acquisition and Sustainment Michael Duffey tied the decision to the department’s push to speed weapons production, saying the change would remove “paralyzing costs” while keeping “innovators and competition growing in the defense supply chain.”
A newly formed CMMC Reform Task Force will draw on industry feedback collected through a public request for information and deliver recommendations within 60 days.
(Reporting by Mike Stone in WashingtonEditing by Matthew Lewis)




Comments