The figure that seems to have finished the programme off is not a cost. It is a ratio: more than 100,000 companies in the American defence supply chain needing an independent cybersecurity audit, against roughly 100 accredited assessors licensed to carry one out.
“So the math just simply doesn’t math,” Kirsten Davies, the Pentagon’s chief information officer, told reporters, in what may be the most quotable sentence ever produced by a federal certification review.
On Monday, the Department of War suspended Phase 2 of the Cybersecurity Maturity Model Certification programme, the compliance regime that would have required contractors handling sensitive but unclassified information to pass an audit by a certified third-party assessor before winning contract awards.
Those requirements were due to take effect on 10 November. They are now frozen, along with every other pending CMMC milestone, until further notice.
A newly created CMMC Reform Task Force has 60 days to review the entire programme and report back. Davies and Michael Duffey, the under secretary for acquisition and sustainment, both declined to rule out scrapping CMMC altogether when the review concludes.
The reasoning is laid out in a memo signed by Davies on 13 July, which describes the programme as a “compliance checklist” that is “structurally incompatible” with the department’s need to expand its supplier base.
The combination of compliance costs, a shortage of assessment capacity, and complex regulatory timelines, she wrote, is “actively forcing innovative new entrants and small businesses to opt out” of defence contracts.
Davies said data gathered by the Small Business Administration suggested the later phases of CMMC could cost small and medium-sized firms more than $7bn a year in compliance approvals.
Kelly Loeffler, the SBA administrator, said her agency had heard directly from “mission-critical small businesses” that certification was becoming an untenable barrier to defence work.
None of this was a surprise to anyone watching. The Government Accountability Office warned in March that the standards might prove too difficult and expensive for smaller suppliers to meet, and that some would leave the defence industrial base rather than try. Industry has said the same since 2019, though the exposure is real: mid-sized firms lose more to cybercrime than the giants do.
CMMC has now been paused twice. The Biden administration halted it in 2021 for a review that stripped the requirements down and produced “CMMC 2.0”, which took years of rulemaking to become enforceable.
Phase 1 arrived in November 2025, requiring self-assessments. Phase 2 was to have introduced the audits that were the entire point of the exercise, replacing self-attestation, which inspector general reports had repeatedly found contractors were failing to honour.
Phase 1 self-assessments remain in force. During the suspension, the Pentagon says it will police compliance through those self-assessments and selected government-led checks against the NIST 800-171 standard, which is to say through the honour system CMMC was built to replace.
Federal cyber housekeeping has not lately inspired confidence on this point, given that CISA, the agency charged with defending civilian networks, had no incident response playbook of its own when it was breached.
Davies was careful to say that money already spent on certification was not wasted. “Every dollar spent on security is a wise dollar spent,” she said, addressing the contractors who had spent a year and considerable sums preparing for a deadline that evaporated on a Monday afternoon. “We are not reducing cybersecurity through this measure. We are reducing the red tape.”
The move suits a department that has grown relaxed about its own rules when they slow down buying, having blacklisted Anthropic as a security threat while its intelligence agencies carried on using Claude, and having spent years inviting outsiders to hack its networks on the theory that friendly attackers beat paperwork.
The Cyber AB, the body that accredits CMMC assessors, was not told in advance. Davies confirmed on Monday that her office had not yet informed it of the suspension or the review.
A request for information now goes out to the defence industrial base. The task force will read the responses before recommending what replaces the programme, if anything does, and reports in mid-September.
Get the TNW newsletter
Get the most important tech news in your inbox each week.
