The Defense Department’s (DOD) suspension of the next phase of the Cybersecurity Maturity Model Certification (CMMC) program has divided cybersecurity experts over whether the pause should produce limited changes to third-party assessments or a broader shift in how the government measures cybersecurity.
Under the Trump administration, the DOD has been rebranded as the War Department.
The DOD chief information officer (CIO) announced on July 13 that the department is immediately suspending CMMC Phase 2 requirements, which had been scheduled to take effect Nov. 10, 2026. DOD plans to conduct a 60-day review of the CMMC program.
Cybersecurity experts told MeriTalk that the pause does not change contractors’ underlying security obligations, but they disagreed over whether the review should result in targeted changes to CMMC or a broader shift toward measuring security outcomes.
Underlying cybersecurity requirements remain in effect
Frank Balonis, field CISO at Kiteworks, said the pause “raises the bar” for controlled unclassified information (CUI) security rather than lowering it because it does not change CMMC’s core purpose: protecting CUI.
Balonis also warned that contractors who treat this suspension as a chance to close technical gaps will be in a “fundamentally stronger position than the ones who read ‘suspended’ as ‘optional.’”
Bill Wright, head of government affairs at Everpure, said contractors should continue implementing underlying controls and “use this window to invest in modern data infrastructure that improves visibility, speeds recovery, and keeps mission-critical data secure and available.”
“CMMC was created in an era when data was treated as a byproduct of applications – something to store and retrieve when needed. Today, data is central to the defense mission itself,” he said. “That responsibility doesn’t pause because the program did.”
Patrick Perry, public sector field chief technology officer (CTO) for Zscaler, said the pause changes the certification process – not contractors’ cybersecurity obligations.
“Defense contractors are still responsible for safeguarding that information and maintaining the security controls required under their contracts. The paperwork paused. The threat continues,” Perry added.
Felipe Fernandez, CTO for Fortinet Federal, said accelerating technology acquisition should not come at the expense of cybersecurity.
“While the CMMC Phase 2 timeline may have shifted, the need to protect CUI and strengthen the defense industrial base has not,” Fernandez said. “Organizations that continue investing in CMMC readiness today will be better positioned to support the DOD’s mission when implementation moves forward.”
Although contractors’ underlying cybersecurity obligations remain unchanged, Gary Barlet, public sector CTO for Illumio, said the decision creates uncertainty across the defense industrial base, with “many contractors making budget, staffing, and technology decisions based on the expectation that these requirements were moving forward.”
He warned that while suspending Phase 2 may provide temporary relief for some organizations, “cyber adversaries aren’t pausing their operations.”
“The danger is that organizations confuse regulatory relief with reduced risk,” Barlet said. “Compliance deadlines come and go; nation-state threats don’t. Defense contractors should continue building the visibility, segmentation, and containment capabilities needed to protect sensitive data regardless of what happens with CMMC timelines.”
Experts defend the value of third-party assessments
Austin Berglas, global head of professional services at BlueVoyant and a former assistant special agent in charge of the FBI’s New York Office Cyber Branch, said the pause may ease compliance pressures for small and mid-size businesses, but warned against weakening independent assessments.
In announcing the suspension, DOD CIO Kirsten Davies said that “the combination of prohibitive compliance costs, severe shortages in third-party assessment capacity, and complex regulatory timelines is actively forcing innovative new entrants and small businesses to opt out of [DOD] contracts and freezing critical suppliers out of the market.”
While the department is responsible for reducing the burden on these companies, reducing compliance requirements to address this cost burden is not the answer, Berglas said.
He does acknowledge that nobody knows what the reformed program will require, but emphasizes that these third-party certifications are the only way to get the DIB companies to change and comply.
He said if DOD wants to lessen the financial burden for small and medium-sized companies, “perhaps the answer is some government-sponsored incentives for compliance.”
Emil Sayegh, CEO of CyberSheath, made a similar case, arguing that through independent assessments, organizations often overestimate their cybersecurity readiness.
Drawing on CyberSheath’s annual DIB report, he said the company has found “a big delta between what is being reported internally and what their actual readiness is,” which he attributed to unfamiliarity with the standard rather than intentional misrepresentation.
Sayegh said potential changes to CMMC could include adjustments to verification requirements, deadlines, or applicability for certain organizations, but said, “It’s all in the realm of speculation at this point.”
He added that because CMMC requirements were codified into law, “there’s going to be modifications within … a pretty narrow margin,” and advised contractors to continue their cybersecurity strategy regardless of changes to the certification program.
Jared Shepard, CEO of Hypori, said the suspension pauses Phase 2’s third-party verification requirement – not contractors’ legal obligations. He warned that while the change may reduce the audit burden, it does not reduce legal exposure.
“Removing the external check doesn’t remove the underlying obligation. It removes the safety net of ‘at least a third party would have caught it before it became fraud,’” he said. “Reducing your CUI boundary is now more valuable, not less. In a self-attestation environment, being able to narrow what you even have to attest to is more valuable, not less.”
Others see an opening for a new approach
Tyler Fordham, director of offensive security at Dark Wolf, said the suspension could allow the department to rethink cybersecurity compliance without weakening security.
“A lot of what CMMC was driving from people was less actual functional security and more, ‘Well, how can we put on paper that we’re kind of doing this to meet the letter of the need,’” Fordham said.
Fordham said he hopes the review results in a more flexible compliance model that rewards measurable cybersecurity outcomes rather than paper-based documentation. He pointed to technical approaches such as penetration testing, continuous monitoring, logging, and Open Security Controls Assessment Language as ways to automate assessments and better align technical evidence with security controls.
Egon Rinderer, senior vice president of federal and enterprise growth at NinjaOne, estimated CMMC Phase 2 compliance to cost the average business about $600,000.
“This is completely untenable for many small businesses and has served as an insurmountable barrier for some time,” he said.
Rinderer said the review also presents an opportunity to rethink how CMMC measures cybersecurity effectiveness, arguing that future evaluations should focus on whether organizations are becoming more secure rather than simply meeting compliance requirements.
“As the program evolves, progress must be evaluated through the lens of measured outcomes to fairly assess impact and justify organizational spend,” he said.