Pentagon freezes defence cyber audits over capacity crunch
The US Department of Defense has suspended its flagship cybersecurity audit requirement for contractors, a move that removes a major compliance burden for transatlantic suppliers but raises fresh doubts about the security of the American defence supply chain.
The Pentagon has suspended Phase 2 of its Cybersecurity Maturity Model Certification programme, abruptly halting a major regulatory shift. The requirements, which were due to take effect on 10 November, are now frozen alongside all other pending CMMC milestones.
The regulation would have forced contractors handling sensitive but unclassified information to pass an independent third-party audit. For European firms operating within the American defence supply chain, this sudden freeze prevents billions in anticipated compliance costs but leaves them operating under a weakened self-assessment regime.
The suspension stems from a fundamental capacity failure. “So the math just simply doesn’t math,” said Kirsten Davies, the Pentagon’s chief information officer, pointing to roughly 100 accredited assessors trying to service more than 100,000 companies.
A July 13 memo signed by Davies described the programme as a “compliance checklist” that is “structurally incompatible” with expanding the supplier base. Data from the Small Business Administration indicated the later phases could cost small and medium-sized enterprises over $7bn annually, forcing innovative firms to abandon defence contracts.
SBA administrator Kelly Loeffler noted that certification had become an untenable barrier for “mission-critical small businesses.” Davies sought to reassure companies that had already spent heavily preparing for the now-evaporated deadline. “Every dollar spent on security is a wise dollar spent,” she said. “We are not reducing cybersecurity through this measure. We are reducing the red tape.”
During the suspension, compliance will revert to Phase 1 self-assessments and selected government checks against existing standards. This returns the system to the honour-based approach that inspector general reports found contractors routinely ignored. The Government Accountability Office had previously warned the strict rules would drive smaller suppliers out of the market entirely.
A newly created CMMC Reform Task Force now has 60 days to review the programme, with a report due in mid-September. Michael Duffey, the under secretary for acquisition and sustainment, declined to rule out scrapping the framework entirely. For European investors and defence partners, the pause signals ongoing instability in US procurement rules, where cybersecurity enforcement remains secondary to keeping the supplier pool intact.