ClareNow
Search
ClareNow
Toggle sidebar
Security → Neutral

The Pentagon Just Paused Its Cybersecurity Certification Program. Here's What Everyone Is Missing.

The Pentagon paused CMMC Phase II, but cybersecurity requirements remain. Here's what the decision really means for defense contractors.

Forbes 2 min read 7/10 Washington, D.C.
The Pentagon Just Paused Its Cybersecurity Certification Program. Here's What Everyone Is Missing.
Key Takeaways
  • The Pentagon paused CMMC Phase II on July 14, 2026, halting certification requirements for contractors handling Controlled Unclassified Information.
  • Over 300,000 defense contractors in the supply chain are affected, with existing DFARS and NIST SP 800-171 mandates still in force.
  • The DoD's decision follows industry pushback over high compliance costs and perceived complexity of the multi-tier certification model.
  • CMMC Level 2 certification, which requires third-party assessments, remains the most contentious element and is now paused indefinitely.
  • Contractors that halt cybersecurity initiatives risk losing eligibility for new contracts when the pause lifts—expected within 6–12 months.
The Pentagon's sudden pause of its cybersecurity certification program has left defense contractors confused, but the real story is that requirements haven't actually changed. The Department of Defense paused Phase II of the Cybersecurity Maturity Model Certification (CMMC) program on July 14, 2026, yet mandated cybersecurity standards remain in full effect, meaning contractors must still comply or risk losing contracts.

CMMC was designed to protect sensitive defense information from escalating cyber threats, requiring contractors to achieve specific certification levels based on the data they handle. The program, rolled out in stages, faced criticism from industry groups who warned of high costs and bureaucratic hurdles. Phase I, which covers basic cybersecurity practices, was already underway, but Phase II—requiring more advanced controls for Controlled Unclassified Information (CUI)—is now paused indefinitely.

This decision does not eliminate compliance obligations. Contractors must continue adhering to existing DFARS clauses and NIST SP 800-171 standards. The pause appears to be a recalibration, allowing the DoD to address feedback and streamline the certification process. Officials have not set a timeline for resumption, but they emphasize that requirements are non-negotiable.

The broader implication is that the Pentagon is balancing security imperatives with industry capacity. With over 300,000 contractors in the defense supply chain, a more flexible approach could reduce bottlenecks while maintaining protections. Observers note that this mirrors earlier shifts in federal cybersecurity policy, such as the slow rollout of CUI safeguarding rules.

Looking ahead, defense contractors should expect revised CMMC rules within months, possibly with simplified tiers or extended deadlines. Those who pause their own cybersecurity upgrades risk non-compliance when certification resumes. The message is clear: tighten security now, because the pause is a timeout, not a surrender.

Frequently Asked Questions

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense program that requires defense contractors to achieve certification at specific levels based on the sensitivity of data they handle. It aims to protect Controlled Unclassified Information (CUI) from cyber threats.

The Pentagon paused Phase II to address industry feedback on complexity and costs. The pause allows the DoD to refine the certification process while maintaining existing cybersecurity requirements under DFARS and NIST standards.

No. The pause only affects new certification mandates under Phase II. All existing cybersecurity obligations, including DFARS clauses and NIST SP 800-171 controls, remain in effect for defense contractors.

Contractors should continue implementing NIST SP 800-171 controls and preparing for eventual certification. Halting cybersecurity improvements could lead to disqualification from future contracts when the pause ends.

The DoD has not announced a specific timeline, but industry experts expect revised rules within 6 to 12 months. Contractors should monitor Federal Register notices and defense procurement updates.

Original source

www.forbes.com

Read original

Discussion

Join the discussion

Sign in to post a comment or reply.

No comments yet. Be the first to share your thoughts!

Sign in
Enter your email to receive a one-time sign-in code. No password needed.
Email address