What You Need to Know
- Key takeaway #1The Department of War (DoW) is immediately suspending Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which had been scheduled to take effect on November 10, 2026, along with other pending and future CMMC implementation milestones in current contracts.
- Key takeaway #2DoW plans to establish a CMMC Reform Task Force and conduct a 60-day study of CMMC.
- Key takeaway #3DFARS 252.204-7012 and CMMC Phase I self-assessment requirements remain unaffected. Contractors are still required to protect federal data and implement security controls, including NIST SP 800-171, as required by their contracts.
The Department of War (DoW) is immediately suspending Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which had been scheduled to take effect on November 10, 2026.
What is CMMC, and What is Phase II?
DoW’s CMMC program is a certification initiative to verify that the Defense Industrial Base is consistently implementing mandatory cybersecurity controls to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). DoW had planned for CMMC to take effect over a four-phase rollout. Phase I took effect on November 10, 2025, and focused on contractor self-assessment requirements. Phase II, which had been expected to take effect on November 10, 2026, would see the inclusion of third-party assessment requirements in DoW contracts.
What Happened?
Citing prohibitive compliance costs and bureaucratic burdens, the DoW announced the suspension of Phase II in alignment with Secretary Hegseth’s initiatives to streamline the acquisition process. The DoW specified that it is suspending the transition to Phase II requirements of CMMC, as well as pending and future CMMC implementation milestones across the Department of War solicitations and contracts.
The DoW’s Chief Information Officier is establishing a CMMC Reform Task Force to conduct a comprehensive top-to-bottom review of the certification program, synthesizing industry feedback obtained through a public Request for Information and delivering a final report within 60 days.
During this review period, DoW will continue to enforce cybersecurity compliance with the NIST SP 800-171 Rev 2 standard via self-assessments and select government-led assessments.
What Remains Unchanged?
As DoW notes, this action does not eliminate other contractual requirements to protect federal data. Importantly, all defense contractors and subcontractors remain contractually obligated to safeguard covered defense information under DFARS 252.204-7012. Additionally, DoW noted that CMMC Phase I self-assessment requirements “remain firmly in place.” These include Level 1 self-assessed certifications and attestations to protect FCI, as well as Level 2 self-assessments and attestations to protect CUI. The DoW did not explicitly reference the discretion that Phase 1 provided the DoW to require C3PAO assessments on a case-by-case basis before Phase 2.
UPDATE July 14, 2026. DoW has clarified in a memo accompanying the Phase II suspension press release that any active solicitations and contracts, which already include CMMC Level 2 C3PAO or CMMC Level 3 assessment requirements, must be amended to remove those requirements. Solicitations must be amended “as soon as practicable” while the memo directs contracting officers to amend existing contracts “prior to the exercise of the next option period or during the next scheduled administrative modification.”
What This Means for Contractors?
Defense contractors should continue to maintain robust cybersecurity practices under existing DFARS obligations, monitor for opportunities to submit feedback to the Reform Task Force, and track the 60-day review for guidance on revised CMMC requirements.
Defense contractors should be aware that while the Phase II rollout is paused, existing compliance obligations, particularly DFARS 252.204-7012 and CMMC Phase I requirements, remain in force. Whether or not CMMC certification obligations change, contractors will need to implement NIST SP 800-171 to safeguard DoW CUI and ensure they can defend their practices under government scrutiny. The Department of Justice remains vigilant about leveraging the False Claims Act to investigate alleged noncompliance with DFARS 252.204-7012 and 252.204-7020 under its Civil Cyber-Fraud Initiative, and could expand its focus to false or inaccurate CMMC Phase I self-assessments in the future.

For further information, please contact:
Kate M. Growley, Partner, Crowell & Moring
kgrowley@crowell.com




