Back To Blog

CMMC Phase II Requirements Suspended: What Defense Contractors Need to Know

Overview

On July 13, 2026, the Department of War (DoW) announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, a significant development for organizations throughout the Defense Industrial Base (DIB).

The suspension comes just months before Phase II requirements were scheduled to take effect on November 10, 2026. While the Department conducts a comprehensive review of the program, defense contractors are evaluating what the decision means for compliance planning, cybersecurity investments, and future contract readiness.

The key takeaway is straightforward: CMMC Phase II requirements are suspended, but cybersecurity obligations remain in effect.

Department Suspends CMMC Phase II Implementation

According to the Department’s announcement, the transition to CMMC Phase II requirements has been suspended, along with pending and future CMMC implementation milestones tied to Department of War solicitations and contracts.

The decision is part of a broader review aligned with Secretary of War Pete Hegseth’s Acquisition Transformation System (ATS), which emphasizes speed to capability, increased competition, and reduced barriers for small, medium-sized, and non-traditional businesses.

Department officials stated that the current certification framework may have created compliance costs and administrative burdens that discouraged innovative companies from participating in defense programs. The Department has established a CMMC Reform Task Force that will conduct a 60-day review and provide recommendations to the DoW Chief Information Officer.

What Has Not Changed

While much of the attention has focused on the suspension of Phase II, several important requirements remain in place.

Most importantly, the Department stated that all Phase I self-assessment requirements remain firmly in place.

Defense contractors and subcontractors also remain contractually obligated to safeguard covered defense information in accordance with DFARS 252.204-7012. The announcement specifically emphasizes that companies remain responsible for protecting federal data.

During the review period, the Department will continue enforcing cybersecurity requirements through:

For organizations supporting federal contracts, cybersecurity compliance remains a business requirement, not an optional initiative.

Why This Matters Beyond Certification

Many contractors have invested significant time and resources preparing for CMMC compliance. Those efforts often included cybersecurity controls, policies, documentation, employee training, incident response planning, and internal assessments aligned with NIST SP 800-171.

Those investments are still likely to provide substantial value.

The Department’s announcement focuses on reassessing how cybersecurity compliance is evaluated, not on eliminating the underlying expectation that contractors maintain effective security programs. The continued emphasis on NIST SP 800-171 suggests that foundational cybersecurity safeguards will remain central to defense contracting regardless of what changes ultimately emerge from the review process.

Organizations that have strengthened access controls, cybersecurity awareness programs, incident response capabilities, and data protection practices are likely to remain better positioned than organizations that pause cybersecurity efforts while awaiting new guidance.

Why the Government Is Reassessing CMMC

According to the Department, the review is intended to identify cybersecurity approaches that better support innovation, competition, and participation across the Defense Industrial Base.

The Department cited concerns that compliance costs and administrative requirements may discourage smaller businesses and commercial technology firms from pursuing defense opportunities. Officials argue that reducing unnecessary barriers could improve competition and accelerate delivery of critical capabilities to the warfighter.

To support this effort, the CMMC Reform Task Force will gather industry feedback and evaluate potential alternatives or modifications to the current certification approach. According to the announcement, the review will focus on:

  • Scalable cybersecurity measures
  • Reduced compliance overhead
  • Increased participation from small businesses
  • Faster delivery of defense capabilities
  • Strong cybersecurity outcomes without excessive bureaucracy

The task force’s recommendations are expected to be delivered to the DoW Chief Information Officer within 60 days.

What Defense Contractors Should Be Doing Now

The suspension creates a planning window, but it should not be interpreted as a signal to pause cybersecurity initiatives.

Contractors should use this period to:

  • Reviewing NIST SP 800-171 implementation status
  • Addressing known cybersecurity gaps
  • Updating security documentation and procedures
  • Continuing employee cybersecurity awareness training
  • Monitoring future guidance from the Department regarding CMMC reform

Organizations that were planning for third-party certification assessments may need to revisit timelines and spending assumptions. However, cybersecurity investments aligned with NIST SP 800-171 and defense information protection requirements are likely to remain relevant regardless of how the review concludes.

The organizations best prepared for future changes will be those that continue strengthening their cybersecurity foundations rather than waiting for new regulatory direction.

Why Should You Care?

Even organizations that are not actively pursuing defense contracts should pay attention to this development.

Over the past several years, CMMC has become one of the most influential cybersecurity compliance initiatives affecting federal contractors and their supply chains. Decisions resulting from the ongoing review could influence how cybersecurity maturity and compliance are evaluated throughout government contracting in the years ahead.

For organizations already operating within the Defense Industrial Base, the suspension provides an opportunity to strengthen cyber hygiene, improve internal controls, and address known compliance gaps while the Department evaluates future policy options.

For smaller contractors, the review could potentially reduce some barriers to participation if the Department ultimately adopts a more flexible approach to demonstrating cybersecurity maturity. However, organizations should continue to meet existing safeguarding and self-assessment obligations unless and until new guidance is issued by the Department.

Looking Ahead

The Department’s 60-day review represents an important moment in the evolution of defense contractor cybersecurity compliance.

While the future structure of CMMC remains uncertain, the Department’s message is clear: the suspension of Phase II requirements does not eliminate the responsibility to protect sensitive government information. It is a pause in certification requirements—not a pause in cybersecurity expectations.

Contractors should continue aligning with NIST SP 800-171 requirements, maintaining cybersecurity documentation, addressing known gaps, and monitoring developments from the CMMC Reform Task Force.

The Department has not announced a permanent cancellation or replacement of CMMC. However, organizations that continue strengthening their cybersecurity programs during this review period will likely be better positioned to adapt to whatever compliance framework emerges next.

Be sure to subscribe to the CITI Program’s newsletter for future content related to CMMC.

Frequently Asked Questions

Is CMMC Phase II canceled?
No. The Department of War announced the suspension of CMMC Phase II requirements while it conducts a comprehensive review of the program. The Department has not announced the permanent cancellation of CMMC.

Do defense contractors still need to comply with NIST SP 800-171?
Yes. According to the announcement, cybersecurity compliance will continue to be enforced through NIST SP 800-171 Rev. 2 self-assessments and select government-led assessments.

Are contractors still required to protect covered defense information?
Yes. Defense contractors and subcontractors remain contractually obligated to protect covered defense information in accordance with DFARS 252.204-7012.

How long will the CMMC review take?
The Department stated that the newly established CMMC Reform Task Force will conduct a 60-day review and provide recommendations to Department leadership.

What should contractors do during the suspension?
Organizations should continue maintaining cybersecurity controls, addressing gaps in NIST SP 800-171 implementation, updating security documentation, and monitoring future guidance regarding the evolution of CMMC requirements.