The US Department of War (DoW) has suspended implementation of Phase II of the Cybersecurity Maturity Model Certification (CMMC), previously due to come into force in November 2026, after concerns were raised about the burden on small defence contractors.
A key factor in the decision was an assessment by the US Small Business Administration (SBA), which highlighted the potentially prohibitive costs that small firms would face if the certification went ahead as planned.
Discover B2B Marketing That Performs
Combine business intelligence and editorial excellence to reach engaged professionals across 36 leading media platforms.
Under Phase II, some small suppliers would have incurred expenses of about $593,800 for third-party verification, while those permitted to self-assess could still expect costs of around $388,600.
SBA indicated that these figures are unsustainable for more than 120,000 small businesses that supply the Defence Industrial Base, particularly with a limited number of only around 100 authorised assessors available to carry out certifications.
DoW chief information officer Kirsten Davies warned that pressing ahead with the original schedule could have excluded many small suppliers, reducing competition and placing additional pressure on manufacturers and supply chains crucial for defence readiness.
“The Department of War is taking decisive action to clear bureaucratic roadblocks and revitalise our defence industrial base in support of Secretary of War Pete Hegseth’s directive to aggressively scale warfighter readiness,” Davies said.
The suspension has led to the formation of a task force to undertake a thorough review of the entire CMMC scheme over the next 60 days.
The new task force, which begins work immediately, has been asked to integrate feedback from industry through a public request for information, released on 13 July.
Davies said: “Using these insights, the task force will recommend realistic, scalable security measures that prioritize speed-to-capability and lower barriers for small and nontraditional businesses, while still providing insights on [defence industrial base] cybersecurity and operational resilience.”
Although Phase II is suspended, existing CMMC Phase I requirements remain in effect.
Davies reiterated that defence contractors must still meet regulatory obligations to protect government information.
“I want to be clear, across the Department of War and our defence industrial base, investing in and dynamically maintaining robust cybersecurity remains a critical, non-negotiable priority,” Davies said.
The CMMC framework, which dates to early 2020, was originally established to set standards for protecting sensitive information in contracts with the DoW.
Over time, the process relied on third-party verification, which Davies has now acknowledged is too slow and costly for widespread implementation within current assessor capacity.
Welcoming the suspension, the SBA stated that small businesses play a crucial role in defence supply chains and that reducing unnecessary bureaucracy is key to expanding the sector’s capabilities.
The DoW said it intends to balance the need for strong information security with the objective of keeping smaller firms involved in the supply base, by removing barriers that have discouraged contractor participation in recent years.
