DoD Acquisition Nominee Pledges CMMC Review and Support for Small Business Cybersecurity Challenges

In a recent development that could impact thousands of defense contractors, Michael Duffey, President Donald Trump’s nominee for Under Secretary of Defense for Acquisition and Sustainment, has committed to reviewing the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program. As reported by Justin Doubleday of Federal News Network, Duffey acknowledged in his advance policy responses submitted before his Senate nomination hearing on March 27, 2025, that he is sensitive to the compliance challenges faced by small businesses in the defense industrial base. His remarks reflect a potential shift toward greater flexibility and responsiveness in the way the Department of Defense (DoD) enforces cybersecurity requirements.

Duffey emphasized that if confirmed, he would assess the current requirements under the CMMC framework and explore ways to improve its implementation to help industry partners, especially smaller contractors, keep up with cybersecurity best practices affordably. He also noted the importance of evaluating the roles of third-party assessment organizations (3PAOs) and the Cyber Accreditation Body responsible for overseeing them—entities that are vital to verifying contractors’ cybersecurity preparedness. These third-party assessments will become increasingly significant once the DoD finalizes its long-anticipated CMMC rules and begins including them in contract solicitations.

The CMMC program has been in development for over six years and was significantly revised in 2021 with the launch of “CMMC 2.0,” which reduced certain requirements and delayed enforcement timelines. Still, concerns persist across industry, particularly among small and medium-sized businesses, about the cost and administrative burden of compliance. Duffey appeared attuned to these issues, stating that the cybersecurity capabilities of companies across the defense industrial base vary significantly and that a one-size-fits-all approach may not be sustainable.

In a notable response to questions about classified threat intelligence sharing, Duffey addressed a longstanding pain point: the high cost and limited availability of Sensitive Compartmented Information Facilities (SCIFs), which are required for accessing certain types of cyber threat data. Acknowledging the strategic importance of small businesses and their vulnerabilities to cyberattacks, Duffey committed to exploring the feasibility of multi-use SCIFs and shared resource models. These solutions could expand secure information access and improve the cybersecurity posture of smaller contractors without imposing unaffordable infrastructure investments.

Importantly, Duffey’s nomination and proposed reviews come amid a broader deregulatory environment where the administration requires the repeal of 10 rules or guidance documents for every new one introduced. This policy could further complicate the implementation of CMMC, even as the DoD remains under pressure to safeguard sensitive information from foreign cyber threats.

As the nomination process unfolds and the CMMC rule edges closer to finalization, Duffey’s comments suggest a potentially more collaborative and adaptive approach to cybersecurity compliance—one that could alleviate the burdens on small contractors while maintaining national security standards.

Disclaimer:
This blog post is for informational purposes only and is based on publicly available reporting by Justin Doubleday of Federal News Network. While care has been taken to accurately summarize the original article, we make no guarantees regarding the completeness or current accuracy of the information. This post does not constitute legal or regulatory advice.
