Pentagon pauses cyber audit rule blamed for supplier exits

By
Follow google news

Suspends next ⁠phase of cyber security certification program.

The Pentagon is suspending ⁠the next ⁠phase of a cyber security certification program for defence contractors, backing off a compliance requirement that industry executives had warned was pushing small suppliers out of military work ‌and narrowing competition in the defence supply ‌chain.

Pentagon pauses cyber audit rule blamed for supplier exits

The ‌Defense Department's long-delayed US Cybersecurity Maturity ‌Model Certification began in November 2025 ⁠and aims to protect sensitive information, known as controlled unclassified information.

The Phase 2 rollout of the Cybersecurity Maturity Model Certification, which was to take effect on November ​10 of this year, will be paused immediately, the department said.

Program offices will for now ⁠require only Level 1 or Level 2 self-assessments rather than the third-party audits Phase 2 would have mandated.

The move follows months of complaints from small and mid-sized aerospace and defence suppliers, some of whom told Reuters earlier this year that compliance costs were running into the hundreds of thousands of dollars.

They said this, combined with long ​waits for third-party audits, was prompting ⁠them to reconsider defence work altogether. 

Industry lawyers ⁠had also warned the rules risked squeezing out lower-tier suppliers and complicating business ​for international companies juggling competing data-privacy standards.

Pentagon CIO Kirsten Davies ⁠said the suspension responds to those pressures.

The Pentagon said in a statement that "CMMC compliance is forcing innovative companies out of the Defense Industrial ‌Base," and that the department would launch a 60-day review.

Pentagon Under Secretary of War for Acquisition and Sustainment Michael Duffey tied the decision to the department's push to ​speed weapons production, saying the change would remove "paralysing costs" while keeping "innovators and competition growing in the defence supply chain."

A newly formed CMMC Reform Task ‌Force will ⁠draw on industry feedback ​collected through a public request for information and deliver recommendations within 60 days.

Add iTnews as your trusted source

Got a news tip for our journalists? Share it with us anonymously here.
Tags:

Most Read Articles

Services Australia describes fraud, debt-related machine learning use cases

Services Australia describes fraud, debt-related machine learning use cases

JB Hi-Fi Group finds new cyber security leader

JB Hi-Fi Group finds new cyber security leader

Toll Group puts third-party risk at centre of AI-era data security

Toll Group puts third-party risk at centre of AI-era data security

How Monash University is tackling the AI-driven app security gap

How Monash University is tackling the AI-driven app security gap

Log In

  |  Forgot your password?