On July 13, 2026, the Department of Defense (now referred to as the Department of War, or DoW) announced the immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which were scheduled to take effect on November 10, 2026. The action was accomplished through a memorandum from the DoW Chief Information Officer, a companion implementation memorandum from the Under Secretary of War for Acquisition and Sustainment, with accompanying procedures, and a public release framing the suspension as part of Secretary Hegseth’s Acquisition Transformation System. The stated objective is to reduce compliance barriers for small, medium, and non-traditional businesses in the Defense Industrial Base while the Department conducts a 60-day review of the program.

The suspension is a meaningful development for contractors and subcontractors across the defense supply chain, including Alaska Native Corporations, tribal enterprises, and other entrants for whom third-party certification costs and timelines have been a significant concern. It is equally important, however, to understand the limits of what the Department has done. This alert summarizes the change and identifies the issues contractors may wish to evaluate. It is intended as general information and not as legal advice; the appropriate response will depend on each contractor’s specific contracts, circumstances, and risk posture.

What the Suspension Does

During the suspension, Program Managers and requiring activities may only include the need for a CMMC Level 1 (Self) or CMMC Level 2 (Self) assessment in procurement requests and requirement documents. They are prohibited from designating CMMC Level 2 (C3PAO) third-party assessments or CMMC Level 3 (DIBCAC) assessments. In practical terms, the third-party and government-led certification requirements that formed the core of Phase II are switched off for the duration of the review.

For active solicitations that included a Level 2 (C3PAO) or Level 3 (DIBCAC) requirement, the procedures direct requiring activities to initiate amendments removing those requirements, with contracting officers issuing corresponding solicitation amendments as soon as practicable. For existing contracts containing such requirements, contracting officers are directed to remove them by modification prior to the next option exercise or during the next scheduled administrative modification. The Department has also suspended the associated waiver procedures during the review period.

What the Suspension Does Not Change

The Department is explicit that this is a pause on the Phase II certification mechanism, not a rollback of underlying cybersecurity obligations. Several requirements remain fully in force:

    • DFARS clause 252.204-7012 remains in effect. The obligations to safeguard covered defense information, to report cyber incidents within 72 hours, to preserve media, and to flow the clause down to subcontractors are unchanged.
    • Compliance with NIST SP 800-171 Rev. 2 continues to be enforced — now through self-assessment and, notably, through “select government-led assessments.” The reservation of a government-led assessment mechanism means self-attestation is not the equivalent of no oversight.
    • Existing contractual cybersecurity clauses remain intact, and contractors remain obligated to protect federal contract information and controlled unclassified information consistent with FAR 52.204-21 and NIST SP 800-171.

Issues Contractors May Want to Consider

The suspension changes the near-term compliance picture, but it also concentrates attention on areas that warrant careful thought. Among the questions contractors may find worth evaluating:

The status of pending bids and active contracts. Contractors with proposals in progress, or with awarded contracts that already contain C3PAO or DIBCAC language, may wish to understand whether and when the anticipated amendments or modifications will issue, and how the timing interacts with their own certification planning and expenditures.

The reliability of self-assessment representations. With self-assessment now the primary vehicle, the accuracy of scores submitted to the Supplier Performance Risk System takes on heightened significance. Because those representations continue to be made to the Government, contractors may want to consider how the enforcement environment — including under the civil False Claims Act — bears on the diligence behind their self-assessments.

The durability of the suspension. The change was effected by memoranda suspending implementation rather than by amendment to the governing regulations, which remain on the books. Contractors may wish to weigh how much long-term planning to build around an interim posture that is subject to a 60-day review and could be modified, replaced, or reinstated.

The interim security baseline. Because government-led assessments remain available and the 7012 obligations persist, contractors may want to consider whether relaxing internal compliance efforts during the suspension aligns with their overall risk tolerance, particularly given incident-reporting exposure that does not depend on CMMC at all.

Subcontractor and supply-chain flowdowns. Prime contractors may wish to evaluate how the suspension affects the cybersecurity terms they flow down, and whether existing subcontract language should be revisited in light of the change.

Engagement with the review. The Department has established a CMMC Reform Task Force and signaled a public Request for Information as a channel for industry input. Contractors with a stake in the shape of the successor framework may want to consider whether participation is worthwhile.

Looking Ahead

The Department has framed this as an interim measure pending the conclusion of a 60-day review, with further guidance to follow. The trajectory of the program — whether Phase II returns in modified form, is replaced by a different framework, or is deferred further — remains open.

This article summarizes aspects of the law and does not constitute legal advice. For legal advice with regard to your situation, you should contact an attorney.

Sign up

Ideas & Insights