Business US

DoD plans CMMC listening sessions as questions swirl around review

The Pentagon wants to move quickly with its review of the Cybersecurity Maturity Model Certification program, but plenty of questions swirl around what defense officials can do differently this time to balance compliance concerns for small businesses with the need to enforce cybersecurity requirements.

The CMMC review team met for the first time on Thursday, July 16, Defense Department Chief Information Officer Kirsten Davies told reporters that same day following a tour of the factory floor at Kform, a small defense manufacturer based in Sterling, Va.

Davies was joined on the tour by Small Business Administrator Kelly Loeffler and Under Secretary of Defense for Acquisition and Sustainment Michael Duffey.

Davies said small business considerations were central in the decision to suspend CMMC third-party assessment requirements and launch a “top-to-bottom” review of the program. The goal is to address cost and compliance concerns that Davies, Loeffler and Duffey said are creating barriers for smaller companies to compete for defense contracts.

]]>

“We took this action because data, including the reports from the Small Business Administration, makes one thing very clear: our planned compliance requirements progression was creating prohibitive costs and unacceptable burdens to the defense industrial base,” Davies said.

DoD has published a request for information on the CMMC review. And officials will also hold listening sessions across the country to get feedback from defense contractors, “especially the small businesses, and from the cybersecurity operators and executives who serve your companies,” Davies said.

“We want to hear back from the defense industrial base, we want to hear back even from Cyber [Accreditation Body], from the assessors themselves, to hear what their ideas are for how to again increase and uplift cybersecurity and operational resiliency, but also improve the speed, the innovation, and the delivery of the capabilities to the warfighters,” she said.

Davies said the review team has 60 days to gather feedback and review the program, then 15 days to provide a report with recommendations to herself and Duffey.

That timeline would see the CMMC review finalized by late September.

“We’re hoping shortly thereafter that we’ll be able to make that report public along with the recommendations,” Davies said.

During the review, DoD has suspended CMMC third-party assessment requirements that were on track to become standard in many defense contracts starting Nov. 10.

]]>

Davies and other officials over the past week have been highly critical of CMMC’s third-party assessment approach. She called CMMC assessments a “burdensome, red-tape ridden, check-the-box, point-in-time view of a company’s handling” of sensitive data.

But Davies did not say whether the review would get rid of third-party assessments altogether.

“It could include everything from an overhaul to small tweaks here and there,” she said. “But what we’re not going to do is death by a thousand cuts and just change for the sake of change. We are going to listen to what the defense industrial base has to say, especially small and innovative companies. And we are going to incorporate the voice of small companies to make sure that we are truly reducing barriers to entry for them to do business with [DoD].”

To support the ongoing suspension, Duffey issued a memo directing program officers to remove any CMMC third-party certification requirements from active solicitations.

And if the department does decide to overhaul the program following the review, officials could use class deviations or interim rules to quickly change direction, according to Sandeep Kathuria, a partner at the law firm Saul Ewing.

“We have seen in many areas that this administration can move very quickly to make regulatory changes,” Kathuria said.

Déjà review

DoD first began developing the CMMC program in 2019, during the first Trump administration, to verify compliance with existing cybersecurity requirements. Inspector general audits and other reports had found defense contractors were falsely self-attesting to meeting the requirements.

“The rulemaking is largely based on the fact that the self attestations were not working, and proof of that were the significant cybersecurity incidents that the department has been a victim of through various nation state actors,” Eric Crusius, partner and government contracts practice chair at Hunton Andrews Kurth, told Federal News Network.

The latest CMMC review comes five years after the Biden administration launched its own review of the program, which was also motivated in large part by small business compliance concerns.

]]>

The outcome of that review was to simplify the CMMC standards and reduce the number of companies that would require a third-party certification. DoD officials called the revised program “CMMC 2.0.”

DoD finalized the CMMC 2.0 program rule in 2024 and the associated contracting rules last year. DoD was phasing in the new requirements, starting with CMMC self assessments. But voluntary third-party assessments started picking up steam last year, while some DoD program offices have also elected to include the “level two” CMMC third-party assessment requirements in their solicitations this year.

