← All stories
● Covered by 1 source Β· 1 reportMedium impact

Pentagon Suspends CMMC Phase 2 Requirements Pending Review

Aggregated by BrevFeed security Β· updated 1h ago
πŸ”– Save

The Pentagon has suspended the implementation of Cybersecurity Maturity Model Certification (CMMC) Phase 2 requirements, originally scheduled for November, to review the program. This decision aims to facilitate contracting for small businesses while maintaining existing cybersecurity standards for contractors handling government information.

Key points

Overview of CMMC Phase 2 Suspension

The Pentagon has announced the suspension of Cybersecurity Maturity Model Certification (CMMC) Phase 2 requirements, which were slated to begin in November. This pause is part of a 60-day review aimed at reassessing the entire cybersecurity certification process for contractors.

Rationale Behind the Suspension

Kirsten Davies, CIO at the Department of War, indicated that the suspension is intended to eliminate bureaucratic hurdles while ensuring that contractors continue to adhere to Phase 1 requirements and existing regulations for government data handling. This move is particularly focused on supporting small and non-traditional businesses in the defense sector.

Implications for Contractors

While CMMC Phase 2 has been suspended, contractors must still comply with Phase 1 requirements, which necessitate self-assessments for specific cybersecurity standards. The decision underscores the importance of maintaining robust cybersecurity practices while addressing concerns over compliance costs that may inhibit smaller firms from participating in defense contracts.

Future of CMMC Implementation

The new CMMC review task force will gather industry feedback to propose revised security measures, aiming to facilitate entry for smaller companies. Phase 2 would have introduced third-party certifications for Level 2 by November 2026, but officials noted a shortage of approved assessors for these evaluations.

Next Steps in Defense Cybersecurity Policy

The Pentagon's strategic pause aims to revitalize the defense industrial base without compromising cybersecurity standards. Undersecretary of War for Acquisition and Sustainment Michael Duffey emphasized the need to keep smaller manufacturers engaged in defense work, while robust cybersecurity measures remain a top priority.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Reporting from

The Pentagon has suspended the implementation of Cybersecurity Maturity Model Certification (CMMC) Phase 2 requirements, originally scheduled for November, to review the program. This decision aims to facilitate contracting for small businesses while maintaining existing cybersecurity standards for contractors handling government information.