Pentagon suspends CMMC phase two requirements, launches review of program

The Pentagon is suspending the ramp up of new Cybersecurity Maturity Model Certification third-party assessment requirements, while also launching a sweeping review of the CMMC program that once again calls into question the future of the contractor cyber compliance regime.

 

In a July 13 announcement, the Defense Department said it is suspending plans to introduce phase two of the CMMC requirements. That would have involved DoD requiring third-party cybersecurity assessments across all contracts involving sensitive but unclassified information starting Nov. 10, 2026.

 

DoD says the phase one requirements for applicable contracts to require a CMMC self-assessment, which went into effect last November, remain in force.

 

But the Pentagon is now launching a 60-day, “top-to-bottom” review of the certification program, according to a July 13 memo signed out by DoD Chief Information Officer Kirsten Davies.  More

 

For the press release on the suspension click:  Here

 

Please reach out to your APEX counselor for any insight into these recent changes.

Leave a Reply

Your email address will not be published. Required fields are marked *