DoD Suspends CMMC Phase 2 Rollout: What Contractors Need to Know

The US Department of Defense (DoD) issued a memorandum yesterday directing immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase 2 roll-out, which previously was scheduled to go into effect November 10.

On

The suspension is attributed to furthering the Department’s goal of “maximizing acquisition flexibility through reduced regulations and process.”

Phase 2 of the CMMC roll-out involves CMMC Level 2 third-party assessments. Due to the suspension, procurement documents may only require a CMMC Level 1 or Level 2 (self) assessment — i.e., the status quo. Government program managers may not require Level 2 (C3PAO) or Level 3 (DIBCAC) assessments. 

The memo indicates that the CMMC effort is under a 60-day review with the Department, with further guidance expected at the conclusion of the review period in mid-September.

This suspension buys industry time while also creating uncertainty as to the potential range of outcomes following the review.

Contacts

Continue Reading