Skip to content
SPECIAL

THREATS TO CRITICAL INFRASTRUCTURE IN IRAN CONFLICT

READ MORE

Pentagon suspends CMMC phase two requirements, launches review of program

U.S. Army Sgt. Shaquille Bullock, an information technology specialist with the J6 Command, Control, Communications, and Computers Directorate, D.C. National Guard, works in Washington, D.C., on Nov. 29, 2025. (U.S. Air National Guard photo by Staff Sgt. Renee Crugnale)

By Justin Doubleday

The Pentagon is suspending the ramp up of new Cybersecurity Maturity Model Certification third-party assessment requirements, while also launching a sweeping review of the CMMC program that once again calls into question the future of the contractor cyber compliance regime.

In a July 13 announcement, the Defense Department said it is suspending plans to introduce phase two of the CMMC requirements. That would have involved DoD requiring third-party cybersecurity assessments across all contracts involving sensitive but unclassified information starting Nov. 10, 2026.

DoD says the phase one requirements for applicable contracts to require a CMMC self-assessment, which went into effect last November, remain in force.

Read more at Federal News Network

Click to listen highlighted text!