www.securityweek.com 7/17/2026, 11:11:35 AM · external

Pentagon halts CMMC third party audits citing scalability, cost

Pentagon halts CMMC third party audits citing scalability, cost
CyberSIXT Evidence Panel Source marked as original reporting

THE Pentagon has temporarily suspended the mandatory third-party assessments for CMMC Phase 2 due to concerns about the scalability of the assessor ecosystem and high compliance costs affecting small and mid-sized defense contractors. The CMMC Reform Task Force has been tasked with reviewing the program for 60 days and will submit recommendations. Although this pause affects third-party audits, the underlying self-assessment obligations remain in place.

Industry experts express mixed reactions to the suspension, voicing worries about legal liabilities related to self-attestation and the need for robust cybersecurity practices. They emphasize that compliance with existing DFARS requirements and the protection of controlled unclassified information are still crucial.

The overarching sentiment is a call for improved accountability and a reassessment of the compliance process to ensure that cybersecurity standards are both achievable for smaller entities and effective for national security.

View full article

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline