On July 13, 2026, the Department of War suspended the November 2026 transition to mandatory third-party CMMC assessments and stood up a sixty-day reform task force. The stated reasoning is that the certification program was pricing small and non-traditional firms out of the defense industrial base, and that we will not beat our adversaries with compliance checklists. Both of those things are true.
So I want to be careful here, because it would be easy to read this as a win and easier still to read it as a defeat, and it is neither. What happened is subtler and, for the honest contractor, worse. The security baseline did not change. What changed is the floor underneath the companies that were never going to take the baseline seriously in the first place.
Where I am writing from
I have spent a career building and running security programs on both sides of this problem. I have been the CISO of a major military command. I taught enterprise risk and cyber operations at the National Defense University. I have been the CISO for a top-five consumer brand, for a major medical insurer, and for a company inside the defense industrial base. I have built the government-community enclaves, sat through the assessments, and carried the affirmation risk personally. This essay is written from that seat, not on behalf of any employer, and it is calibrated for the small and mid-size firm that does not have a compliance department to absorb the burden. When I say a reform reduces cost, I mean cost that a small contractor actually feels, not a line item a large prime never notices.
One thing sits underneath the whole reform debate and usually goes unsaid. The largest primes are not obviously more secure than a well-run mid-size shop. They are better resourced to generate the proof. They can staff the documentation, absorb the assessment scheduling risk, and run the parallel environments without noticing the cost. If the current model rewards the capacity to document security rather than security itself, then the firms it filters out are not the insecure ones. They are the ones that spent their limited dollars on defense instead of on paperwork about defense. Keep that distinction in mind, because it is the thread that runs through every reform that follows.
What actually happened
The controls did not go away. NIST SP 800-171 Rev 2 is still the standard. DFARS 252.204-7012 is still in force, which means the safeguarding requirement and the cyber incident reporting requirement are exactly where they were on July 12. The 32 CFR program rule has been effective since December 2024 and the 48 CFR acquisition rule since November 2025. None of that was touched. A contractor’s legal obligation to protect covered defense information is identical today to what it was last week.
What the memo removed was the November 2026 forcing function, the point at which a qualified assessor would sit across the table and check whether a self-reported score matched the running system. The relief misses what this does. When you suspend the third-party check but leave the self-assessment and the legal attestation in place, you have not lowered the stakes. You have raised them for the people telling the truth and lowered them for the people who were not.
The legal exposure is not abstract. Under DFARS 252.204-7021 and 32 CFR 170.22, a senior official has to affirm continuous compliance every year, and the affirmation language is exactly that, continuous compliance with no change since the assessment date. That affirmation is a personal attestation with False Claims Act exposure behind it. So with third-party assessment suspended, the self-assessment now carries the full weight of assurance and the full weight of legal attestation at once. Every honest contractor is signing a continuous-compliance affirmation with more legal exposure and less external validation than before, and every contractor who was going to phone it in just got told, in a memo from the CIO, that checklists do not win wars.
That is the risk. Not that we lost a good control. The third-party mechanism had real problems and I will get to them. The risk is that we kept the liability, removed the deadline that made scoping honest, and handed out a rhetorical permission slip to the exact population that needed the deadline most. A well-run shop was already living the controls and will keep living them. A shop that was treating certification as a date on a calendar just had the date erased and heard the message that the whole thing was bureaucratic theater. Those two firms are now judged by the same self-attestation, and only one of them is telling the truth about it.
The controls are not the problem
The mistake I want to head off is the one where, because the certification apparatus was broken, people start treating the controls themselves as the thing to throw away. That is backwards.
The controls are not the problem. NIST 800-171 describes sound hygiene and a capable contractor can meet it. The problem is the assurance apparatus built on top of the controls, an apparatus that is unaccountable because the assessor’s work is reviewed only by the assessor’s own staff, adversarial by structure because a contested finding has no clean external forum, incoherent because CMMC and DFARS and ITAR overlap without reconciling, indifferent to real supply chain risk because flowdown is uniform regardless of data sensitivity, and one-sided because it disciplines the contractor while the government side of the data path answers to no equivalent standard.
