The Department of War has suspended the next phase of its Cybersecurity Maturity Model Certification (CMMC) program, a move expected to have significant implications for North Alabama’s defense industry while prompting a broad review of the government’s cybersecurity requirements.
CMMC is a mandatory Department of Defense framework requiring all defense contractors to implement strict cybersecurity standards to safeguard sensitive government data, a compliance process that often involves significant costs and lengthy timelines.
The department announced Monday that CMMC Phase II requirements, originally scheduled to take effect Nov. 10, have been suspended immediately. Officials said they will spend the next 60 days reviewing the program as part of Secretary of War Pete Hegseth’s broader Acquisition Transformation System initiative, which seeks to reduce regulatory burdens and speed the delivery of defense capabilities.
The decision is particularly significant for Huntsville, where hundreds of defense contractors and subcontractors have spent years preparing for CMMC certification. The region’s defense industrial base includes numerous small and mid-sized companies handling Controlled Unclassified Information for Redstone Arsenal, Missile Defense Agency, NASA and other federal customers.
While the suspension delays the requirement for third-party cybersecurity certification, Department of War officials emphasized that existing cybersecurity obligations remain in place.
“Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness,” Department of War Chief Information Officer Kirsten A. Davies said. “We believe the DIB can achieve both, while we reduce unnecessary government red tape.”
The department said CMMC Phase I self-assessment requirements remain fully in effect, meaning contractors must continue complying with NIST SP 800-171 cybersecurity standards and reporting their compliance through the Supplier Performance Risk System. Contractors also remain contractually obligated to protect covered defense information under existing Defense Federal Acquisition Regulation Supplement requirements.
Huntsville companies invested heavily
The announcement comes after many defense contractors across North Alabama invested substantial resources preparing for CMMC Level 2 certification.
Industry estimates indicate companies have commonly spent between $75,000 and more than $300,000 preparing for certification, with some investing more than $600,000 in secure cloud environments, consulting services and cybersecurity upgrades.
According to IBSS, roughly 42% of defense contractors were actively preparing for Level 2 certification when the suspension was announced, while an estimated 8% had already completed certification nationally. The Small Business Administration has estimated that more than 100,000 small defense contractors would have been affected by Phase II requirements. Those concerns contributed to calls for the department to revisit the program.
Despite the delay, cybersecurity experts caution that contractors should not interpret the suspension as a rollback of cybersecurity expectations.
Summit 7 CEO Scott Edwards said that despite the suspension, cybersecurity requirements under NIST SP 800-171 and DFARS 7012 remain in effect, emphasizing that the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will continue conducting assessments.
“Small businesses in Huntsville face impacts dictated by prime contractors’ supply chain cybersecurity decisions, yet NIST SP 800-171 and DFARS 7012 compliance requirements remain in force,” said Edwards. “Furthermore, these organizations may still face DIBCAC assessments despite potential adjustments to prime contractor programs.”
Huntsville’s Summit 7 specializes in cybersecurity and compliance services for defense contractors, with expertise in CMMC, NIST 800-171 and DFARS requirements within Microsoft GCC High environments. The cybersecurity and compliance firm was recently named one of the world’s top managed service providers, earning the No. 25 spot on the 2026 MSP 501 list.
Recent enforcement underscores continued compliance
The suspension also follows recent federal enforcement actions demonstrating that contractors remain responsible for protecting government information.
Recently, Huntsville-based LOGZONE Inc. agreed to pay $507,144 to resolve allegations under the False Claims Act that it knowingly failed to comply with required cybersecurity standards while performing Department of the Navy contracts.
That case centered on compliance with NIST SP 800-171 requirements rather than CMMC certification itself, highlighting that contractors remain legally responsible for safeguarding federal data regardless of changes to the certification timeline.
Review underway
The Department of War said it is establishing a CMMC Reform Task Force to conduct a comprehensive review of the program and recommend more scalable cybersecurity measures that reduce compliance costs while maintaining security standards.
During the review period, the department said it will continue enforcing cybersecurity requirements through self-assessments and selected government-led assessments rather than requiring third-party certification.
Officials said the task force is expected to deliver recommendations within 60 days.
“Our strategic imperative is to reduce bureaucracy as we build the world’s strongest Arsenal of Freedom,” said Michael Duffey, under secretary of war for acquisition and sustainment. “The CIO’s decision ensures we maintain a strict security baseline while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain.”
Got a tip for OTR? Send your tip to [email protected] with related photo/video, your name, phone number, and e-mail address.
