Overview
- The department ordered an immediate halt to third-party assessments required under CMMC Phase II and instructed program managers to amend active solicitations and contracts.
- During the 60-day review the Pentagon said contractors must continue to meet baseline cyber hygiene using NIST SP 800-171 Rev 2 self-assessments rather than external audits.
- Officials cited a severe capacity gap between more than 100,000 defense suppliers that need assessments and roughly 100 qualified third-party assessors as a key reason for the suspension.
- Pentagon leaders said the move aims to cut administrative costs and speed weapons delivery without removing legal obligations to protect federal data.
- CMMC began in 2019 and was redesigned as CMMC 2.0 in 2021; the task force will gather industry feedback and deliver recommended changes within 60 days.