Advertisementspot_img
HomeSecurity & JusticeIndustry Reactions to Pentagon Suspending CMMC Phase 2: Feedback Friday

Industry Reactions to Pentagon Suspending CMMC Phase 2: Feedback Friday

The Department of War has suspended CMMC Phase 2’s mandatory third-party assessment requirement, citing concerns that the assessor ecosystem couldn’t scale to meet demand and that compliance costs were pushing small and mid-sized firms out of the defense industrial base. 

A newly formed CMMC Reform Task Force will spend 60 days reviewing the program, gathering industry feedback, and reporting recommendations by mid-September. 

Crucially, the pause only affects independent verification, with Phase 1 self-assessment obligations, SPRS score submissions, and the underlying DFARS 252.204-7012 requirement to protect controlled unclassified information (CUI) remaining fully in effect. 

Industry professionals broadly agree that the suspension pauses third-party CMMC audits but not the underlying legal obligation to protect CUI, warning that self-attestation without verification raises False Claims Act exposure. However, experts are split on whether the fix should be to scope assessments down, automate them, or preserve them largely as-is.

And the feedback begins…

Advertisement. Scroll to continue reading.

Abdie Mohamed, GRC Engineering Lead, NR Labs:

“Phase 1 is still in place. If you handle CUI, you’re still self-assessing against all 110 NIST 800-171 requirements and posting that score to SPRS. DFARS 252.204-7012 is still in your contracts.

And if you report a perfect 110, the government audits you down the road, and it turns out you never did the due diligence, that’s False Claims Act exposure. DOJ has already settled these cases: Aerojet Rocketdyne ($9M), Raytheon ($8.4M), Penn State ($1.25M), and MORSE Corp, which paid $4.6M over the gap between its self-reported score and what assessors actually found.

I understand why the department hit pause. There are roughly 100 authorized C3PAOs for over 100,000 companies, and that math was never going to work. My concern is the interim, because self-attestation on its own hasn’t been enough. Having a third party audit you keeps you accountable, and every settlement I just listed started with a company attesting to its own compliance.

I believe it’s a tough moment for C3PAOs too. They built businesses around assessments going mandatory this November, and now they’re waiting on the same clock as everyone else: the CMMC Reform Task Force reports back in about 60 days.

That’s what we know. What we don’t know is what comes out of that report, due around mid-September. If I had to predict, we see a different form of CMMC take shape, and a complete erasure of the program would surprise me. Everything DoW flagged was the assessor math and the burden on small businesses, and nobody questioned whether verification should exist. My hope is that independent verification stays in the picture.”

Chris Nyhuis, CEO, Vigilant:

Chris Nyhuis

“This may not be popular, however, suspending CMMC Phase II is the right call, and it’s overdue. Speed done securely is a security requirement now, not a nice-to-have. Our adversaries move in days. When it takes a small defense supplier a year and six figures to clear a third-party audit before it can even bid, we’re not protecting the mission, we’re slowing it down. DoD named the real problem: the audit regime was pricing small, fast, innovative shops out of the defense industrial base, and those are the shops a lot of our edge comes from. We have to be faster to market and faster to readiness in this country. Cutting that friction moves us the right way.

Let’s be clear about what changed here. The requirements and the controls are very much the same. It’s the validation part that changed. DoD isn’t saying don’t have controls. It’s saying self-attest and let’s focus on protecting the country. That’s a reasonable trade. But here’s the catch: the audits existed for a reason. Sadly, in my experience over my career a lot of these companies skirt the rules, and that’s exactly why third-party validation showed up in the first place. Suspending the audit doesn’t suspend the threat, and it doesn’t change the legal obligation to protect controlled unclassified information. The bar is the same. Only the person checking your homework went away. If self-attestation turns into a checkbox, we’ve traded a slow process for a fast lie, and the breach will cost way more than any audit would.

Truth is, we shouldn’t need most of these audits in the first place. If a company did what it said it did, there’d be nothing for an assessor to find. So put the accountability where it belongs, on the people who sign the contract. Phase I already makes a senior official affirm compliance every year. Give that affirmation teeth. If you’re a decision maker or a board member and your company takes DoD money while cutting corners on security, that should land on you personally. And if an org lies about its readiness to win a federal contract, the penalty should be steep. Misrepresenting your security posture to grab DoD dollars isn’t a paperwork slip. It puts the whole country at risk, and it should carry consequences serious enough that no board would ever treat it as a gamble worth taking. Personal accountability scales in a way audits never will, and it costs a fraction as much.”

