Pentagon Pauses Cyber Audit Rule for Small Suppliers
More than 100,000 Defence Contractors Affected
The Pentagon has temporarily halted a cyber audit rule that was putting small suppliers at a severe disadvantage. The rule required over 100,000 defence contractors to obtain independent cybersecurity audits, with only around 100 accredited assessors available to conduct them.
"So the math just simply doesn’t add up," said Kirsten Davies, the Pentagon’s chief information officer.
Suspended Program and Task Force Formation
The Department of War suspended Phase 2 of the Cybersecurity Maturity Model Certification (CMMC) program, which was set to introduce mandatory third-party audits for sensitive but unclassified data handling contractors, effective November 10th. A newly formed CMMC Reform Task Force has 60 days to review and report back on the entire program’s future.
Concerns Over Costs and Capacity
A memo from Davies cites compliance costs, assessment capacity shortages, and regulatory complexities as reasons for the pause. She argues that these factors are deterring innovative startups and small businesses from participating in defence contracts. The Small Business Administration has also reported potential annual compliance costs exceeding $7 billion for small and medium-sized firms.
Previous Delays and Industry Concerns
This isn’t the first time CMMC has been paused. The Biden administration halted it in 2021, leading to adjustments that resulted in "CMMC 2.0." Industry concerns have persisted since 2019, with mid-sized firms especially vulnerable to cybercrime, despite their smaller scale.