On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II requirements and launched a comprehensive review of the Cybersecurity Maturity Model Certification (CMMC) program. Phase I self-assessment requirements remain in place, but the Department has halted the November 2026 transition to mandatory third-party Level 2 certifications while it evaluates how CMMC aligns with the Secretary of War's Acquisition Transformation System (ATS) initiative [1].
For many organizations across the Defense Industrial Base (DIB), this announcement comes as a welcome and overdue correction.
The suspension should not be interpreted as a retreat from cybersecurity. On the contrary, it represents an opportunity to preserve the security objectives of CMMC while removing layers of unnecessary bureaucracy, excessive cost, and administrative overhead that have increasingly threatened the participation of innovative companies in the defense ecosystem.
What ATS Means for the Defense Industrial Base
The Acquisition Transformation System (ATS) is fundamentally about speed, flexibility, competition, and access to innovation. The broader acquisition reform effort emphasizes reducing barriers to entry, increasing use of commercial technologies, expanding participation from non-traditional suppliers, and accelerating capability delivery to the warfighter [2], [3].
This philosophy recognizes an uncomfortable reality: every compliance burden imposed on a contractor is a cost that ultimately affects innovation, competition, and mission execution.
The Department's announcement explicitly states that CMMC, while well-intentioned, has created "prohibitive compliance costs and bureaucratic burdens" and that reports indicate innovative companies have been leaving the DIB because of compliance requirements [1], [5].
The ATS framework is therefore asking an important question: can we maintain strong cybersecurity outcomes without forcing organizations through an expensive and highly centralized certification process? The answer should be yes.
The Problem Was Never the Controls
One of the greatest misconceptions surrounding the recent announcement is the assumption that suspending Phase II means abandoning cybersecurity standards. Nothing in the Department's announcement suggests that. In fact, the Department has reaffirmed its commitment to maintaining cybersecurity baselines through NIST SP 800-171 self-assessments and continued enforcement of existing DFARS cybersecurity obligations [6].
The issue was never the controls. Most cybersecurity professionals would agree that the NIST SP 800-171 security requirements remain a reasonable foundation for safeguarding Controlled Unclassified Information (CUI). The challenge was the mechanism used to validate those controls [6].
Over time, the certification process evolved into a highly structured and increasingly expensive ecosystem requiring a relatively small pool of approved assessors, specialized consulting support, extensive documentation exercises, and significant administrative overhead.
Many organizations found themselves spending more time preparing for the audit than improving actual security.
When compliance becomes the objective rather than security outcomes, the framework has drifted from its original purpose.
Why a Market-Driven Approach Is Better
A more effective model would focus on demonstrable security outcomes rather than rigid certification pathways.
The commercial market already contains numerous mature audit, attestation, and assurance mechanisms:
- SOC 2 audits
- MSP Verify reports
- Cyber Verify certifications
- CPA-led assurance engagements
- Government inspections and reviews
These mechanisms have operated successfully for years across highly regulated industries including finance, healthcare, insurance, telecommunications, and cloud computing [4].
Rather than creating a separate compliance universe, the Department should consider leveraging the broader ecosystem of existing assurance providers and frameworks.
Organizations should receive credit for controls that are already being evaluated through established audit programs.
If access control, vulnerability management, incident response, multifactor authentication, logging, or risk management controls are tested under another recognized framework, the evidence should be reusable wherever appropriate.
A company should not have to test the same control three or four times simply because multiple frameworks use different labels for substantially similar requirements.
Policy Recommendations for the Next Generation of Defense Cybersecurity
The Department's newly announced review creates an opportunity to modernize how cybersecurity assurance is conducted across the DIB.
1. Adopt a Flexible Audit and Testing Model
The government should focus on validating outcomes rather than prescribing a single assessment methodology.
Organizations should be allowed to demonstrate compliance through a variety of recognized audit mechanisms provided the required NIST controls are adequately tested and documented.
This approach encourages innovation while preserving security objectives.
