Pentagon announces ‘immediate suspension’ of CMMC Phase II mandates
Top Pentagon officials said as currently executed, CMMC is too prohibitively burdensome on the Defense Industrial Base.
Top Pentagon officials said as currently executed, CMMC is too prohibitively burdensome on the Defense Industrial Base.
"I don't need China, Russia, Iran, Afghanistan, North Korea, knowing any more about us than they already do," Katie Arrington, who is performing the duties of the DoD CIO, said.
Drawing on Breaking Defense's TechNet Cyber 2026 coverage, this eBook examines how the Pentagon is advancing AI, cybersecurity, and cyber strategy to strengthen the future force.
“The CMMC certification will be proof — trust, verify that those companies have the cyber posture needed to secure the data that is critical to national security, like on programs like the F-47,” Katie Arrington, who is performing the duties of the DoD CIO told Breaking Defense.
2025 may be a telling year for the fate of the Pentagon's new CMMC 2.0 program.
Even for a political party that campaigns on cutting regulations, Pentagon and industry figures say the next Republican administration will likely weigh security over deregulation.
Beginning as a $26 million, two-year pilot project, the NCODE enclave will offer CMMC-compliant “cybersecurity as a service” for smaller firms that can’t protect themselves against advanced threats, said Army Undersecretary Gabe Camarillo.
CMMC 2.0 introduced a third-party assessment dependent on contractor's CUI capacity.
"We have a really a kind of crisis of cybersecurity or lack of within the defense industrial base," CyberSheath CEO Eric Noonan told Breaking Defense.
The new proposal includes new requirements for contracting officers, ensuring that parties bidding on Pentagon contracts are properly protecting sensitive information.
In this op-ed, William Greenwalt of the American Enterprise Institute lays out reasons why the DoD and Congress should move away from CMMC 2.0.
“We are moving forward, we're hoping by the first quarter of calendar year [2025] we'll be able to start enforcing this and putting this in contracts," Dave McKeown, Deputy CIO for the DoD, said.
At its most basic level, under CMMC 2.0, defense contractors and subcontractors that have access to controlled unclassified information (CUI) will be required to demonstrate the “maturity” of their cybersecurity programs against a set of increasingly advanced capabilities.
"In my mind, these are some of these avenues that we're looking at at an idea phase now to see if we can put resources behind it," said Robert Vietmeyer, director for cloud and software modernization.
“For instance, in the CMMC realm, rather than go out and assess each and every network of our industry partners, I’m kind of keen on establishing some sort of cloud services [...]” said David McKeown, DoD deputy chief information officer and senior information security officer