The memo agrees with the cost half of that. It calls out prohibitive compliance costs, third-party assessment scarcity, and complex regulatory timelines as the things forcing capable firms out. Those are real, and they are structural. Where I part company with the relief in the room is what you do about them.
You do not fix an accountability gap by removing the thing that was supposed to provide accountability. You fix it by making the accountability real. Suspending third-party assessment does not repair a captured review process. It just removes the assessor and leaves the gap, which is now a bigger gap because the self-attestation is doing all the work alone.
The task force is about to walk into a methodological trap. Any data it gathers from firms that completed assessment is drawn from survivors. The firms an assessor removed, and the firms that never started because the cost was prohibitive, are not in the pool. The mechanism under review is the same mechanism that selected the sample. If the task force studies who made it through and asks how to make their path cheaper, it will optimize for the wrong population and never see the capable firms the process filtered out. The absence of those firms is itself the finding. Any reform built on survivor data will be a reform for survivors.
The controls are a baseline, not a verdict
The controls are good. Not perfect, not complete, not the end state, but a genuinely sound floor for a security program. Every security program I have stood up, in the military, in the DIB, in a Fortune 500 brand, in health insurance, started roughly the same way, and it looked a lot like NIST 800-171. You inventory what you have. You fix identity and get real multi-factor authentication in place. You segment the flat network. You turn on logging and actually watch it. You get endpoint detection running. You build a backup you can restore from when, not if, something goes wrong. That is not a compliance regime. That is what competent people do when they walk into a company and find out what they are actually defending.
The Department’s own Brilliant at the Basics guidance says the same thing in the same week it suspended the enforcement of it. Read that top ten list next to NIST 800-171 and it is the same skeleton. Phishing-resistant MFA. Asset inventory. Network segmentation. Risk-based vulnerability management. Immutable backups. Continuous workforce readiness. That is a CISO’s opening move, written by the CIO, and it is correct. The Department knows what the floor is. It published the floor on the way out the door.
But a baseline is a floor, not a finish line, and this is the distinction the whole debate keeps collapsing. The controls tell you where to start. They do not tell you where a mature program ends up, and they were never meant to. The failure was never that the controls asked too much. It was that we built a rigid, expensive, one-time verification ritual on top of a living thing and then acted surprised when a snapshot failed to capture a system that changes every day.
Do not hang the controls out to dry to win an argument about the apparatus. Kill the bad apparatus. Keep the floor. Then build a better way to prove you are standing on it.
Eleven things that would actually make this better
These are the reforms I would put in front of the task force. None of them lowers the security baseline. Every one of them targets the apparatus, the calibration, or the proof, not the hygiene. Where a reform answers an objection that the rule already covers the ground, I say so and cite it, because a reform that has read the regulation and still finds it wanting is worth more than one that pretends the regulation does not exist.
1. Make assurance continuous, evidence-based, and fed by tooling that already exists. This is the reform everything else hangs on, so it absorbs several related points into one principle. Start with the legal mismatch. DFARS 252.204-7021 and 32 CFR 170.22 require a senior official to affirm continuous compliance every year, but the thing that official is swearing to is verified only by a triennial assessment and a signature. The framework demands a continuous outcome and measures it discontinuously, which means the officer attests under legal exposure to a state the mechanism never actually watches. Close that gap by moving the unit of assurance from a point-in-time certification to a live evidence feed from monitored commercial controls, so the continuous compliance the affirmation already claims is the continuous compliance the system actually observes. A certification captures one moment. Continuous telemetry detects and contains real intrusions, which a snapshot cannot.