According to the Cyber AB, “nearly 2,000” defense contractors have been certified at CMMC level two.

During the ongoing review, DoD is still enforcing the requirements for CMMC self-assessments. And DoD is not changing associated requirements for contractors to secure data in line with National Institute of Standards and Technology controls for protecting controlled unclassified information (CUI).

Davies also emphasized that DoD can still step in and evaluate a contractor’s cyber compliance through its Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

She also pointed to the cybersecurity services that are available to defense contractors through the National Security Agency’s Cybersecurity Director, as well as services provided by DoD’s Cyber Crime Center

“We need to be thinking much more creatively, cleverly, and holistically at how we support vendors, contractors, and DIB companies who supply for us, who produce for us,” Davies said.

But the services provided today by the NSA and DC3, respectively, only meet a small portion of the required NIST controls.

And DoD established the Cyber AB and its network of CMMC third-party assessment organizations (C3PAOs) because the department itself doesn’t have the capacity to audit tens of thousands of defense contractors.

“If DoD concluded that it was in the DIB’s best interest to rely more heavily on self-assessments than the original CMMC 2.0 had envisioned, it would be a notable return to the original system that the department said was insufficient, and that necessitated the creation of CMMC 1.0 under the first Trump administration,” Kate Growley, a partner at the law firm Crowell & Moring, told Federal News Network.

In the absence of third-party assessments, DoD has relied on a limited number of reviews by DIBCAC and the Justice Department’s expanding enforcement of cyber standards using the False Claims Act (FCA).

As DoD forges ahead with the self-assessment requirement, Growley said contractors should be aware of the legal risks.

“Any time where you are relying on your own assessment and representation instead of one of an accredited third party — which the DoD has stood up an entire ecosystem to create assurances around the evaluation and the reliability of that third party — that will create FCA risk for contractors who are misrepresenting what that score should be because they are relying on the self-assessment methodology,” Growley said.

Costs, assessor capacity

Pentagon officials are pointing to CMMC compliance costs and assessor capacity as key barriers for small businesses. But those figures are likely to be debated as DoD’s review unfolds.

For instance, Davies said the program is constrained by a “severe shortage of third-party assessors.”

But the Cyber AB, the nonprofit organization that has a DoD contract to oversee C3PAOs and other parts of the CMMC “ecosystem,” has been working to build assessor capacity for years.

In a statement released by the Cyber AB this week, chief executive Matthew Travis said the group is “both surprised and disappointed in yet another momentary pause to this original and vital Trump administration program.”

But he added that the Cyber AB is “confident that the continued and measurable progress of CMMC, the immense investment that companies throughout the DIB and within the CMMC ecosystem have already made in its future, and the absolute criticality of third-party verification of cybersecurity conformity will prove itself indispensable under a rigorous review.”

According to the Cyber AB, the program now has “over 1,000” CMMC certified assessors, who are responsible for carrying out the third-party audits.

Last year, Travis said the program likely needs between 2,000 and 3,0000 certified assessors to meet the demand for CMMC to be fully implemented across all applicable defense contracts, which DoD projected would not happen until late 2028.

Trump administration officials have also pointed to burdensome costs on small businesses. For instance, Loeffler said CMMC compliance costs “exceeding half a million dollars” were driving small firms out of the defense industrial base.

But Crusius said many people have conflated the costs of implementing the required NIST cybersecurity controls with CMMC certification costs. He pointed to DoD’s estimate that a level two C3PAO assessment would cost $105,000.

“The industry has been gearing up for this for quite a few years now, and while there have been complaints about cost and capacity, those complaints have largely been satisfied with how this program has performed over the last nine months or so,” Crusius said. “There have been more assessments completed than were anticipated in the rulemaking, and there are a lot of C3PAOs that offer fairly cost-effective assessments, especially in instances where small businesses have small environments where they don’t really need to have an expansive assessment done across their whole organization.”

Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button