Kirsten Davies and Michael Duffey announce the Pentagon will freeze Phase 2 of the Cybersecurity Maturity Model Certification requirements.

Defense Department Chief Information Officer Kirsten Davies and Under Secretary of Defense for Acquisition and Sustainment Michael Duffey unveiled plans Monday to suspend the Phase 2 requirements of the Cybersecurity Maturity Model Certification (CMMC) program. The move follows research suggesting the policy would drive many businesses out of the defense industrial base due to high costs and complexity. The administration announced the creation of a CMMC Reform Task Force, which will conduct a comprehensive review and submit recommendations within 60 days. While the program was established in 2019 by the first Trump administration to secure sensitive data, many small businesses struggled with the transition to CMMC 2.0. Kirsten Davies noted that the current math does not work for small businesses, as there is a significant mismatch between the 100,000 companies needing assessments and the 100 approved assessors available. By pausing the implementation, the Pentagon aims to reduce red tape and ensure that contractors can continue to provide innovations to the military without being forced out of the market.

Sources