CMMC suspension caught industry off guard, but the reasons did not

Gettyimages.com/mohd izzuan
The Pentagon's move to pause the cybersecurity program was a surprise, but the cost and burden concerns behind it have been known for years.
The Defense Department’s decision to suspend implementation of the Cybesecurity Maturity Model Certification and put the program through a 60-day review caught many off guard.
CMMC was slated to enter Phase 2 on Nov. 10, when third-party assessments would start to be required for the cyber and supply chain security standard. But that is all on hold as DOD collects more feedback from industry through a new request for information.
“It was definitely a surprise,” said Emil Sayegh, CEO of Cyber Sheath, a firm that has been helping companies assess their CMMC compliance. “No one saw this one coming.”
Many underlying concerns raised by DOD around the regulatory burden and the high costs for small businesses were well known. They have been raised since CMMC got its start over eight years ago.
“We faced these issues from the outset when CMMC was first discussed in Trump 1.0,” said Alan Chvotkin, formerly general counsel for the Professional Services Council and now an attorney at Protorea Law.
PSC was deeply involved with the early development of CMMC and the ultimate creation of the Cyber AB, a group sanctioned by DOD to create and manage an ecosystem of assessors and third-party assessment organizations.
These organizations were responsible for certifying companies' compliance with CMMC and the NIST standard underlying it.
Officials at Cyber AB did not respond to a request for commen. Officials at PSC declined to comment.
David Berteau, former president and CEO of PSC, expressed frustration with the suspension.
“We are right where we were before we started, which is compliance with the standard through self-assessments,” he said. “In 10 years, we haven't made any progress.”
Berteau has also written a commentary for us about the suspension and perhaps where things should head next that you can read here.
Several sources emphasized that while this is yet another pause, this does not mean that CMMC itself is dead.
“DOD contractors and subcontractors still have to be compliant with NIST 800-171 if they're handling [controlled unclassified information]," Sayegh said. “They still have to have an SPRS score that they have to submit.”
Sayegh said that if information companies submit to the Supplier Performance Risk System turns out to be incorrect or false, there can be consequences.
In June, the Justice Department reached a settlement with Logzone to resolve allegations that the company submitted a nearly perfect score on its self-assessment. A DOD audit found that score to be wildly inaccurate and Logzone had to pay roughly $500,000.
Companies still need to build the internal compliance systems and go through the self-assessments, but right now it stops short of the third-party assessors.
“Compliance requirements still exist. They haven't been waived,” Chvotkin said.
“You still have to be able to stand the scrutiny of an audit in case the government decides to audit you,” Sayegh said.
The main driver of the suspension appears to be the cost associated with the third-party assessments and the burden that puts on small businesses.
Small Business Administrator Kelly Loeffler released a statement praising DOD for suspending the program. SBA and DOD have been discussing the cost burden for several months.
“Working closely with the Department of War, the Trump SBA has heard directly from mission‑critical small businesses that CMMC compliance was becoming an untenable barrier pushing them out of the Defense Industrial Base, even though these firms are the backbone of national security,” Loeffler said in her statement.
SBA estimates that the cost of a third-party assessment can reach $600,000.
Those costs and administrative burdens were well known in the early days of CMMC.
“There was no doubt about the burden,” Chvotkin said. “But [DOD] weighed that and concluded that cyber protection was more important than those burdens. Now I think maybe the math is flipping.”
For proponents of CMMC and third-party assessments, DOD’s RFI and the desire to collect more feedback is a hopeful sign. Comments on the RFI are due Aug. 15.
“I hope they get a wide range of industry input,” one industry source said. “They need to listen to all segments of industry and get the full picture, and not just listen to the loudest voices in the room.”