Few cybersecurity initiatives have generated as much debate across the Defense Industrial Base as the Cybersecurity Maturity Model Certification. Yesterday, that debate took another unexpected turn when Secretary of War Pete Hegseth’s Department of War suspended implementation of CMMC Phase II, established a 60-day CMMC Reform Task Force, and directed the Department to redesign the certification framework while maintaining existing cybersecurity obligations. The decision immediately raised questions about the future of CMMC, the role of third-party assessments, and whether defense contractors should continue investing in cybersecurity readiness.
What Secretary Hegseth’s Team Actually Announced
According to the memorandum signed by the DOD’s Chief Information Officer Kristen Davies, the Department will suspend the November 2026 transition to mandatory Phase II implementation, hold pending implementation milestones in abeyance, limit new procurements to Level 1 and Level 2 self-assessments during the review period, and deliver recommendations for a redesigned framework within sixty days. At the same time, the memorandum explicitly states that existing contractual cybersecurity requirements remain in effect, including compliance with National Institute of Standards and Technology Special Publication 800-171 Revision 2 and applicable Defense Federal Acquisition Regulation Supplement clauses.
In announcing the decision, Under Secretary of War for Acquisition and Sustainment Michael Duffey described the Department’s objective as reducing “paralyzing costs” while preserving innovation and expanding participation throughout the Defense Industrial Base. Chief Information Officer Davies similarly argued that the existing implementation model had become difficult to scale, noting that more than 100,000 contractors would ultimately require assessments while only a fraction of that assessment capacity currently exists. Those comments make clear that the Department’s concern is not whether cybersecurity matters. The concern is whether the current implementation model is the most effective way to achieve it.
Within hours, predictable narratives began emerging across the cybersecurity community. Some declared that CMMC was effectively dead. Others insisted that nothing had changed because contractors are still required to protect Controlled Unclassified Information.
Neither conclusion accurately reflects what the Department actually announced.
The Immediate Business Impact
The Department’s decision represents a significant near-term disruption to the cybersecurity market.
The November 2026 implementation milestone had become the primary catalyst driving customer urgency. Thousands of defense contractors were preparing for mandatory third-party assessments, while managed service providers, CMMC Third-Party Assessment Organizations, software vendors, and consultants had aligned hiring plans, investment strategies, and operating models around that timeline.
Removing that milestone may slow purchasing decisions, delay some certification activities, and create uncertainty throughout the ecosystem. Organizations whose business models depend primarily on performing third-party assessments may likely experience the greatest immediate disruption. Defense contractors will understandably reassess budgets and implementation schedules until the Department provides additional guidance.
What Contractors Should Not Misinterpret
The greater risk is not the Department’s announcement. The greater risk is that defense contractors misinterpret what the announcement actually changed.
The memorandum does not suspend the responsibility to protect Controlled Unclassified Information. It does not suspend National Institute of Standards and Technology Special Publication 800-171. It does not eliminate Defense Federal Acquisition Regulation Supplement clause 252.204-7012. It does not eliminate System Security Plan requirements, Plans of Action and Milestones, or the obligation to accurately represent cybersecurity posture through Supplier Performance Risk System self-assessments. It certainly does not suspend the Department of Justice’s Civil Cyber-Fraud Initiative.
Perhaps most importantly, CMMC itself is no longer merely a proposed framework. It completed the federal rulemaking process and became part of the Department’s regulatory framework. Today’s announcement changes implementation. It does not erase the underlying cybersecurity expectations that defense contractors have spent years preparing to satisfy.
The Wrong Debate
Much of the industry’s discussion over the past year centered on whether the government had enough CMMC Third-Party Assessment Organizations to certify the Defense Industrial Base. That was always an incomplete diagnosis.
More than 1,200 organizations have already achieved certification under the existing framework. That demonstrates meaningful progress was occurring and that the assessment ecosystem was continuing to mature.
The larger challenge was contractor cyber readiness. Too many organizations postponed cybersecurity investments until regulatory deadlines approached. Others underestimated the operational effort required to implement the 110 security requirements contained within National Institute of Standards and Technology Special Publication 800-171. Still others viewed CMMC primarily as an audit rather than a transformation of how they manage cybersecurity risk. Yesterdays’s announcement does not eliminate that readiness gap.
Looking Beyond Compliance
The most important lesson from this week’s announcement extends well beyond CMMC compliance. Cybersecurity was never supposed to be driven solely by compliance deadlines. Third-party certification was intended to validate cybersecurity maturity, not create it. The objective has always been a stronger Defense Industrial Base capable of protecting America’s most sensitive technologies, safeguarding Controlled Unclassified Information, and maintaining the military advantage upon which national security depends.
Implementation strategies may evolve. Certification frameworks may change. Political administrations will come and go. But, the responsibility to protect the Defense Industrial Base remains exactly the same. That mission did not pause this week, and neither should the industry’s commitment to achieving it.

