
The Pentagon has frozen strict CMMC Phase 2 cybersecurity checks, keeping Obama/Biden-era red tape off defense contractors while a new Trump-era task force decides how to rebuild the program.
Story Snapshot
- The Department of War suspended **CMMC Phase II** third-party certification requirements that were set to start November 10, 2026.
- A new 60-day CMMC Reform Task Force will review the program to cut red tape and protect small and non-traditional businesses in the defense base.
- Phase I self-assessment rules still apply, but contractors will not face new outside audits while the review is underway.
- The move fits Trump-era goals to lower barriers to entry, speed up acquisition, and replace bureaucratic checklists with real cyber security.
Trump-era Pentagon Stops Phase 2 Before It Hits Small Businesses
The Department of War has stopped the next wave of Cybersecurity Maturity Model Certification rules just months before they were set to bite down on thousands of American suppliers. Phase II would have pushed many companies into costly third-party audits simply to keep doing work they already do for our warfighters. Officials say research showed these rules could drive smaller and non-traditional firms out of the defense industrial base at the very moment the military needs more innovation, not less. Instead of piling on new mandates, the Trump administration’s Pentagon chose to hit pause and ask a basic question: does this program protect networks, or just feed bureaucracy?
According to the Department’s own public CMMC page, the Phase II requirements that were supposed to start on November 10, 2026 are now “suspended effective immediately.” That date was the kickoff for contracts that involve controlled unclassified information to begin requiring a formal Level 2 certification from outside assessors. Under the earlier plan, many new solicitations would have demanded a Cybersecurity Maturity Model Certification at award, turning compliance into a ticket to even bid. Now, Trump-era leaders have stepped in to stop that switch until they are sure the system is fair and workable for smaller shops that cannot afford armies of compliance lawyers.
What Still Applies: Self-Assessments Stay, Third-Party Audits Stop
Despite the headlines, this is not a blanket retreat from cyber security. The Pentagon is keeping Phase I rules in place, which require contractors to perform self-assessments on how they protect controlled unclassified information and report scores. Companies still must follow National Institute of Standards and Technology Special Publication 800-171 controls and the Defense Federal Acquisition Regulation Supplement clause 252.204-7012 to handle federal data. What changes is who “checks the homework.” The Department has suspended the rollout of Phase II’s third-party assessments by certified assessors, which were seen as expensive and hard to schedule, especially for small and mid-sized firms across the country.
Earlier, the Defense Contract Management Agency had already paused audits of assessment organizations so it could adjust to program changes driven by CMMC 2.0. That pause signaled that the third-party assessment infrastructure needed for Phase II was not ready for prime time. At the same time, the 32 Code of Federal Regulations Part 170 program rule that defines the CMMC framework is still on the books. The standard for cyber hygiene has not been rolled back; companies must still secure their systems. The current review focuses on the delivery mechanism: how often assessments happen, who performs them, and whether the process is practical for the broad defense industrial base. For now, the Department says it will rely on contractor self-assessments backed by some government-led spot checks, instead of locking everyone into one rigid, costly certification model.
New Reform Task Force Targets Red Tape, Not Security
To guide the next steps, the Department of War is launching a new CMMC Reform Task Force with a 60-day deadline to deliver recommendations on the future of the program. Chief Information Officer Kirsten Davies explained that the review must line up with Secretary of War Pete Hegseth’s Acquisition Transformation System, which puts speed to capability and lower barriers for small and non-traditional businesses at the center of defense buying. The Department says the goal is to replace “bureaucratic compliance” with “scalable, resilient cybersecurity measures” that match real-world threats instead of only checking boxes. In other words, they want security that works on the ground, not more paperwork for patriotic small businesses already struggling with inflation and high energy costs.
Legal and industry analysts note this move builds on earlier changes when the Pentagon scrapped the original five-level CMMC scheme and announced “CMMC 2.0” to streamline controls and rely more on existing National Institute of Standards and Technology standards. Under CMMC 2.0, many Level 1 contracts allow self-attestation, and Level 2 splits between “prioritized” deals that need independent assessment and others that rely on annual self-checks. The Department also added tools like waivers for mission-critical needs and plans of actions and milestones so companies can finish some requirements after award. Today’s suspension of Phase II continues that trend: it keeps cyber standards in place but questions whether forcing every contractor through the same outside audit pipeline is worth the cost and delay. For conservative readers, this is a clear example of Trump-era leaders trying to secure the nation without crushing the very businesses that keep our military supplied.
Sources:
insidedefense.com, nextgov.com, csoonline.com, digital.nationaldefensemagazine.org, pillsburylaw.com, lw.com, mayerbrown.com, govinfo.gov, secureframe.com












