THE Pentagon has temporarily suspended the mandatory third-party assessments for CMMC Phase 2 due to concerns about the scalability of the assessor ecosystem and high compliance costs affecting small and mid-sized defense contractors. The CMMC Reform Task Force has been tasked with reviewing the program for 60 days and will submit recommendations. Although this pause affects third-party audits, the underlying self-assessment obligations remain in place.
Industry experts express mixed reactions to the suspension, voicing worries about legal liabilities related to self-attestation and the need for robust cybersecurity practices. They emphasize that compliance with existing DFARS requirements and the protection of controlled unclassified information are still crucial.
The overarching sentiment is a call for improved accountability and a reassessment of the compliance process to ensure that cybersecurity standards are both achievable for smaller entities and effective for national security.