Why Did the Department of War Suspend CMMC Phase 2?

Jul 15, 2026
Interview
Why Did the Department of War Suspend CMMC Phase 2?

Vernon Yai is a distinguished data protection expert whose career has been defined by navigating the complex intersection of national security and private sector compliance. With a deep focus on risk management and the evolution of data governance, he has become a leading voice for organizations struggling to balance the weight of federal regulations with the need for operational agility. In this discussion, we explore the Pentagon’s recent decision to pause the Cybersecurity Maturity Model Certification (CMMC) rollout, a move that signals a strategic pivot in how the government intends to protect sensitive information without stifling the small businesses that form the backbone of the defense industrial base.

The Department of War recently announced a 60-day review of the CMMC program, effectively halting the Phase 2 requirements. From your perspective in data governance, what does this pause signal about the tension between maintaining high-level security and the practicalities of defense contracting?

This pause is a heavy acknowledgement that even the most well-intentioned security frameworks can become a suffocating bottleneck if the infrastructure isn’t ready. When CIO Kirsten Davies speaks about clearing bureaucratic roadblocks, she is addressing a very visceral fear among contractors that these regulations were becoming a barrier to entry rather than a protective shield. By stepping back for 60 days, the Department is attempting to breathe life back into a defense industrial base that was beginning to feel the squeeze of high-cost compliance. It is a delicate dance; they are trying to revitalize Secretary Pete Hegseth’s directive for warfighter readiness while explicitly stating that robust cybersecurity remains a nonnegotiable priority. We are seeing a shift toward a more pragmatic reality where the government realizes it cannot secure the nation if it accidentally bankrupts the very companies providing the technology.

With the second phase originally scheduled to begin in November 2026, officials pointed to a shortage of third-party assessors as a primary reason for the delay. How does this logistical hurdle impact the broader multi-year timeline, and what should contractors be doing with this unexpected breathing room?

The shortage of approved third-party assessors was the “elephant in the room” that finally forced a reality check on the November 10, 2026, deadline. If there aren’t enough professionals to actually conduct the Level 2 certification assessments, the entire procurement process grinds to a halt, leaving vital contracts in limbo. However, it is a mistake for contractors to view this as a total reprieve; Phase 1 requirements, which include Level 1 and Level 2 self-assessments, have already been in effect since November 10, 2025. I advise my clients to use this interval to double down on their NIST 800-171 implementations and refine how they handle Controlled Unclassified Information. The goal should be to treat this period as a gift of time to harden their systems before the more rigorous third-party audits eventually become mandatory in the later phases.

Undersecretary Michael Duffey mentioned that this pause is necessary to prevent smaller manufacturers from being “squeezed out” of defense work. How can the framework be reformed to protect these smaller entities while still defending against advanced persistent threats?

Protecting the “mom-and-pop” machine shops and specialized tech startups is critical because they offer the niche innovation that larger primes often lack. When a small business looks at the price tag for CMMC compliance, it can feel like a crushing weight that threatens their very existence. The reform task force will likely look at scaling back certain security measures to ensure that a 20-person company isn’t held to the same administrative overhead as a global aerospace giant. We need to find a way to maintain the integrity of Level 2 and Level 3 standards—which are essential against sophisticated actors—without making the certification process a “pay-to-play” system. The focus must remain on the actual data being handled; if a small manufacturer is only dealing with basic Federal Contract Information, they shouldn’t be buried under Level 3 requirements meant for high-stakes weapon systems.

What is your forecast for the CMMC program once this 60-day review concludes and the task force presents its findings?

I anticipate we will see a much more flexible rollout that leans heavily on tiered implementation to avoid a “cliff” where companies lose eligibility overnight. The final implementation date of 2028 might remain the ultimate goal, but I expect the transition between Phase 2 and Phase 3 in 2027 to become much more fluid based on assessor availability. We will likely see the Department introduce more “on-ramps” for nontraditional businesses, perhaps through simplified documentation or even government-backed auditing resources for critical sub-tier suppliers. Ultimately, the spirit of CMMC will survive because the threat of data theft is too high to ignore, but the delivery will become more agile and less of a bureaucratic nightmare. The future of defense contracting will be defined by this move toward “dynamic maintenance” of security, rather than a one-time check-the-box exercise.

Trending

Subscribe to Newsletter

Stay informed about the latest news, developments, and solutions in data security and management.

Invalid Email Address
Invalid Email Address

We'll Be Sending You Our Best Soon

You’re all set to receive our content directly in your inbox.

Something went wrong, please try again later

Subscribe to Newsletter

Stay informed about the latest news, developments, and solutions in data security and management.

Invalid Email Address
Invalid Email Address

We'll Be Sending You Our Best Soon

You’re all set to receive our content directly in your inbox.

Something went wrong, please try again later