On July 13, 2026, the U.S Department of War (DoW) announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II, originally set to take effect November 10, 2026. That deadline is no longer moving forward as planned, and the Department has opened a 60-day review of the program.
For defense contractors, this is a significant development. It eases the immediate pressure tied to third-party certification and creates an opportunity to reassess planned compliance spending. It does not, however, eliminate the cybersecurity requirements that apply to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The right response is neither panic nor complacency. It is to understand exactly what changed, confirm what did not, and adjust readiness plans accordingly.
Why did the Department suspend Phase II?
The decision follows months of engagement between the Department of War (DoW), the Small Business Administration (SBA), and small business stakeholders, who warned that the current CMMC framework imposes costly bureaucratic burdens on the small contractors that are essential to growing the DIB. Those pressures caused many firms to leave, or seriously consider leaving, defense-related work. In response, the DoW launched a comprehensive review intended to recalibrate CMMC so it preserves strong cybersecurity while removing regulatory barriers to the Department’s Acquisition Transformation System.
SBA Administrator Kelly Loeffler said:
“The small businesses that undergird our defense industrial base are committed to protecting our nation’s digital domain, but cybersecurity cannot come at the cost of bureaucracy that shuts out the very companies our war fighters depend on.“
Industry groups and small business advocates have echoed similar concerns, warning that the cost and complexity of CMMC compliance could push smaller suppliers to reconsider their participation in the DIB altogether.
What does the suspension change?
The suspension primarily affects the transition to assessments conducted by CMMC Third-Party Assessment Organizations (C3PAOs) under Phase II. During the suspension, program managers and requiring activities may include only CMMC Level 1 Self or CMMC Level 2 Self requirements in procurement and requirements documents. They may not designate CMMC Level 2 C3PAO or CMMC Level 3 DIBCAC assessments.
The implementation guidance also directs the government to remove Level 2 C3PAO and Level 3 requirements from active solicitations and existing contracts. Active solicitations are to be amended as soon as practicable, and existing contracts are to be modified before the next option period or during the next scheduled administrative modification. This is meaningful relief for companies facing the cost, availability constraints, and operational pressure of an approaching third-party assessment.
It does not necessarily mean contract language will change overnight. Contractors should monitor their active solicitations and awards for formal amendments or modifications rather than assuming a public announcement automatically changes their individual contractual requirements.
What remains in force?
The suspension does not remove the obligation to protect government information. The DoW has explicitly stated that Phase I self-assessment requirements remain in place, that NIST SP 800-171 Revision 2 remains the cybersecurity baseline for protecting CUI during the interim period, and that DFARS 252.204-7012 remains in effect. Level 1 and Level 2 self-assessments may continue to appear in applicable procurements, and select government-led assessments may continue as well.
Defense contractors and subcontractors remain responsible for safeguarding covered defense information and complying with the cybersecurity clauses in their contracts. In short, this is a pause in the current certification model, not a pause in the threat environment, contractual responsibility, or the need for defensible cybersecurity.
Our perspective: recalibrate the roadmap, not the security program
As your IT & Cybersecurity team, our job is not to keep clients spending against a stale deadline. It is to help them protect sensitive information, meet current obligations, and adapt without wasting budget. That means holding two realities at once.
First, organizations that were accelerating toward a November 2026 C3PAO assessment should revisit their timelines. Spending driven exclusively by the Phase II deadline may need to be paused, renegotiated, or redirected. Second, stopping cybersecurity remediation altogether would be a mistake. The most valuable CMMC readiness work was never limited to preparing for an assessor.
- Identifying where FCI and CUI enter, move through, and leave the environment
- Reducing the number of systems, users, and vendors that can access sensitive information
- Strengthening identity, endpoint, network, and configuration security
- Improving logging, incident response, backup, and recovery capabilities
- Developing an accurate System Security Plan
- Closing material NIST SP 800-171 gaps
Those outcomes remain valuable and legally required regardless of what the revised CMMC program ultimately looks like. Pause the certification sprint where appropriate. Do not abandon the security program.
What should defense contractors do now?
Review your actual contract requirements. Confirm which DFARS and CMMC clauses apply to each contract, solicitation, and subcontract. For requirements involving a Level 2 C3PAO or Level 3 assessment, monitor for the formal amendment or modification directed by the Pentagon’s implementation guidance. Contract-specific questions should be reviewed with your contracting officer and qualified legal counsel.
Maintain an accurate, defensible self-assessment. A self-assessment is still an assessment. Scores, attestations, security plans, and supporting evidence should reflect your organization’s real operating environment rather than optimistic assumptions or documentation that exists only on paper.
Continue closing meaningful security gaps. Prioritize remediation that reduces actual exposure, including access control, multifactor authentication, secure configuration, vulnerability management, monitoring, incident response, and protection of CUI across users, systems, and third parties. These investments will matter under almost any reasonable version of a reformed CMMC program.
Rebaseline the budget and schedule. Separate planned spending into three categories: work required by current contracts, work that materially improves security, and work tied primarily to the suspended third-party assessment timeline. The third category deserves immediate review. The first two should not be discarded simply because the assessment calendar changed.
Preserve your readiness. Organizations do not need to remain in a costly, perpetual pre-assessment sprint, but they should preserve the documentation, configurations, evidence, and operational practices already developed. Letting those capabilities decay will make the next transition more expensive, whatever form it takes.
Monitor the reform process. The CMMC Reform Task Force is conducting a 60-day, top-to-bottom review and is expected to use industry feedback to recommend a revised approach that lowers barriers for small and mid-sized businesses while maintaining cybersecurity and operational resilience. Plans should remain adjustable until that guidance is released.
The opportunity inside the pause
The CMMC suspension gives the Defense Industrial Base breathing room. Used wisely, that breathing room can produce better outcomes than another deadline-driven compliance rush. Organizations now have an opportunity to simplify their environments, correct weak scoping decisions, focus resources on the controls that matter most, and build cybersecurity programs that are sustainable rather than merely assessable.
Our position is straightforward: do not spend blindly, and do not stop preparing. Reevaluate the schedule. Challenge unnecessary costs. Continue meeting current obligations. Keep improving the protection of FCI and CUI. And make sure the work performed today still holds value once the revised CMMC direction arrives.
The organizations in the strongest position after the 60-day review will not necessarily be the ones that spent the most. They will be the ones that used this window to become more secure, better documented, and less expensive to assess.
Not sure what to continue, pause, or change?
Our team helps defense contractors separate current contractual requirements from suspended certification milestones, prioritize the work that still matters, and build a readiness plan that adapts as CMMC reform guidance evolves. Contact Us to determine what should continue, what should change, and what can wait.