2. Give assessors an auditor and enforce inter-rater consistency. The current rule provides ISO/IEC 17020 accreditation of the assessor firm and an internal quality assurance function under 32 CFR 170.9(b)(13) and (14), and a critic will point to those as oversight. They are not the oversight I mean. The quality assurance function checks that one assessment was complete and that the team followed process. Nothing compares how two different assessors score the same posture, and nothing audits an assessor’s determinations for consistency across engagements. The same posture can pass with one assessor and fail with another, and there is no mechanism to detect it. Require inter-rater consistency standards and an external review of determinations, so assessment becomes a professional evaluation rather than an adversarial verdict, and so capable firms stop carrying a risk premium for the luck of the draw.
3. Build a real, independent appeal. The rule does contain an appeal, and someone will say so, which is exactly why this one needs answering head on. Under 32 CFR 170.9(b)(19), a contractor can appeal a Level 2 finding, and if unsatisfied, elevate to the Accreditation Body. Read who runs it. The appeal is addressed by the C3PAO that produced the finding, handled by that same firm’s own quality assurance staffer under 170.9(b)(13), and escalated to the Accreditation Body that authorized and accredited the C3PAO in the first place. Your reviewer works for the company that graded you, and your appeal goes to the body that credentialed them. Meanwhile the courts and the boards of contract appeals have no clear jurisdiction over a dispute between a contractor and a private assessor, so there is no clean external forum either. The appeal is not missing. It is captured. Replace it with independent review by a party that neither performed the assessment nor credentialed the assessor, so a contested finding has a real path that does not run through the people with an interest in the original result. This is also the direct fix for survivor bias, because it makes the exits visible and correctable.
4. Reconcile the overlapping rule sets into a single assessed baseline. Map CMMC, DFARS, ITAR, and the related requirements so a contractor evidences each underlying control once. Today the same underlying safeguard gets documented separately to satisfy CMMC, then again to satisfy an ITAR obligation, then referenced again under a DFARS flowdown, three evidence packages describing one control. That is pure cost with zero security return, and reconciliation removes it without pulling a single control out of the baseline. Small teams feel the duplication worst and benefit from the fix most.
5. Calibrate to actual risk instead of applying every requirement uniformly. The same mistake runs through two different parts of the program, supply chain flowdown and third-party assessment, and both get better the same way. Start with flowdown. Obligations should attach to the sensitivity of the data and the risk of the specific product, not flow down uniformly because uniform is easier for the contracting shop. A machine shop turning a non-sensitive aluminum bracket to a public drawing receives the same flowdown as a firm holding weapons design data, because the clause does not distinguish them. One of those suppliers warrants the full weight and one does not, and the current model cannot tell them apart. Blanket flowdown makes every low-risk supplier dance for no targeted risk reduction, and those low-risk suppliers are exactly the population the Department says it wants to keep.
The same uncalibrated logic drives the assessment bottleneck. Assessor supply is far below demand, so requiring third-party assessment across the board guarantees a backlog that removes capable firms for scheduling reasons alone. Anyone who has tried to book an assessment knows the timeline sits outside the contractor’s control while contract eligibility depends on it, and that securing a slot has become a matter of active pursuit and price negotiation. Concentrate scarce expert assessment on the highest-risk CUI, lean on continuously monitored evidence for the lower-risk cases, and you relieve the backlog while pointing expertise where the risk actually is. Calibration is the single principle underneath both fixes. Match the obligation to the risk, in the flowdown and in the assessment, and the burden falls off the firms that never warranted it in the first place.
6. Discipline the whole data path, including the government side. Assurance is only as strong as its weakest segment. A regime that hardens the contractor while the originating agency routes covered information without equivalent discipline is certifying a segment, not securing the path. The data does not become safe because a contractor’s enclave is sound if the program office that sent it handles it on an uncontrolled system. Pair contractor requirements with reciprocal data-handling standards on the government end, or admit the protection is partial.
7. Accept existing authorizations by reciprocity. Where a contractor already holds a relevant independent authorization, accept that assurance instead of rebuilding it through a parallel regime. A firm operating in a FedRAMP High environment, which is the authorization level GCC High itself carries, has already been assessed against a control set that overlaps heavily with what CMMC demands, yet is asked to evidence the same ground again from scratch. The Department should not pay twice for the same assurance, and capable firms should not be punished for having already invested in an authorization the government itself recognizes elsewhere.
