Defense suppliers gain additional time as the U.S. Department of War (formerly the U.S. Department of Defense) reviews its Cybersecurity Maturity Model Certification (CMMC) program. However, Heather Falcone, founder and principal of Falcone Consulting, LLC and Heat Treat Radio host and producer, cautions manufacturers with in-house heat treating and commercial heat treaters against interpreting the pause as a relaxation of their cybersecurity obligations.
What the Announcement Revealed
The U.S. Department of War has suspended the transition to Cybersecurity Maturity Model Certification (CMMC) Phase II requirements while it conducts a comprehensive review of the program.
The suspension pauses pending and future Phase II implementation milestones across Department of War solicitations and contracts. However, Phase I self-assessment requirements remain in effect, and contractors must continue protecting covered defense information under existing contractual requirements, including DFARS clause 252.204-7012. During the 60-day review period, cybersecurity compliance will continue through NIST SP 800-171 Revision 2 self-assessments and select government-led assessments.

Chief Information Officer
U.S. Department of War
The review is intended to reduce compliance burdens on small, medium-sized, and non-traditional defense suppliers while maintaining cybersecurity protections. A newly established CMMC Reform Task Force will evaluate industry feedback and submit recommendations within 60 days.
“In support of Secretary Pete Hegseth’s directive to reduce compliance barriers for small and medium-sized businesses, we are suspending the CMMC Phase II requirements and initiating a 60-day study of the future of this program,” said Kristin A. Davies, chief information officer for the Department of War. “Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness. We believe the Defense Industrial Base (DIB) can achieve both, while we reduce unnecessary government red tape.”
What This Means for Heat Treaters: An Industry Expert Weighs In
While the announcement delays the rollout of Phase II certification requirements, Falcone said manufacturers should avoid assuming that cybersecurity preparation can be put on hold.

Founder and Principal of Falcone Consulting LLC / Host and Producer of Heat Treat Radio
“The most dangerous interpretation of this announcement would be that cybersecurity preparation can stop,” Falcone said. “Phase II has been suspended, but manufacturers remain responsible for protecting defense information and meeting their existing contractual requirements. Companies should use this period to confirm their scope, close material NIST 800-171 gaps, and strengthen the evidence supporting their compliance.”
Falcone described the announcement as a meaningful reprieve for many small and midsized captive and commercial heat treaters that supply the defense industry. Many companies, she noted, have been preparing for significant compliance costs while lacking dedicated cybersecurity staff or access to enough certified assessors.
“A rushed implementation could consume capital that would otherwise support equipment upgrades, workforce development, capacity expansion, and other investments the defense supply chain needs,” she said.
She added that the review provides an opportunity to address longstanding concerns over how controlled unclassified information (CUI) is identified, marked, and shared throughout the defense supply chain, as well as the availability of qualified assessors and the affordability of compliance for small manufacturers.
“This suspension acknowledges the capacity and cost problems small manufacturers have been raising for years,” she said. “A successful CMMC reset should preserve a serious cybersecurity baseline while giving small defense suppliers requirements they can clearly understand, afford, and execute.”
Although the November implementation deadline has been suspended, Falcone recommends that heat treaters continue strengthening their cybersecurity programs while reviewing spending decisions driven solely by the former deadline. She also encourages companies to consult with prime contractors before changing any contract-specific commitments.
Learn More About CMMC
For readers looking for additional background on cybersecurity requirements for defense suppliers:
- Heat Treat Radio #113: NIST and CMMC — What Heat Treaters Need To Know: An overview of CMMC, NIST SP 800-171, certification timelines, and what they mean for heat treaters.
- Cybersecurity Desk: CMMC vs. NIST SP 800-171 — Understanding the Differences: A practical explanation of how the certification framework differs from the underlying cybersecurity requirements.
- Cybersecurity Desk: Most SMBs Unprepared for CMMC 2.0, Risk Losing Contracts: Why compliance has become a significant challenge for small and midsized manufacturers in the defense supply chain.
Press release is available in its original form here.





