Particle.news

Pentagon Suspends CMMC Phase II Third-Party Audit Mandates

A 60-day Pentagon review to rewrite CMMC will rely on NIST SP 800-171 self-assessments to preserve baseline cybersecurity.

Overview

  • The department ordered an immediate halt to third-party assessments required under CMMC Phase II and instructed program managers to amend active solicitations and contracts.
  • During the 60-day review the Pentagon said contractors must continue to meet baseline cyber hygiene using NIST SP 800-171 Rev 2 self-assessments rather than external audits.
  • Officials cited a severe capacity gap between more than 100,000 defense suppliers that need assessments and roughly 100 qualified third-party assessors as a key reason for the suspension.
  • Pentagon leaders said the move aims to cut administrative costs and speed weapons delivery without removing legal obligations to protect federal data.
  • CMMC began in 2019 and was redesigned as CMMC 2.0 in 2021; the task force will gather industry feedback and deliver recommended changes within 60 days.