
DoD kicks off nationwide listening tour to reshape CMMC rules
The DoD is reviewing the Cybersecurity Maturity Model Certification (CMMC) program and has suspended third-party assessments to reduce burdens on small defense contractors. It will hold nationwide listening sessions, gather 60 days of feedback, and issue a final report with recommendations by late September; the review could overhaul or tweak CMMC 2.0, possibly via interim rules. The department cites cost and assessor capacity as barriers; self-assessments remain allowed, while DIBCAC/NSA/DC3 services cover only part of the required NIST controls, and there are about 1,000 certified assessors versus a projected 2,000–3,000 needed.