IN Brief:
- CMMC Phase II third-party certification requirements due in November 2026 have been suspended.
- Phase I self-assessment and existing NIST and DFARS safeguarding obligations remain active.
- A 60-day review will examine assessor capacity, small-business burden, consistency, and programme reform.
The Pentagon has suspended the planned second phase of Cybersecurity Maturity Model Certification implementation, delaying third-party assessment requirements that were due to take effect on 10 November 2026.
A 60-day review will examine the programme’s structure, the availability of authorised assessors, and the burden placed on small and non-traditional defence suppliers. Phase I self-assessment remains active, together with existing obligations to protect controlled unclassified information.
Companies subject to DFARS safeguarding clauses must continue implementing NIST SP 800-171 controls, recording assessment results, reporting cyber incidents, and protecting government data. The certification calendar has changed, but the contractual security requirement has not.
CMMC was introduced to replace a system that relied heavily on supplier self-attestation. Independent assessment was intended to provide greater confidence that contractors handling controlled information had implemented the required measures.
Scale has become the programme’s immediate difficulty. More than 100,000 businesses may require assessment across the defence industrial base, while the number of authorised assessment organisations remains comparatively small.
An imbalance of that size could produce long queues, higher fees, delayed awards, and the exclusion of suppliers that are unable to obtain an assessment before a contract deadline.
Smaller manufacturers are particularly exposed. A precision-machining company may hold sensitive drawings and process information while employing no full-time cyber team, leaving managers to coordinate technical work, documentation, and production simultaneously.
Meeting the controls can involve network redesign, multifactor authentication, logging, secure backups, staff training, controlled media, incident response, and replacement of unsupported systems. Those measures require capital as well as specialist knowledge.
Operational technology complicates compliance further. Machine tools, coordinate-measuring equipment, test rigs, and production controllers may depend on old operating systems or vendor software that cannot be patched routinely.
Disconnecting such equipment can interrupt work, while replacement may trigger expensive requalification of the manufacturing process. Secure enclaves, controlled transfer stations, and network segmentation offer alternatives, although they create their own administrative burden.
The review gives officials an opportunity to distinguish effective security from excessive paperwork. Hundreds of documents provide little protection when systems remain poorly configured, while weakening controls to preserve supplier participation would leave valuable data exposed.
Assessment consistency will require particular attention. Companies need confidence that different qualified assessors will interpret evidence and technical controls in broadly comparable ways.
Wide variation encourages suppliers either to seek the least demanding assessor or prepare for the strictest possible interpretation, increasing cost without improving security proportionately.
The Pentagon must also define how certification flows through prime contracts and lower-tier suppliers. Large contractors need reliable methods to determine which businesses handle controlled information, which level applies, and how status changes affect continuing production.
A supplier may support several programmes using different customer portals, data environments, and contract clauses. Treating the entire company as one protected network can become unnecessarily expensive, while separate enclaves require careful control of staff, files, and workflows.
Companies that have already invested in certification retain useful capability. Identity management, network segmentation, vulnerability handling, secure configuration, backups, and recovery remain relevant regardless of the assessment timetable.
Major contractors have begun moving through formal assessments, including CMMC Level 2 certification within large programme environments, while technology providers are offering managed compliance environments for smaller suppliers.
Those services may reduce the need for each company to design its own architecture, although responsibility for staff behaviour, production equipment, physical access, and data handling cannot be outsourced completely.
Cyber compliance has become part of physical production capacity. A supplier can possess rare tooling, approved processes, and specialist engineering knowledge yet become unavailable when it cannot demonstrate adequate information protection.
Replacing that company may require new first-article work, material qualification, tooling, audits, and customer approval, turning a cyber requirement into a manufacturing delay.
Programme reform must therefore preserve security without removing capable suppliers abruptly. Clearer guidance, proportionate controls, reusable evidence, government support, and mutual recognition between customers could reduce duplicated effort.
The industrial base includes global primes, software developers, universities, cloud providers, family-owned machine shops, and specialist consultants. Applying one framework across that range requires enough flexibility to reflect different risks without reducing certification to a nominal badge.
State-linked actors and criminal groups will continue targeting suppliers during the review. Smaller businesses frequently hold programme information with weaker protection than the prime, making them attractive routes for espionage or disruptive intrusion.
Companies that stop remediation during the pause may face the same technical deficiencies when revised rules appear. The review period is better used to remove unsupported systems, improve inventories, test backups, and establish clearer responsibility.
Officials now have a limited window to produce a workable route into independent assurance. Suppliers making investment, staffing, and network decisions need early clarity, particularly when contract competitions extend beyond the 60-day review.
CMMC Phase II was paused because implementation capacity risked falling behind the requirement. The revised programme must preserve credible verification while avoiding an assessment bottleneck that removes secure and technically capable manufacturers from defence work.