Ned Butler, Manager, CMMC Services and Lead Assessor, Redspin: 

Ned Butler 1

“Much of the industry’s reaction to this pause conflates two very different costs. DFARS 252.204-7012 is what requires contractors to implement NIST SP 800-171 and that implementation is where the real costs are. CMMC (32 CFR §170) only validates that the work was done. Assessment costs under CMMC are actually in line with, or lower than, other certification regimes like PCI, HITRUST, or ISO. When contractors complain about the high cost of “CMMC compliance,” they are usually describing the cost of doing what DFARS 252.204-7012 already required them to do in the first place which, if it’s expensive to catch up on now, suggests they weren’t fully there to begin with.

That said, there are real structural problems worth fixing during this review. Requiring full recertification after every merger or acquisition is an unreasonable burden. Contractors should be able to leverage their own assessed change-management practices to handle these transitions, saving a full reassessment for the next triennial cycle, or DoW should build a lightweight “delta” assessment for material changes instead. There’s also a persistent, unresolved problem with identifying what is actually CUI. Program offices, prime contractors, and subcontractors all struggle with basic questions like when a derivative technical drawing stops being CUI, or who in the supply chain genuinely needs to receive, store, process, or transmit it. Flowing down 7012 requirements uniformly to subcontractors who never touch CUI just adds cost and headaches without adding protection. 

That scoping problem is also the root of the capacity crisis DoW cited in pausing Phase II. DoW’s own estimate was that 76,598 entities would need Level 2 C3PAO certification (a number the assessment ecosystem was never going to keep pace with) even accounting for capacity growth. I’d argue the right fix isn’t to weaken third-party assessment, but to shrink its scope dramatically, e.g., down to a target range of roughly 15,000 to 20,000 entities, prioritizing contractors that handle genuinely sensitive CUI or work on critical programs. Getting there requires primes and program offices to be far more disciplined about who actually needs CUI disseminated to them in the first place. A tighter scope would also force the process improvements above, because it removes the volume pressure that’s currently driving DoW toward shortcuts.”

Robert Teague, VP of CMMC Services and Lead CCA, Redspin:

Teague Robert

“Redspin has supported almost 200 CMMC assessments across the Defense Industrial Base as a C3PAO, MSS, or readiness consultant giving us direct insight into where the program is working, and where the Department has an opportunity to improve it during this review.

[…]

Small and mid-sized contractors are already succeeding. Of the nearly 150 CMMC assessments Redspin conducted, 79 were for organizations with fewer than 600 employees, and several have already completed successful recertifications. The narrative that CMMC is unattainable for small businesses is not reflected in our assessment experience.

The “only 100 assessors” narrative is inaccurate. There are now 107 Authorized C3PAOs, over 590 Lead Certified CMMC Assessors (LCCAs), more than 1,000 Certified CMMC Assessors (CCAs), and nearly 2,000 Certified CMMC Professionals (CCPs). A more significant constraint is the Tier 3 background investigation required for assessors, which can take six months or longer and delays qualified personnel from performing assessments.

Assessment staffing requirements drive up cost — 32 CFR Part 170 requires C3PAOs to staff assessment teams with a fixed mix of Lead CCAs and CCAs, increasing costs for contractors regardless of the size or complexity of the organization being assessed. Allowing C3PAOs to scale teams based on assessment scope, and permitting CCPs to fill appropriate assessment roles, could reduce costs without compromising assessment quality.”

Chetrice Romero, Senior Cybersecurity Advisor, Ice Miller:

Chetrice Romero

“As the Department of War continues implementing the Cybersecurity Maturity Model Certification (CMMC), much of the conversation has centered on assessment requirements, technical controls, and certification timelines. Those are certainly important. But the organizations that will be most successful are the ones that recognize CMMC is not simply another compliance exercise. At its core, CMMC is about building organizational resilience. Many of the required practices, from incident response planning and testing to workforce training and recovery planning, are capabilities every organization should already be investing in regardless of regulation. As emerging technologies like artificial intelligence continue to accelerate both innovation and cyber threats, resilience has become a business imperative, not just a compliance requirement.

For organizations just beginning their CMMC journey, my advice is simple: don’t start with the controls. Start with your business. Understand where your Controlled Unclassified Information (CUI) resides, how your organization operates, what your greatest risks are, and where you stand today. From there, build a strategic roadmap that prioritizes the highest risks and aligns compliance efforts with business operations. Organizations that take the time to develop a thoughtful strategy almost always reach certification more efficiently, with less disruption, and with a stronger security posture than those rushing to implement disconnected requirements simply to “check the box.”

