The Department of Defense (now War under President Trump) announced this week they’re suspending all Cybersecurity Maturity Model Certification (CMMC) Phase II requirements effectively immediately. The requirements were originally scheduled to come into effect November 10th, 2026, these requirements would have required the DoD to be involved in third-party cybersecurity assessments involving sensitive but classified data. Phase requirements that require a CMMC self-assessment and began last November will stay in place as of the time being.

The Pentagon announced they will be doing a “top-to-bottom” review of the CMMC certification program over the next 60 days, the memo released by DoD Chief Information Officer Kristin Davies suggests that the program has come into conflict with Defense Secretary Pete Hegseth’s initiatives to eliminate government bureaucracy and enable more innovation by removing guardrails.

“The current iteration of the Cybersecurity Maturity Model Certification (CMMC) program, while intended to enhance security, imposes significant and often prohibitive burdens on the Defense Industrial Base (DIB), particularly the small and non-traditional businesses that are the engine of American innovation,” Davies wrote. “While cybersecurity is essential, administrative compliance cannot come at the cost of warfighting capability and industrial base growth.” – DoD Chief Information Officer Kristin Davies

In addition to removing the November deadline for third-party assessments the memo suspends all pending and future CMMC milestones “until further notice”.  Before this announcement some DoD offices had already began conducting third-party assessments in advance. It’s clear from the memo that this move is intended to remove hindrances from DIB contractors and speed up innovation and capacity within that base to further the goals of the current administration.

However, this change has left many defense contractors uncertain how to proceed. The CMMC program in general has experienced a host of changes since it’s inception in 2010 under an executive order from President Obama. It’s goal was to provide a standard for cyber security for defense contractors who handle controlled unclassified data (CUI) and it wasn’t until 2019 that development on the program actually began.

Self-attestation was originally only meant for very small contractors handling limited CUI while larger contractors and more complete DoD contracts would eventually require third-party assessments and more rigorous levels of cyber security hygiene. Even the DoD itself failed to measure up to the tough requirements outlined in the program.

The CMMC assessment industry has also been booming since the program was implemented and this news will leave many of those outfits in limbo, DoD contractors were using the C3PAO assessment to be officially CMMC certified and for CMMC audits. CMMC C3PAO assessors have received specialized training to be authorized to conduct CMMC assessments and guide organizations through their CMMC journey.

CMMC shares overlap with NIST 800-171 compliance (NIST is also the inspiration for many other cybersecurity frameworks such as CIS) and while the third-party audit portion may be paused at the moment, we still recommend businesses strive to meet compliance with their chosen cyber security framework just as a matter of good practice.

Cyber security framework compliance helps your business:

  1. Reduces the chance of a successful cyberattack
    A framework like the NIST Cybersecurity Framework helps a business identify weak passwords, missing updates, excessive permissions, unsecured devices, and other common gaps before attackers exploit them.
  2. Limits damage when an incident occurs
    Clear access controls, network protections, backups, endpoint security, and incident-response procedures can keep a compromised account or computer from turning into a business-wide disaster.
  3. Improves detection and response time
    Logging, monitoring, alerting, and documented escalation procedures help the business recognize suspicious activity sooner and respond consistently instead of improvising during a crisis.
  4. Protects business operations and customer data
    The framework encourages reliable backups, recovery testing, data classification, vendor oversight, and continuity planning. These controls help the company continue operating after ransomware, equipment failure, or account compromise.
  5. Builds trust and supports compliance requirements
    Following a recognized framework demonstrates that cybersecurity is being managed systematically. This can help with cyber-insurance applications, customer security questionnaires, contractual requirements, audits, and regulated-data obligations.

As a managed service provider, we help our clients meet compliance requirements for NIST, CMMC, CIS, HIPAA, WISP and more. It can be difficult for a small or medium-sized business to tackle and maintain the security features implemented alone, we suggest working with a trusted partner in this process.

For CMMC contractors, at this point it is too early to know what will happen in the future or with the program in general but the protections that have been put in place to meet the requirements are still a net positive for your business’s security posture. If scaling up your business’s security goals and addressing compliance requirements is on your radar for 2026, Valley Techlogic can be your trusted partner in the process. Learn more today through a consultation.

This article was powered by Valley Techlogic, leading provider of trouble free IT services for businesses in California including Merced, Fresno, Stockton & More. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on X at https://x.com/valleytechlogic