Pentagon Hits Pause on Contractor Cybersecurity Checks, Citing Too Few Auditors and Too Much Red Tape

The Defense Department is suspending the second phase of its main cybersecurity certification programme for a 60-day review, leaving smaller defence suppliers in a holding pattern.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial photograph, 16:9 framing, showing a large server room bathed in cold blue light, rows of dark server racks stretching into the distance
Share

Key points

  • The Pentagon suspended phase two of the Cybersecurity Maturity Model Certification (CMMC) programme on May 2025, pausing requirements that were due to take effect in November 2026.
  • A newly formed task force will spend 60 days collecting industry feedback before recommending changes aimed at reducing costs for small and non-traditional defence suppliers.
  • Officials cited a shortage of approved third-party auditors as a key reason the November 2026 deadline was no longer workable.
  • Phase one requirements, which took effect on 10 November 2025 and rely on companies checking their own security, remain in force.

The Pentagon has put a core part of its defence-supplier cybersecurity programme on hold while it works out whether the rules are doing more harm than good.

The programme in question is the Cybersecurity Maturity Model Certification, or CMMC. Think of it as a checklist that any company wanting a defence contract must pass to prove it handles sensitive government information securely. It covers two categories of data: Federal Contract Information (FCI), which is basic government business data, and Controlled Unclassified Information (CUI), which is sensitive material that is not classified but still needs protection.

The programme has three levels. Level 1 covers basic protection of FCI. Level 2 covers CUI against the security standards set out in NIST 800-171, a widely used federal security guide. Level 3 targets the most sensitive CUI against state-level hackers.

Why is this happening now?

The short answer: there are not enough approved auditors to actually run the checks.

Phase two, originally scheduled to start on 10 November 2026, would have required companies handling CUI to bring in an independent, government-approved third party to audit their security before winning new contracts. Officials confirmed at the announcement that too few of those auditors currently exist to meet the deadline.

Kirsten Davies, the Department's Chief Information Officer, said the pause clears bureaucratic obstacles without lowering the bar. Contractors still have to meet phase one requirements, which have been in force since 10 November 2025 and ask companies to assess their own security and self-certify.

Undersecretary Michael Duffey added that the compliance costs tied to phase two risked pushing smaller manufacturers out of defence work entirely.

The full four-phase rollout runs to 2028. Phase three, due November 2027, would bring Level 3 certification for the most sensitive contracts. Phase four, in 2028, was meant to extend full requirements across all applicable contracts.

For now, a new CMMC review and reform task force will gather feedback from industry before recommending a scaled-back path forward. SecurityWeek first reported the announcement.

The immediate effect on ordinary members of the public is limited. But the pause matters for anyone who works for, or supplies goods to, a company in the defence chain, because it affects whether those companies face formal security audits in the near term.

What contractors should do now

If your company holds a defence contract or wants one, four steps make sense right now. First, confirm you are meeting phase one self-assessment requirements, because those have not changed. Second, track the task force's output over the next 60 days, as the revised phase two requirements could look quite different from the original rules. Third, start mapping any CUI your business handles, since that data category is the core of CMMC Level 2. Fourth, use the breathing room to document your current security controls while costs are lower and deadlines are softer.

© 2026 Threat Vectr