Dominic Jainy offers a sophisticated perspective on the intersection of federal policy and technological resilience, bringing years of experience in high-stakes infrastructure to the current debate over defense standards. As the Department of War shifts its approach to the Cybersecurity Maturity Model Certification, or CMMC, Jainy provides a critical bridge between the technical requirements and the strategic realities facing the modern industrial base. His insights help decode a period of intense transition, where the stakes involve not just regulatory compliance but the fundamental protection of the nation’s most sensitive technological secrets.
In this conversation, we explore the nuances of the 60-day program review and the sudden suspension of the Phase II implementation milestones that were originally slated for late 2026. We examine the economic disruption felt by third-party assessors and the critical legal obligations that remain in place regardless of the certification pause. Finally, the discussion moves beyond the “audit culture” to address the genuine readiness gap within the defense industrial base and the strategic opportunity this delay provides for contractors to address technical debt.
With the 60-day review of the CMMC program now underway, what specific structural shifts within the Department of War are driving this sudden pause in the implementation timeline?
The primary catalyst behind this 60-day pause is a recognition by the Department’s leadership that the current certification framework was becoming a bottleneck for innovation rather than a facilitator of security. Under Secretary Michael Duffey highlighted a critical need to reduce what he called “paralyzing costs” that were beginning to stifle participation across the Defense Industrial Base. When you look at the sheer scale of the mission, with more than 100,000 contractors eventually requiring some form of assessment, the mismatch between the required volume and the available assessment capacity becomes impossible to ignore. Chief Information Officer Kristen Davies pointed out that the existing model was simply too difficult to scale efficiently in its current form. By establishing the CMMC Reform Task Force, the Department is signaling that while the goal of cybersecurity is non-negotiable, the method of validating it must be redesigned to preserve the agility of our most innovative defense partners.
The suspension of the November 2026 milestone has sent shockwaves through the industry, but how do you view the immediate business impact on the various stakeholders within the cybersecurity ecosystem?
This decision has created a palpable sense of disruption, particularly for the thousands of organizations that had been feverishly preparing for mandatory third-party assessments. For Managed Service Providers and CMMC Third-Party Assessment Organizations, this is a moment of significant financial and operational recalculation. These entities had aligned their entire hiring plans, investment strategies, and long-term operating models around the 2026 deadline, and seeing those milestones held in abeyance feels like a sudden loss of gravity. We are seeing software vendors and consultants who built their roadmaps on this regulatory urgency now facing a market where purchasing decisions are slowing down significantly. It is a gut-wrenching period for those who invested heavily in the infrastructure of the old timeline, as they now have to wait for the task force to deliver its recommendations for a redesigned framework.
There is a growing concern that some contractors might see this pause as a “get out of jail free” card regarding their security obligations, so what legal and regulatory realities remain unchanged?
It would be a catastrophic mistake for any defense contractor to interpret this announcement as a suspension of their responsibility to protect Controlled Unclassified Information. The memorandum is explicit: existing contractual obligations, including compliance with NIST Special Publication 800-171 Revision 2, are still very much in effect. This means the 110 security requirements remain the law of the land, and the requirements for System Security Plans and Plans of Action and Milestones have not moved an inch. Furthermore, the Department of Justice’s Civil Cyber-Fraud Initiative is still actively monitoring for any organization that might misrepresent its cybersecurity posture within the Supplier Performance Risk System. CMMC has already moved through the federal rulemaking process and is a part of the regulatory framework; this update is about implementation strategy, not about erasing the underlying expectations for national security.
The debate often focuses on the lack of third-party assessors, but you have suggested that the real issue lies elsewhere—could you elaborate on the maturity of the ecosystem versus the readiness of the contractors?
The narrative that there aren’t enough assessors is actually an incomplete diagnosis of the current challenges. We have already seen more than 1,500 organizations successfully achieve certification under the existing framework, which serves as a powerful proof of concept that the assessment ecosystem was maturing and functioning. The more daunting challenge is the “readiness gap” among the contractors themselves, many of whom treated this as a last-minute audit rather than a holistic transformation of their risk management. Far too many companies underestimated the grueling operational effort required to implement the 110 specific security controls found in the NIST documentation. They viewed the process as a bureaucratic hurdle to be jumped over once, rather than an ongoing commitment to protecting the military advantage that our national security depends on.
How should forward-thinking organizations utilize this unexpected window of time to ensure they are prepared for whatever redesigned framework emerges from the 60-day review?
This period of uncertainty should be viewed as a rare strategic gift—an opportunity to address deep-seated technical debt and strengthen governance without the immediate pressure of a certification deadline. Companies have the chance now to mature their identity management, enhance their monitoring and incident response capabilities, and refine their operational processes. This is the time to ensure that the security controls they have in place are not just “paper compliant” but are functionally protecting sensitive defense information from real-world threats. Those who use this time to build truly mature cybersecurity programs will find themselves in an enviable position regardless of the specific rules the Department eventually settles on. The goal was never to create a “certification for certification’s sake” culture, but to foster a resilient industrial base that can withstand sophisticated cyber attacks.
What is your forecast for the future of the CMMC program?
I believe we will see a redesigned framework that places a much heavier emphasis on self-assessments for the lower levels of sensitivity, reserving the high-intensity third-party audits for the most critical supply chain nodes. The 60-day review will likely lead to a more tiered approach that attempts to balance the Department’s need for verification with the contractor’s need for fiscal sustainability. We should expect a move toward a model that is easier to scale across those 100,000 contractors, perhaps by leveraging automation or more streamlined validation processes for Level 1 and Level 2 requirements. However, the fundamental demand for rigorous protection of unclassified information will only intensify, as the geopolitical landscape makes the safeguarding of our military technology more vital than ever before. Ultimately, the framework will evolve, but the underlying mission of hardening the Defense Industrial Base is a permanent fixture of our national strategy.