8. Fix the attestation now that it carries the full legal load. With third-party assessment suspended, the self-assessment holds all of the assurance and all of the legal exposure, and the memo’s own language gives cover to firms that want to treat the baseline as optional. Any streamlining has to make an accurate self-assessment easier and a shallow one harder. Tie the attestation to the continuous evidence in reform one so that signing it means something verifiable, rather than becoming a liability trap for honest contractors and a free pass for everyone else.
9. Publish scoping guidance that ends the enclave arms race. The largest single cost most mid-size firms face is not any individual control. It is the architecture obligation to stand up and run a segregated government-community cloud enclave with its own identity, endpoint, and monitoring stack. This is not a rounding error. A small contractor of twenty to twenty-five users can spend six figures in the first year alone getting onto GCC High, and enclave operation runs on the order of a few hundred dollars per user per month before the assessment itself, against a roughly two-times premium over the commercial cloud everyone else uses. The dominant driver is architecture and boundary ambiguity, not any single onerous control. Clear, consistent scoping guidance on what genuinely falls in the boundary, and how to minimize the CUI footprint honestly, would cut that cost without weakening a single control. Ambiguity here is what forces firms to over-scope defensively and pay for it forever.
10. Fund and staff the assessment ecosystem the reform assumes. Concentrating third-party assessment on the highest-risk cases, as reform five urges, still depends on there being enough qualified assessors to do that work well and on the review and appeal functions actually being resourced. An accountability mechanism with no staff is a memo. If the task force recommends assessor auditing, inter-rater review, and an independent appeal, it has to recommend the capacity to run them, or it is designing a system that cannot function on day one.
11. Measure the reform against outcomes, not against relief. The temptation over the next sixty days will be to measure success by how much burden came off. That is the wrong yardstick, and it is how you end up optimizing for survivors. Measure it against whether the base got more resilient and whether the firms that had exited came back. Track the exits. Seek out the companies the old mechanism removed and ask them what would bring them in. A reform that makes survivors more comfortable while the base stays exactly as exposed has solved the political problem and left the security problem sitting where it was.
What I actually want
I want the Department to stop swinging between two bad poles. One pole is the rigid, expensive, unaccountable certification ritual that was genuinely pushing capable firms out. The other pole, the one we just stepped toward, is the quiet suggestion that because the ritual was broken the discipline underneath it was never real.
Both poles are wrong. The controls are a sound floor, the same floor a competent CISO builds from on day one at any company, defense or not. The Brilliant at the Basics list proves the Department knows exactly what that floor is, because it published it. The apparatus we built on top of the floor was the failure, and the fix is not to demolish the floor. It is to prove you are standing on it in a way that reflects how security actually works, which is continuously, with evidence, using tools that already exist and that serious firms already run.
The task force has sixty days. It can spend them making the survivors comfortable, or it can spend them building an assurance model that is accountable, coherent, risk-calibrated, continuous, and end to end. Only one of those actually protects the data and keeps capable firms able to do the work. The floor is fine. The job is to fix the thing we built on top of it.
That job needs a seat at the table that the current process is structurally set up to miss. A task force studying the firms that finished assessment will hear from survivors, integrators, and the assessment industry that has an interest in the model staying roughly as it is. What it will not hear, unless someone deliberately puts that voice in the room, is the vantage point that has built the government-community enclave from the inside, carried the affirmation risk personally, and can still see the whole system, government side included, because it has also run security for a military command, a Fortune 500 brand, and a national insurer. That is the seat I am asking to fill. Put me on the CMMC Reform Task Force as a DIB representative. I have built the thing under review, I have taught the risk discipline behind it, and I have spent this entire essay showing my work. Sixty days is enough time to get this right, and getting it right needs someone in the room who has lived on both sides of the data path.