Governance, Risk and Compliance, Industry Regulations, Government Regulations, MSSP, MSP

The CMMC 60-day pause: A strategic reset or something much bigger?

COMMENTARY: The CMMC 60-day pause is one thing, but the real driver here appears to be cost, duplication, and the burden on smaller suppliers. That opens the door to a much broader rethink of how cybersecurity assurance works across the defense supply chain. CMMC could come back largely intact, or the Department could change the assessment model and the evidence contractors are expected to provide. Either way, the next 60 days could reshape what contractors, MSPs, and MSSPs are actually preparing for.


CMMC is back in the headlines.

On 13 July, the Department of War (DoW) announced the immediate suspension of Phase II Cybersecurity Maturity Model Certification (CMMC) third-party assessment requirements for an initial 60-day period. At the same time, DoW Chief Information Officer Kirsten Davies announced the formation of a CMMC Reform Task Force alongside a Request for Information (RFI) to gather direct feedback from industry.

The announcement has been widely reported as a delay.

It may prove to be considerably more significant than that.

But before considering what this means, it is worth remembering why CMMC exists in the first place.

For years, the Department relied largely on contractor self-attestation against NIST SP 800-171 to protect Controlled Unclassified Information (CUI). While many organizations invested heavily in cybersecurity, self-certification provided little assurance that required controls had actually been implemented consistently across the Defence Industrial Base (DIB).

CMMC was designed to close that assurance gap. Rather than relying on organizations declaring they met the standard, the framework introduced independent verification through accredited third-party assessments. The objective was straightforward: improve confidence that contractors handling sensitive defence information could demonstrate, rather than simply claim, that appropriate security controls were operating effectively.

That objective has not changed.

The Department has made it clear that robust cybersecurity and operational resilience remain non-negotiable priorities. Phase I self-assessment requirements remain in place. Enforcement of NIST SP 800-171 Rev. 2 continues. DFARS obligations to safeguard covered defence information have not changed.

The threat landscape certainly hasn't paused.

For MSPs, MSSPs, and their clients, the immediate practical implications are therefore relatively limited. This is a 60-day pause, not the cancellation of CMMC. Organizations should resist the temptation to interpret the announcement as a compliance holiday. The requirement to protect Controlled Unclassified Information remains exactly where it was before the announcement.

The more interesting question is why the Department felt compelled to pause implementation at all. And the obvious explanation is that this simply gives organizations more time to catch up before mandatory third-party assessments resume.

That may be true.

However, the Department's own announcement suggests something far more significant may be taking place.

Rather than criticizing cybersecurity itself, the Department criticizes the way cybersecurity assurance is being delivered. It points to prohibitive costs, duplicated administrative effort, and compliance processes that are discouraging small, medium-sized, and non-traditional suppliers from participating in the Defence Industrial Base. According to the Department, some innovative companies are now choosing between investing in bureaucracy or leaving the defence sector altogether.

That is a remarkable admission. And one that raises an uncomfortable question.

Has CMMC become so difficult and expensive to implement that the assurance process is beginning to undermine the capability it was originally designed to protect?

There is an important distinction between cybersecurity and compliance.

Cybersecurity reduces risk. Compliance demonstrates that risk has been reduced.

Those objectives should reinforce one another. Yet every mature assurance framework carries the same danger. Guidance expands. Assessment expectations evolve. Documentation grows. Evidence requirements multiply. Gradually, organizations can find themselves devoting more effort to proving they are secure than strengthening the security controls themselves.

When that happens, compliance becomes an end in itself.

If suppliers are spending disproportionate time preparing evidence for assessors rather than improving their operational resilience, something has gone wrong. If innovative businesses conclude that the compliance burden outweighs the commercial opportunity of participating in defence programs, the Department loses capability, competition, and innovation. That is no longer simply a cybersecurity issue. It becomes an acquisition, industrial policy, and national resilience issue.

Whether this pause is intended to help organizations catch up, support Secretary Hegseth's wider acquisition reforms, or fundamentally rethink the balance between assurance and bureaucracy remains to be seen.

What is already clear, however, is that the Department itself now appears willing to question whether the current implementation of CMMC is delivering the outcome it originally set out to achieve. This is why the creation of the CMMC Reform Task Force may prove to be the most important part of the announcement.

Departments do not establish reform task forces simply to make cosmetic adjustments. They do so because they believe fundamental questions need answering.

That inevitably leads to another question. Is this the end of CMMC as we know it?

Perhaps. Perhaps not.

At this stage, nobody outside the Department knows.

The announcement establishes a CMMC Reform Task Force and promises a top-to-bottom review over the next 60 days, but beyond that, very little has been disclosed. There are no published Terms of Reference. We do not yet know the Task Force's membership, the scope of its review, how success will be measured, or what options are genuinely under consideration. Is the objective to simplify CMMC? Reduce the cost of certification? Change the assessment model? Introduce a more risk-based approach? Or fundamentally redesign the framework altogether?

Does this mean the revival of self-assessment?

Right now, nobody can answer those questions with any confidence.

What we do know is that the Department has publicly acknowledged something many organizations have quietly argued for years: assurance mechanisms can become so administratively burdensome that they begin working against the operational outcomes they were designed to achieve.

That is a significant admission. It suggests this review is not simply about reducing paperwork. It is about asking whether the current balance between assurance, compliance, and operational capability is still the right one.

If that is the question, then every assumption underpinning today's CMMC framework is potentially open for challenge.

That makes the next 60 days worth watching closely.

For MSPs and MSSPs, however, the advice to clients should remain unchanged. Continue implementing sound cybersecurity practices. Continue working towards compliance. Continue protecting Controlled Unclassified Information. Existing contractual obligations remain. NIST SP 800-171 Rev. 2 remains in force. DFARS requirements have not changed. The threat has not paused simply because the programme has.

The biggest story may not be that CMMC has been paused. It may be that the Department is reconsidering what effective cybersecurity assurance should look like across the Defence Industrial Base.

If that proves to be the case, the CMMC that emerges from this review may bear little resemblance to the framework the industry has spent years preparing for.


MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff. Do you have a unique perspective you want to share? Check out our guidelines here and send a pitch to [email protected].

Brian Couzens

Brian Couzens is the Founder and CEO of SITG-Consulting.

You can skip this ad in 5 seconds