The Pentagon
Defence contractors must still meet strict NIST security standards while a Pentagon task force reviews the programme's future U.S. Air Force Staff Sgt. Brittany A. Chase/Wikimedia

The Pentagon suspended its Cybersecurity Maturity Model Certification (CMMC) Phase II audit mandate on 13 July, freeing more than 120,000 small US defence contractors from third-party assessments that federal analysis priced at up to $593,800 (£444,000) each.

The Department of War halted the requirements immediately, nearly four months before their 10 November 2026 start date, along with all pending and future CMMC milestones across its solicitations and contracts. Chief Information Officer Kirsten Davies ordered a 60-day study of the programme's future.

The department said compliance costs were forcing innovative companies out of the Defense Industrial Base and delaying the delivery of critical capabilities to warfighters. The programme, launched during the first Trump administration and reworked under President Biden, was built to verify that contractors protect sensitive but unclassified federal data.

Why the Maths Killed the Mandate

Small Business Administration (SBA) analysis found Phase II would have pushed those firms through a certification pipeline supported by only about 100 approved assessors. The agency estimated compliance costs of roughly $593,800 per certification for companies needing third-party assessment and about $388,600 (£291,000) for those eligible to self-assess.

SBA Administrator Kelly Loeffler said compliance had become 'an untenable barrier' pushing mission-critical small businesses out of defence work. The agency warned that forcing certifications through so few assessors would have inflated costs, delayed awards, and locked qualified suppliers out of defence contracting altogether.

What Changes and What Does Not

'In support of Secretary Pete Hegseth's directive to reduce compliance barriers for small and medium-sized businesses, we are today suspending the CMMC Phase II requirements and initiating a 60-day study of the future of this program,' Davies said.

Undersecretary of War for Acquisition and Sustainment Michael Duffey told reporters the department is halting complex audits, stopping the third-party assessor requirement, and cleaning up active solicitations immediately.

Officials stressed that security standards are not being relaxed. Phase I self-assessments remain in force, and contractors must still meet National Institute of Standards and Technology (NIST) SP 800-171 requirements while safeguarding covered defence information under Defence Federal Acquisition Regulation Supplement clause 252.204-7012.

Phase III requirements scheduled for November 2027 are suspended as well.

The Money Already Sunk Into Audit Prep

For the family-owned machine shops, welders, and software suppliers that anchor the defence supply chain, the pause lands after months or years of spending on consultants, gap assessments, and mock audits for certifications that may never be required.

Some firms had already abandoned defence work rather than shoulder the costs, according to SBA reports cited by the department.

A new CMMC Reform Task Force will now examine that burden directly, and a public request for information asks contractors to detail their cost drivers. Responses are due 14 August.

The Legal Trap That Has Not Gone Away

Law firm Crowell & Moring cautioned that the Department of Justice continues to pursue cybersecurity noncompliance under the False Claims Act through its Civil Cyber-Fraud Initiative, and could widen that focus to false or inaccurate CMMC Phase I self-assessments. Owners who overstate their security scores now, believing the audit era is over, could still face federal enforcement years later.

For the small firms whose contracts, payrolls, and local jobs hinged on passing an audit gate the maths made impossible, the next 60 days will decide whether the six-figure bill stays dodged for good.