The Pentagon has placed an immediate freeze on forthcoming cybersecurity requirements, suspending the Cybersecurity Maturity Model Certification (CMMC) Phase 2 requirements that were set to take effect Nov. 10. This decision comes after government research suggested the policy would drive many businesses out of the defense industrial base at a time when the U.S. military urgently needs their innovations, with further coverage provided by Defensescoop.The suspension of CMMC Phase 2 was announced by Defense Department Chief Information Officer Kirsten Davies and Under Secretary of Defense for Acquisition and Sustainment Michael Duffey. A new CMMC Reform Task Force will review the entire program and submit recommendations within 60 days. The Pentagon plans to release a request for information to gather stakeholder feedback. CMMC is a tiered cybersecurity framework requiring defense contractors to implement specific cyber controls. The program, established in 2019, faced backlash for its complexity and cost burden, particularly on small businesses.The Defense Department is currently enforcing cybersecurity compliance through NIST Special Publication 800-171 Revision 2. Officials stated this pause aims to keep companies in the defense industrial base and reduce red tape, not to reduce cybersecurity. Concerns about industry readiness, misconceptions, and the significant cost for small businesses to achieve compliance, estimated at over $7 billion annually, influenced this decision. A mismatch between the number of companies needing assessments and the limited number of approved assessors also contributed to the suspension.Source: Defensescoop
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




