The Pentagon just hit Ctrl-Z on CMMC Phase II. Meanwhile, nation-state APTs are still ./scanning your supply chain.
The defence supply chain has always had a soft underbelly. Thousands of small contractors stitched together with hope and unpatched servers, hanging off primes who’d rather not think about what’s downstream. CMMC was the right idea born from the right instinct. The execution left something to be desired.
Good Intentions, Bad Implementation
CMMC tried to harden the DIB’s seams. Flawed from the start:
- Prescriptive over outcome-based. A contractor could pass an audit and still be wide open to the lateral movement that made Cloud Hopper devastating.
- Cost-prohibitive for the wrong reasons. C3PAO assessments spawned an overnight consultancy industry. Six-figure costs for the privilege of being audited—not for better security.
- Wrong threat model. Certifying a prime does nothing when their tier-4 supplier still runs a default-password PBX.
The SBA reported CMMC costs were driving small firms out of the DIB. Shrinking the supplier base at a time the military needs those capabilities. The math didn’t math.
The Precedent
None of this is theoretical.
2009. Chinese state actors breached the F-35 programme through Lockheed Martin and its contractors. BUCKSHOT YANKEE gave China radar systems and engine schematics that almost certainly informed the J-20 and J-31 stealth fighters.
2016–2018. APT10 ran Operation Cloud Hopper. Compromised MSPs across 14 countries to pivot into defence contractor networks—BAE Systems, IBM, HPE. APT10 never touched the actual targets. They went through the companies that had trusted access to all of them.
Adversaries target the seams. The seams live at the bottom of the chain.
The Pause
DoD CIO Kirsten Davies suspended CMMC Phase II on 13 July—mandatory third-party assessments for Level 2, originally set for 10 November. A 60-day review is underway via a new CMMC Reform Task Force.
Phase I self-assessments remain. The obligation to protect CUI hasn’t gone anywhere. Only the expensive audit mechanism is on hold.
Urgency drops for orgs that were only hardening to pass the test. That’s the danger. Assessment budgets can pivot to actual controls—that’s the opportunity. Enforcement is in limbo. Contract language persists, but the teeth are dulled.
The Bottom Line
The gap between pause and whatever comes next is where exposure lives. 60 days of policy review is 60 days the adversary keeps operating uninterrupted.
If you were preparing for Phase II, don’t stop. Hardened baselines, segmenting CUI, boring tech, verifying your supply chain posture—those are the things that would have stopped BUCKSHOT YANKEE and Cloud Hopper. Not a certificate on a wall.
Good intentions don’t stop nation-state actors. Implementation does. Full stop.
Official announcement: Department of War Suspends CMMC Phase II Requirements