I have spent my career at the intersection of advanced manufacturing and national defense. When the Department of War suspended CMMC Phase II requirements on July 13, 2026, I read it as more than regulatory relief.
I read it as an admission that the way we certify security had drifted away from the way security actually gets built.
The Math Never Worked
Here is the arithmetic that forced this decision. More than 100,000 businesses in the Defense Industrial Base needed third-party assessments. Roughly 100 assessors existed to perform them.
The cost side was equally severe. SBA analysis put total compliance near $593,800 per certification for small firms requiring third-party assessment. For many precision manufacturers, that figure exceeded the annual profit from their defense contracts.
Industry analysts projected that 33,000 to 44,000 companies, roughly 15 to 20 percent of the industrial base, might exit defense work between 2025 and 2027.
Our adversaries have spent years trying to hollow out American manufacturing capacity. A compliance mandate that pushes out a fifth of the industrial base does that work for them.
Security Obligations Remain, and That Is the Point
This is commonly misread as deregulation. It is anything but.
Every contractor remains bound by DFARS 252.204-7012 and NIST SP 800-171 Rev 2. You still have to protect covered defense information. The suspension removes the certification apparatus while keeping the underlying standard intact.
DoD will focus on “tangible cyber hygiene rather than third-party certifications and bureaucratic, high cost-imposing red tape,” Davies wrote, adding that “our approach must be centered on achieving tangible supply chain and cybersecurity resilience, not one at the expense of the other.”
That single sentence describes a shift from checkbox compliance to demonstrated capability. I believe it is overdue.
Why Digital Manufacturing Was Already Ahead of This
At DDM Systems, we run a Digital Foundry. A design file moves directly from CAD to a printed ceramic shell to cast metal. There are no wax tooling handoffs, no pattern shops, no month-long chains of custody where sensitive geometry sits on someone’s desk.
When I think about what “inherently secure” manufacturing looks like, it looks like fewer touchpoints, fewer intermediaries, and a fully digital thread from design to part.
Architecture beats retrofit. Companies that built security into their digital infrastructure from day one treat NIST 800-171 as an operational baseline. Companies that bolted compliance onto legacy processes carry the burden as a permanent tax.
💡 If you serve defense customers, audit your process for manual handoffs of technical data. Each one is both a security exposure and a schedule delay. Fixing them addresses both problems at once.
The 60-Day Window Matters More Than the Suspension
The Department opened a Request for Information asking industry which controls actually reduce risk, what drives compliance cost, and how commercial cybersecurity tools already in use might be recognized instead of requiring separate assessments.
This is the part I would urge every manufacturer to take seriously. Policy written from theoretical frameworks produced the problem. Policy informed by operational reality can fix it.
If you run a shop that serves aerospace or defense programs, tell the Department three things:
-
Which controls genuinely protect your data flows
-
Which requirements consume budget without reducing risk
-
How your existing tools and cloud infrastructure already meet the intent
Small businesses make up 73 percent of the Defense Industrial Base. Their absence from this comment period would leave the next framework shaped, once again, by the largest primes.
Speed and Security Grow From the Same Root
We compress casting lead times from over 100 days to as few as 39. That speed comes from digitizing the process end to end. The security benefit came along with it, because a digital thread is auditable, traceable, and hard to intercept.
The suspension acknowledges what many of us in advanced manufacturing have observed for years. Speed to capability and cybersecurity resilience reinforce each other when the underlying process is designed well.
My hope for the review is simple. Measure outcomes. Recognize modern architecture. Keep the standard, drop the toll booth.
The warfighter needs parts, and the industrial base needs to be able to afford making them. A security framework that serves both is within reach, and the next 60 days will shape it.