**Pentagon Reviews Cybersecurity Certification Program: Balancing Security and Small Business Concerns**
The U.S. Department of Defense (DoD) has initiated a comprehensive review of the Cybersecurity Maturity Model Certification (CMMC) program, signaling a potential shift in how the military assesses the cybersecurity practices of its contractors. This move comes amid rising concerns that the program’s third-party assessment requirements have created significant financial and operational burdens for small businesses attempting to compete for defense contracts.
Led by Defense Department Chief Information Officer Kirsten Davies, the review team—including Small Business Administrator Kelly Loeffler and Under Secretary of Defense for Acquisition and Sustainment Michael Duffey—began its work on July 16. The team visited Kform, a small defense manufacturer, to gain firsthand insight into the challenges facing small businesses under the current CMMC framework.
The decision to suspend third-party assessment requirements and launch a “top-to-bottom” review was driven by data from the Small Business Administration, which indicated that the planned compliance requirements were creating “prohibitive costs and unacceptable burdens” for the defense industrial base. DoD has since published a request for information and announced listening sessions to gather feedback from defense contractors, particularly small businesses and cybersecurity executives.
**Key Points of the Review**
During the review, DoD has maintained that small business considerations must remain central to any modifications. Davies emphasized that the goal is not “death by a thousand cuts” but rather thoughtful adjustments that reduce barriers to entry while still protecting sensitive defense information. The review team has 60 days to gather feedback and deliver recommendations, with a finalized report expected by late September.
One critical issue is the capacity and cost associated with third-party assessments. While the Cyber AB—the nonprofit overseeing CMMC assessors—reports having over 1,000 certified assessors, some officials argue that between 2,000 and 3,000 will be necessary for full implementation. Additionally, compliance costs have been a point of contention, with some small business leaders citing expenses exceeding $500,000, though others note that costs vary significantly depending on the size and complexity of the contractor’s environment.
**Looking Ahead**
If the review results in significant changes, DoD could implement them quickly through class deviations or interim rules. The department has also clarified that it will continue to enforce NIST cybersecurity controls and allow self-assessments during the review period. In the absence of widespread third-party audits, DoD will rely more heavily on its Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and other enforcement mechanisms.
As the Pentagon works to refine the CMMC program, the balance between robust cybersecurity and small business accessibility remains at the forefront. The outcome of this review will shape the future of defense contracting cybersecurity—and could offer a model for how government programs adapt to meet both security and economic needs.
—
### FAQ
**What is CMMC?**
CMMC stands for Cybersecurity Maturity Model Certification, a framework that assesses and verifies the cybersecurity posture of companies working with the Department of Defense. It was designed to ensure that contractors protect controlled unclassified information (CUI) in line with NIST standards.
**Why is the Pentagon reviewing CMMC now?**
The review was launched to address concerns that the program’s third-party assessment requirements have created cost and compliance barriers for small businesses, limiting their ability to compete for defense contracts.
**Will third-party assessments be eliminated?**
Not necessarily. The review is exploring changes ranging from minor tweaks to more significant reforms, but officials have not ruled out third-party assessments entirely.
**How long will the review take?**
The review is expected to last 60 days for feedback and analysis, followed by 15 days to produce a report with recommendations, likely finalized by late September.
**What happens during the review?**
During the review, DoD has suspended third-party CMMC assessment requirements but continues to enforce self-assessment obligations and NIST-based cybersecurity standards.
**Will contractors still need to comply with NIST controls?**
Yes. DoD emphasizes that requirements to secure data in accordance with NIST controls remain in place regardless of CMMC review outcomes.
—
### Conclusion
The Pentagon’s review of the CMMC program represents a critical opportunity to align cybersecurity requirements with the realities faced by small defense contractors. While the need to protect sensitive defense information remains paramount, the Department of Defense appears committed to fostering an environment where security and accessibility can coexist. The coming weeks will be pivotal in determining how CMMC evolves—and whether it can better support the resilience and innovation of the nation’s defense industrial base.



