The Pentagon has begun a formal review of its Cybersecurity Maturity Model Certification program, known as CMMC, with a newly formed task force holding its first meeting on Thursday.
According to DefenseScoop, the task force convened just days after Department of Defense Chief Information Officer Kirsten Davies moved to pause the program's phase 2 requirements and open a review of the entire effort.
CMMC is the Pentagon's framework for verifying that defense contractors meet baseline cybersecurity standards before handling sensitive government information. It is designed to reduce the risk that adversaries can steal military data or intellectual property by targeting the vast network of companies that supply the U.S. defense industry.
The program has been rolled out in phases, and phase 2 represents a later stage of those certification requirements. By pausing that phase and standing up a task force to examine the program as a whole, Davies is signaling that the department wants to reassess how CMMC is working before pressing ahead.
DefenseScoop characterized the task force as having "hit the ground running," noting the short gap between Davies initiating the pause and review and the group's first meeting.
The source item does not detail what specific changes the review might produce, who sits on the task force, or how long the review will take. Those questions remain open based on the information available.
Why it matters: CMMC governs the cybersecurity obligations of the many private contractors that build weapons, software, and services for the U.S. military, so any pause or overhaul could reshape the rules that thousands of companies must follow to keep doing business with the Pentagon.