2. Expand the Eligible Auditor Community
The current ecosystem relies heavily on a narrowly defined assessment community.
The Department should recognize a broader range of qualified professionals, including:
- Licensed CPA firms
- Accredited cybersecurity assessors
- Internal audit organizations
- Independent security consulting firms
- Existing certification bodies
- Sector-specific audit providers
The accounting profession, in particular, has decades of experience operating under strict independence requirements, peer review processes, quality standards, and regulatory oversight.
There is no compelling reason that cybersecurity assurance should be limited to a single auditor community when proven assurance mechanisms already exist.
3. Accept Reciprocal Testing Across Frameworks
A control should not need to be tested repeatedly simply because it appears in multiple standards.
Where NIST 800-171 or CMMC requirements overlap with controls evaluated as part of:
- SOC 2
- MSP Verify
- Cyber Verify
- Other recognized assurance frameworks
The Department should accept those results as evidence of compliance.
Reciprocity would dramatically reduce cost while encouraging organizations to invest in comprehensive security programs rather than framework-specific paperwork.
4. Encourage Continuous Assurance
The cybersecurity industry increasingly recognizes that annual point-in-time audits provide only limited assurance because organizations change continuously, threats evolve continuously, and controls drift continuously.
The future should emphasize continuous validation, ongoing monitoring, and recurring evidence collection rather than a once-every-three-year certification exercise.
This shift is already underway across the broader cybersecurity community, where assurance models are moving away from annual or periodic testing and toward continuous validation, ongoing monitoring, and recurring evidence collection. MSPAlliance is part of this broader movement, along with commercial assurance programs and compliance-as-a-service models that increasingly recognize continuous readiness as a more accurate measure of real-world security [7].
5. Preserve a Government Oversight Backstop
Flexibility should not mean a lack of accountability. The Department of War should retain authority to initiate a cybersecurity review, audit, or assessment of any DIB participant where significant risk indicators exist, national security concerns arise, contract performance issues emerge, or incident reporting suggests elevated risk.
This authority would function similarly to regulatory examinations in the financial sector.
Organizations would gain flexibility in how compliance is demonstrated, while the government maintains the ability to verify security where necessary.
Such a model balances innovation, accountability, and national security.
Conclusion
The suspension of CMMC Phase II is not a weakening of cybersecurity.
It is an acknowledgment that the previous implementation path may have become too costly, too complex, and too restrictive for the very companies America depends on to deliver innovation and capability to the warfighter.
The goals of CMMC remain sound: protecting CUI remains essential, strengthening cybersecurity across the DIB remains critical, and what should change is the method.
A modernized framework built around reciprocity, outcome-based testing, broader auditor participation, continuous assurance, and government oversight can achieve stronger security with less bureaucracy.
If ATS is truly about speed, competition, and capability, then cybersecurity compliance must evolve accordingly.
The ultimate objective should not be to create more auditors, more paperwork, or more certification bodies. The objective should be a more secure Defense Industrial Base, and that goal can be achieved without sacrificing innovation, competition, or common sense.
References
- Department of War. (2026, July 13). CMMC Phase II suspension and review of Cybersecurity Maturity Model Certification alignment with the Acquisition Transformation System. war.gov.
- Department of War. (n.d.). Acquisition Transformation System and defense acquisition reform materials. media.defense.gov.
- Department of War. (n.d.). Acquisition transformation anddefense industrial base policy materials . war.gov.
- U.S. Small Business Administration. (n.d.). Federal compliance burdens and small business participation in government contracting. sba.gov.
- National Defense Magazine. (n.d.). CMMC implementation, defense industrial base participation, and industry concernsregarding cost and compliance burden . nationaldefensemagazine.org.
- U.S. Department of Defense Chief Information Officer. (n.d.). Cybersecurity Maturity Model Certification and NIST SP 800-171 guidance. dodcio.defense.gov.
- MSPAlliance. (n.d.). CMMCwebinar materials: Continuous readiness, evidence collection, and compliance-as-a-service concepts [Internal presentation and briefing materials].
