Overview
Key Developments
- DoW has suspended CMMC Phase II requirements effective immediately, halting the planned November 10, 2026 rollout requiring broader third-party assessment requirements for defense contractors handling Controlled Unclassified Information (CUI).
- The Department has launched a 60-day review of the CMMC program, establishing a CMMC Reform Task Force to evaluate potential changes to the current framework as part of broader efforts to reduce compliance burdens and barriers to participation.
- The suspension does not alter existing cybersecurity obligations. Contractors remain responsible for protecting federally regulated data and complying with applicable DFARS and NIST SP 800-171 requirements, including Phase I self-assessments.
On Monday, July 13, 2026, the Department of War (DoW) announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which were scheduled to take effect on November 10, 2026. The DoW also announced that it is pausing pending and future CMMC implementation milestones across DoW solicitations and contracts while it reviews the program.
The announcement is the most significant change to the CMMC program since its phased implementation began. However, DoW emphasized that contractors remain responsible for protecting sensitive government information and complying with other existing cybersecurity obligations. In other words, the announcement just suspends the third-party audit and certification requirements that would have been rolled out later this year.
Background
The current CMMC framework began its phased implementation on November 10, 2025, and intended to strengthen cybersecurity across the Defense Industrial Base by safeguarding government regulated data known as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Under the phased rollout, Phase I (effective November 10, 2025) focused on contractor self-assessments and affirmation. Phase II, which was scheduled to take effect November 10, 2026, would have expanded third-party assessment requirements for many contractors handling CUI.
Accordingly, contractors have spent years preparing for CMMC Level II certification by investing in cybersecurity controls, documentation, compliance processes, and other protocols to align with NIST SP 800-171, Rev. 2, which specifies security requirements for protecting CUI.
Planned Phase II Rollout on Hold
The DoW stated that the suspension is intended to support broader acquisition reform efforts and to reduce compliance burdens that may discourage broader participation in the Defense Industrial Base. In announcing the suspension, DoW stated that the current framework has imposed significant costs and administrative burdens on contractors, especially small and non-traditional businesses.
Effective immediately, DoW has suspended the transition to Phase II requirements, along with pending and future CMMC implementation milestones in solicitations and contracts. DoW also established a CMMC Reform Task Force to conduct a comprehensive review of the program and to provide recommendations within 60 days.
Cybersecurity Compliance Remains a Core Requirement
Although the announcement pauses the next phase of CMMC implementation, it does not remove contractors’ existing cybersecurity obligations. DoW stated that contractors remain responsible for safeguarding DoW CUI, requiring compliance with all applicable cybersecurity requirements.
DoW also confirmed that existing Phase I requirements remain in place and that cybersecurity compliance will continue to be assessed against NIST SP 800-171. Contractors should view the announcement as a pause in the certification rollout, not a reduction in the government’s cybersecurity expectations.
Implications for Defense Contractors
Contractors that were preparing for the November 2026 certification deadline may welcome the additional flexibility created by the suspension. But companies should be cautious about slowing or abandoning cybersecurity compliance initiatives in light of the Phase II rollout suspension.
Compliance with NIST SP 800-171 remains central to DoW’s cybersecurity requirements and continues to guide existing DFARS obligations. Contractors should continue maintaining documentation supporting cybersecurity assessments and other compliance-related representations. Lastly, companies should closely monitor developments over the coming months, as the CMMC Reform Task Force’s recommendations could result in significant changes to the current CMMC framework.
For now, the key takeaway is straightforward: DoW has paused a certification requirement, but it has not paused cybersecurity compliance. Contractors should continue meeting existing contractual cybersecurity requirements and preparing to demonstrate implementation of required cybersecurity controls while closely watching for further guidance following the DoW’s 60-day review.
In addition, contractors interested in providing comments on alternative approaches to ensuring cybersecurity resiliency in the Defense Industrial Base should submit comments to a recently published request for information by 12:00 p.m. ET on August 14, 2026. Steptoe is tracking these developments closely and has a team that regularly assists contractors with cybersecurity in terms of both technical implementation and policy.
