Top stories.
- Pentagon suspends CMMC Phase II requirements.
- US Treasury Department sanctions VPN provider that allegedly assisted criminals.
- Lidl discloses breach affecting customer information.
Pentagon suspends CMMC Phase II requirements.
The Pentagon has suspended the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements that were slated to go into effect this November, stating in a memo that the current version of the program imposes "significant and often prohibitive burdens on the Defense Industrial Base (DIB), particularly the small and non-traditional businesses that are the engine of American innovation."
The Pentagon's CIO, Kirsten Davies, told reporters yesterday, "I want to be clear across the Department of War and our defense industrial base: investing in and dynamically maintaining robust cybersecurity remains a critical non-negotiable priority. This action does not eliminate the legal requirement for our industry partners to protect federal data." Davies added, "We are not reducing cybersecurity through this measure. We are reducing the red tape."
Michael Duffey, Undersecretary of Defense for Acquisition and Sustainment, stated, "We are halting complex audits. We are stopping the requirement for third-party assessors and audits. We are cleaning up active solicitations immediately. If a current defense solicitation or contract contains those suspended phase two requirements, I have directed our program managers and contracting officers to amend or modify them as soon as possible."

