Industry Reactions to Pentagon Suspending CMMC Phase 2: Feedback Friday

https://www.securityweek.com/wp-content/uploads/2026/06/Feedback-Friday.jpeg

The Department of War has suspended CMMC Phase 2’s mandatory third-party assessment requirement, citing concerns that the assessor ecosystem couldn’t scale to meet demand and that compliance costs were pushing small and mid-sized firms out of the defense industrial base.

A newly formed CMMC Reform Task Force will spend 60 days reviewing the program, gathering industry feedback, and reporting recommendations by mid-September.

Crucially, the pause only affects independent verification, with Phase 1 self-assessment obligations, SPRS score submissions, and the underlying DFARS 252.204-7012 requirement to protect controlled unclassified information (CUI) remaining fully in effect.

Industry professionals broadly agree that the suspension pauses third-party CMMC audits but not the underlying legal obligation to protect CUI, warning that self-attestation without verification raises False Claims Act exposure. However, experts are split on whether the fix should be to scope assessments down, automate them, or preserve them largely as-is.

And the feedback begins…

Advertisement....

Copyright of this story solely belongs to securityweek.com. To see the full text click HERE

Read more