[…]

[While] many organizations understandably view CMMC as a technology initiative, I believe its long-term success depends far more on people than products. Policies only matter if they are understood and followed. Incident response plans only matter if they have been exercised. Security awareness training only matters if it changes behavior. Technology is an essential enabler, but resilience is built through leadership, culture, preparation, and practice. Organizations that embrace CMMC as an opportunity to strengthen those fundamentals will discover that compliance is simply the byproduct of becoming a more resilient organization, one that is better prepared for whatever challenge comes next.”

Emil Sayegh, CEO, CyberSheath:

Emil Sayegh

“It’s important for defense contractors to understand that the Pentagon didn’t repeal a law with a press conference. While third-party CMMC assessments are paused during the 60-day review, the underlying cybersecurity obligations have not changed. NIST SP 800-171, DFARS requirements and truthful SPRS reporting remain in effect. Contractors are still responsible for implementing the required security controls and accurately representing their cybersecurity posture.

The Department of Justice’s Civil Cyber-Fraud Initiative and the False Claims Act are still active, and contractors are still on the hook for what they attest to. Without a C3PAO in the loop, a government investigation can become the moment of truth. If a contractor claimed 110 controls were in place, and a forensic review says otherwise, that gap has serious financial and reputational consequences. The same principle applies to an investigation that happens after a breach. Self-attestation without verification simply moves the reckoning later in the process.

The timing is also worth noting. The same week this suspension was announced, agencies across 14 countries issued a joint advisory warning about state-sponsored actors targeting critical infrastructure and defense supply chains. While the Department reviews the implementation of third-party assessments, the broader threat landscape will continue to evolve, raising important questions about how best to strengthen confidence in the cybersecurity of organizations entrusted with Controlled Unclassified Information (CUI).”

Frank Balonis, Field CISO, Kiteworks:

frank balonis

“CMMC Phase II being paused doesn’t touch the reason it existed in the first place. Controlled unclassified information still needs to be protected, and DFARS 252.204 7012 hasn’t gone anywhere; the safeguarding clause is still sitting in every affected contract […].

What’s actually changed is narrower and, in some ways, sharper than people are giving it credit for: self attestation is no longer checked by a third party before it becomes something the government can hold you to. For the length of this review, your SPRS score is the verification mechanism. There’s no C3PAO between what you submit and what a Department of Justice attorney can cite under the Civil Cyber Fraud Initiative if that score turns out to be wrong. That’s not a lighter compliance burden; it’s the same legal exposure with one fewer checkpoint standing between an inflated self assessment and a qui tam suit.

I’d argue this raises the bar rather than lowering it. Every access control, audit log, and encryption standard you can actually demonstrate today is what turns a self assessed SPRS score from a number on a form into something defensible. A C3PAO wasn’t the only thing standing behind that score; the controls themselves were always supposed to be the substance, and the assessment was just the check. Suspending the check doesn’t suspend the standard. It just means the first person to test whether your controls match your attestation might now be a prosecutor instead of an assessor, and that’s a conversation you want to be ready for on your terms, not on a compressed timeline once the review ends.

The contractors who treat this 60 day window as a chance to close technical gaps (tightening access controls, hardening audit logging, verifying encryption actually matches what’s written in the SSP) are going to be in a fundamentally stronger position than the ones who read “suspended” as “optional”.”

Michael G. Gruden, Partner, Head of Cybersecurity & Incident Response, Steptoe:

gruden michael

“Secretary Hegseth’s decision to figuratively pump the brakes on Phase 2 reflects the reality that a significant portion of the defense industrial base was not prepared for the rigor of a formal C3PAO assessment. An independent certification assessment is substantially more demanding than a self-assessment, even though the underlying requirements themselves have not materially changed. The suspension highlights an ongoing tension between cybersecurity expectations and the financial and operational burdens many contractors face in implementing required controls. While those challenges are real, the fundamental objective of CMMC—to improve protection of CUI and other sensitive defense information throughout the supply chain—remains as important as ever. There is a balance to be struck between reducing compliance burdens and ensuring that government regulated data is adequately protected in support of national security and mission objectives.

