Department of Defense Suspends CMMC Phase II Requirements

The Department of Defense has announced an immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which were originally slated to take effect on November 10, 2026. This strategic pivot is part of Secretary of Defense Pete Hegseth’s Acquisition Transformation System (ATS), aimed at accelerating procurement and reducing compliance barriers for small and non-traditional contractors. While the move offers temporary relief from third-party certification costs, it signals a fundamental reevaluation of the program that will reshape how the defense industrial base approaches cybersecurity compliance.
The Department of Defense's decision to halt CMMC Phase II implementation on July 13, 2026, includes an immediate pause on all pending and future implementation milestones across department solicitations and contracts. To guide the program's future, the DoD has established a 60-day CMMC Reform Task Force charged with reviewing the certification framework and considering industry feedback regarding implementation challenges and costs. This task force is expected to recommend a revised framework that maintains security for sensitive government information while significantly reducing the administrative burdens that have historically limited competition within the defense marketplace.
Chief Information Officer Kirsten A. Davies and Under Secretary of Defense for Acquisition and Sustainment Michael Duffey emphasized that the suspension is driven by the need to prioritize acquisition speed and expand the industrial base. Data from the Small Business Administration indicated that the high costs of third-party CMMC certification were discouraging innovative companies from participating in defense contracting, leading officials to conclude that the existing model increased costs without providing proportionate operational benefits. The department now intends to explore cybersecurity frameworks that emphasize measurable security outcomes and operational resilience rather than extensive, bureaucratic certification requirements.
Despite the suspension of Phase II, defense contractors remain subject to significant cybersecurity obligations, including all existing Phase I self-assessment requirements. The DoD confirmed it will continue to enforce compliance with NIST Special Publication 800-171 Revision 2 and that all contractors are still contractually bound by DFARS 252.204-7012 to safeguard Covered Defense Information. Companies are warned that failure to maintain these standards or misrepresenting compliance status continues to carry risks of contractual penalties, administrative actions, and potential exposure under the False Claims Act.
The policy shift creates immediate questions for ongoing procurements that had already incorporated CMMC Phase II language. Contracting agencies are now tasked with determining if existing solicitations require amendments or revised evaluation criteria to reflect the pause. Defense firms are advised to monitor active solicitations closely and maintain robust NIST SP 800-171 compliance programs, as the eventual recommendations from the CMMC Reform Task Force may introduce a restructured compliance model focused on different security metrics.
Summary generated by RabbitReport AI from public reporting. The full article and original reporting belong to The National Law Review.