Malik Haidar is a seasoned veteran in the cybersecurity landscape, having spent decades defending multinational corporations against sophisticated global threats. His unique approach combines deep technical analytics with a pragmatic business perspective, ensuring that security measures empower organizations rather than hinder them. As a leading voice in threat intelligence and strategic defense, he provides a critical bridge between high-level government policy and the practical realities faced by contractors on the front lines of the defense industrial base.
This conversation explores the strategic implications of the Department of War’s decision to pause the Cybersecurity Maturity Model Certification (CMMC) rollout. We delve into the motivations behind the sixty-day review period, the challenges of protecting controlled unclassified information, and the department’s efforts to simplify compliance for small businesses. The discussion also highlights the logistical hurdles of the phased implementation timeline and the critical shortage of third-party assessors that prompted this shift in policy.
How do you interpret the Pentagon’s decision to halt the second phase of CMMC, and what does this 60-day review signify for the broader defense industry?
The decision to pause the November 10, 2026, deadline for Phase 2 is a pragmatic admission that the current trajectory was hitting a wall of bureaucratic friction. By initiating this 60-day review, the Department of War is signaling a willingness to listen to the industry rather than simply imposing rigid mandates that could paralyze the supply chain. It is important to note that this is not a retreat from security, as Phase 1 requirements—which took effect on November 10, 2025—remain firmly in place, requiring Level 1 and Level 2 self-assessments. This review period acts as a strategic reset to ensure that when we finally do move toward third-party certifications, the infrastructure is actually ready to support the thousands of companies involved.
With the Department of War aiming to revitalize the defense industrial base, how can they simplify these security measures without compromising the safety of sensitive government data?
The challenge lies in the fact that robust cybersecurity is described by officials like Kirsten Davies as a nonnegotiable priority, yet the cost of entry can be devastating for a small manufacturer. To balance this, the newly formed reform task force is looking at scaling back specific security measures to make the process more accessible for nontraditional and small businesses. We are moving toward a framework where the level of scrutiny matches the sensitivity of the data, such as the three-level system in CMMC 2.0 where Level 1 handles basic federal contract information and Level 3 tackles advanced persistent threats. By streamlining these requirements, the department hopes to scale warfighter readiness aggressively without forcing essential smaller players out of the defense market due to high compliance costs.
What specific challenges does the shortage of third-party assessors present for contractors who were preparing for the Phase 2 rollout?
The shortage of approved third-party assessors is perhaps the most significant logistical bottleneck in the entire CMMC ecosystem. Under the original plan for Phase 2, contractors would have been required to obtain external certifications for new contracts starting in late 2026, but the math simply didn’t add up given the current number of available auditors. For a contractor, this creates a state of “compliance limbo” where they might have the internal security controls ready but cannot find an authorized body to verify them. This scarcity would have likely led to a massive backlog, potentially preventing qualified companies from winning new work and ultimately stalling the very defense projects the government is trying to accelerate.
As we look toward the full implementation scheduled for 2028, how should the phased rollout of Levels 1 through 3 evolve to better protect against advanced persistent threats?
The roadmap currently leads us through several critical milestones, including the introduction of Level 3 requirements in Phase 3 by November 2027. This level is specifically designed to guard controlled unclassified information against the most sophisticated actors, and its success depends on the foundation laid in the earlier phases. By the time we reach the fourth and final phase in 2028, the goal is to have full implementation across all applicable contracts, creating a uniform shield across the entire industrial base. The evolution of this rollout must remain dynamic, ensuring that while we simplify the process for Level 1, we remain uncompromisingly rigorous for Level 3 where the most critical national secrets reside.
What is your forecast for CMMC?
I anticipate that the 60-day review will result in a “CMMC 2.1” of sorts, where the self-assessment options for Level 2 are expanded to include a wider range of low-risk contracts. While the 2028 deadline for full implementation remains the ultimate goal, we will likely see a much more flexible, “risk-based” approach rather than a one-size-fits-all certification model. The Department of War will likely lean more heavily on automated scanning and agentic AI tools to supplement the human assessor shortage, ensuring that security stays “dynamic” and “robust” as Kirsten Davies promised, even as the bureaucratic hurdles are lowered. Ultimately, the framework will survive because the threat to government information is too great to ignore, but it will emerge as a leaner, more business-friendly version of its original self.