[…]

Rather than slowing compliance efforts, contractors should use this period to strengthen their readiness. A critical first step is accurately identifying CUI, determining where it resides within the enterprise, and properly scoping the systems that store, process, or transmit that information. Attorney-client privileged readiness assessments conducted under the direction of outside cybersecurity counsel can provide organizations with a realistic understanding of their compliance posture while helping identify gaps and prioritize remediation efforts in a legally protected manner. These assessments can also help companies implement technical and administrative controls in a way that is more likely to be viewed as sufficient by the DoD. The certification requirement may be paused, but cybersecurity compliance is not. Contractors that use this window to improve CUI governance, validate self-assessments, and prepare for future certification requirements will be far better positioned when the next phase of CMMC implementation resumes.”

Kate M. Growley, Partner, Crowell & Moring:

Growley Kate

“The DoW’s suspension of CMMC’s Phase II rollout does not fundamentally change what it expects of its contractors.  Those who were preparing for now-paused C3PAO assessments were almost certainly already subject to contract terms similar to but separate from those driving CMMC.  These pre-existing terms already required the implementation of NIST SP 800-171 and the submission of self-assessed scores to the DoW’s Supplier Performance Risk System (hence the oft-cited term “SPRS scores”).  The difference is that these terms do not define a clear timeline for when contractors must have a “perfect” NIST implementation score.  But recent government investigations into contractors attempting to comply with these terms suggest that the timeline to perfection cannot be indefinite. 

[…]

The suspension of C3PAO assessments alleviates some of the immediate resource needs around the perceived “audit theatre” of C3PAO assessments.  Contractors expended tremendous effort to prepare for every possible example of assessor discretion to ensure they would pass, often going far beyond what they reasonably felt was sufficient.  At least for now, contractors can redirect those resources to meaningfully closing implementation gaps – because the requirement to do so has likely already been sitting in their contracts, just not with the same clear deadline that CMMC Phase II provided.”

Tyler Fordham, Director of Offensive Security, Dark Wolf:

Tyler Dark Wolf

“The Pentagon is right to pause CMMC to cut red tape, but reverting to paper-based self-attestations is not the answer. The future of DIB security lies in technical security validation; penetration testing and red teaming to emulate adversaries, machine-readable compliance (like OSCAL) and automated validation of Infrastructure-as-Code (IaC). By automating compliance checks, the DoW can verify security at scale without forcing small businesses to pay exorbitant fees to manual compliance gatekeepers. 

However, reducing administrative burden cannot come at the expense of meaningful oversight. While the pause relieves administrative pressure, the DoD must ensure it doesn’t create a security vacuum. Self-attestation without a robust, randomized government audit mechanism has historically failed to protect sensitive information. Whatever replaces third-party assessments must include active enforcement to preserve trust in the system. 

Contractors also need predictability. The sudden suspension of CMMC milestones penalizes the forward-leaning companies that invested heavily in compliance early on, while rewarding those that lagged. The DoW’s 60-day review must establish a durable, transparent framework that protects national security and the economic viability of small defense contractors.”

Austin Berglas, Global Head of Professional Services, BlueVoyant:

AustinBerglas headshot

“The requirement to remain compliant with NIST 800-171 is not new. While NIST defines the “what”, CMMC provides the “how,” or the formal process to verify those controls. Organizations that have invested time and resources preparing for Phase 2 are doing exactly what all Defense Industrial Base (DIB) companies should have been doing already. Compliance is a continuous process, not a one-time effort. While compliant companies will always have an edge in winning RFPs and new contracts, the ground truth is that protecting our country’s sensitive information is a requirement; those not properly prepared to receive, store, and process this information should not be permitted to do so.

With the pause of the CMMC roll-out, there is a potential rise in violations of the False Claims Act if companies treat this as an opportunity to reduce their security posture and enter incorrect or inflated scores into the Supplier Performance Risk System (SPRS). It is imperative that DIB organizations remain compliant. Third-party certification is the only way to drive meaningful change; if the DoW wants to lessen the financial burden for small and medium-sized companies, the answer lies in government-sponsored incentives, not the reduction of standards.

Uncertainty is never good for business. While nobody knows what the reformed program will require or if CMMC might be cancelled entirely, the requirement to be compliant with Phase 1, conduct self-assessments, submit accurate scores into SPRS, and provide annual affirmations remains unchanged.”

Related: Industry Reactions to New Trump AI Cybersecurity Executive Order: Feedback Friday

Related: Industry Reactions to Claude Fable 5: Feedback Friday


Source:

www.securityweek.com