
Pentagon halts Phase II CMMC audits to cut red tape for defense firms
The DoD is pausing Phase II CMMC requirements, including third-party assessments, to reduce burdens on small and nontraditional defense firms while preserving baseline cybersecurity under NIST SP 800-171 Rev 2 via self-assessments. A 60-day task force will review CMMC and propose practical reforms to speed capability delivery and lower entry barriers; contractors must still protect federal data and current solicitations will be amended accordingly.