Nearly $600,000 to prove you can protect a government spreadsheet. That was the price tag the Small Business Administration put on CMMC compliance for small defense contractors who needed third-party certification. On July 13, the Pentagon pulled the plug on the requirement before it could take effect.
The Department of Defense announced the immediate suspension of the Cybersecurity Maturity Model Certification Phase II requirements, which were originally scheduled to come into effect on Nov. 10, 2026. The Pentagon is now launching a 60-day, “top-to-bottom” review of the certification program, according to a July 13 memo signed by DoD Chief Information Officer Kirsten Davies.
CMMC, or Cybersecurity Maturity Model Certification, is the Pentagon’s framework for verifying that contractors properly safeguard sensitive but unclassified government data. Phase I, which started in November 2025, required contractors to do their own self-assessments. Phase 2 would have forced companies to achieve CMMC Level 2 by passing an assessment from a Certified Third-Party Assessor Organization (C3PAO) in order to receive contract awards.
The numbers that killed Phase II
SBA analysis estimates that total compliance costs can reach approximately $593,800 per CMMC certification for small firms requiring third-party assessment. If implemented on its planned launch date, CMMC Phase II would have required more than 120,000 small businesses in the defense industrial base to seek compliance through a cost-prohibitive system supported by only about 100 approved assessors.
DoD CIO Davies put it bluntly, noting there were “over 100,000 DIB businesses” that still needed third-party assessments and roughly 100 assessors available to do the work. “The math just simply doesn’t math,” she said.
SBA Administrator Kelly Loeffler backed the decision, stating that “cybersecurity cannot come at the cost of bureaucracy that shuts out the very companies our warfighters depend on.”
What stays in place, and what to do now
This is not a free pass. The information safeguarding requirements in DFARS 252.204-7012 remain in effect, as do the CMMC Level 1 and Level 2 self-assessment Phase I requirements. DoD contractors must continue to comply with NIST SP 800-171 Rev 2, cloud security requirements, and cyber incident reporting obligations.
DoD will continue to enforce cybersecurity compliance through self-assessments and select government-led assessments, focusing on “tangible cyber hygiene.” For active contracts that require CMMC Level 2 (C3PAO) or CMMC Level 3 status, DoD must modify the contracts to remove those requirements.
Small contractors should keep investing in their security posture at a sustainable pace. The underlying controls in NIST SP 800-171 are still required by contract, and prime contractors may continue demanding proof of compliance from their supply chains regardless of the federal pause.
Davies and Under Secretary Michael Duffey notably did not rule out the department completely cancelling the CMMC program altogether at the end of this pause and review period. The Reform Task Force will issue its final report within 60 days, and industry members interested in providing input can submit responses to the RFI by August 14, 2026. Whether the Pentagon rebuilds CMMC or replaces it with something lighter, small contractors who let their cybersecurity programs lapse during the pause risk being caught flat-footed when the next set of rules arrives. Respond to the RFI if you want a seat at the table.
