DOD suspends CMMC Phase 2, launches 60-day ‘reform’ review
ByNick Wakeman,
Editor-in-Chief, Washington Technology
July 13, 2026 04:55 PM ET
Citing prohibitive costs for small and mid-size contractors, the Defense Department will keep Phase I self-assessments in place while a new task force studies the cyber and supply chain security program's future.
The Defense Department has essentially ended the Cybersecurity Maturity Model Certification program by suspending its second phase requirements.
DOD is keeping in place Phase 1, which requires self-assessments for how companies protect controlled unclassified information in their systems. But DOD said Monday it is suspending Phase 2, which was to begin on Nov. 10 and requires third-party certifications.
DOD is also launching a review of CMMC to make sure it aligns with Defense Secretary Pete Hegseth’s acquisition initiatives, which prioritizes speed, and lowering barriers for new entrants. The Acquisition Transformation System directives also aim to replace bureaucratic compliance with what DOD calls...
Copyright of this story solely belongs to nextgov.com. To see the full text click HERE