The Department of War Suspends CMMC Phase II: A Reset for Contractor Cybersecurity

Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) cybersecurity training. Photo: Defense Contract Management Agency via DVIDS (courtesy). Use does not imply endorsement.

The Department of War Suspends CMMC Phase II: A Reset for Contractor Cybersecurity

On 13 July 2026 the United States Department of War suspended Phase II of its Cybersecurity Maturity Model Certification programme, the stage that would have forced independent third-party audits on roughly 80,000 defence contractors from 10 November 2026. Phase I self-assessment stays. A 60-day review by a new CMMC Reform Task Force will redesign the model.

Technical Summary

The Cybersecurity Maturity Model Certification (CMMC) is the United States mechanism for proving that defence contractors protect sensitive government information before they are allowed to win the work. Its programme rule sits at Title 32 of the Code of Federal Regulations (CFR) part 170 and took effect on 16 December 2024. The contract trigger is a Defense Federal Acquisition Regulation Supplement (DFARS) clause, 252.204-7021, which writes a required certification level into a solicitation. The rollout was staged. Phase I leaned on the contractor's own word through self-assessment. Phase II was the hard edge, the point at which an accredited outside auditor had to sign off before a company could hold data classed as Controlled Unclassified Information (CUI).

That hard edge is gone, for now. On 13 July 2026 the Department of War, the renamed United States Department of Defense (DoD), suspended Phase II with immediate effect, less than four months before its 10 November 2026 start date. Roughly 80,000 firms sat in scope for third-party assessment under the full programme, and they will not face a Certified Third-Party Assessment Organisation (C3PAO) audit while the suspension holds. What survives is the floor. Phase I self-assessment continues, and the existing safeguarding duty under National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2 and DFARS clause 252.204-7012 stays exactly where it was.

The combination of prohibitive compliance costs, severe shortages in third-party assessment capacity, and complex regulatory timelines is actively forcing innovative new entrants and small businesses to opt out of Department contracts. Kirsten A. Davies, Department of War Chief Information Officer

Analysis: Effects on the Industrial Base

Read the decision as a collision between a mandate and industrial reality. The Department's own Chief Information Officer (CIO), Kirsten A. Davies, put the problem in blunt terms: cost, capacity and timing were pushing the very firms the Pentagon wants to attract out of the market. Accredited assessors are scarce. A small machine shop or a software start-up faced a bill, a waiting list for an auditor, and a compliance calendar that did not match its cash flow. The Small Business Administration (SBA) had already warned that the scheme risked hollowing out the base it was meant to secure, and its Administrator, Kelly Loeffler, called the certification an untenable barrier for mission-critical small businesses.

The suspension does not erase the rule, and that distinction matters. Under Secretary of War for Acquisition and Sustainment Michael Duffey and Secretary Pete Hegseth have ordered a review, not a repeal. A newly stood-up CMMC Reform Task Force has 60 days to design a lighter model, one the Department says will prioritise speed to capability and swap prohibitive third-party compliance for scalable, realistic security measures. The table below sets out what has changed and what has not.

StageTimingStatus after 13 July 2026
Phase I self-assessment (Levels 1 and 2 self)In effectRetained
Phase II third-party certification (C3PAO audit)Was due 10 November 2026Suspended
NIST SP 800-171 Rev 2 and DFARS 252.204-7012 dutiesIn forceUnchanged
CMMC Reform Task Force reviewOrdered 13 July 202660-day review under way

Security and Assurance Considerations

Suspending the audit does not suspend the threat. Adversary intelligence services have spent years targeting sub-tier suppliers precisely because the prime contractors are harder to breach. The certification step was the assurance that a supplier's controls existed in practice and not merely on a self-scored spreadsheet. Removing it shifts the burden back onto self-attestation and onto the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the government team that already runs the higher-tier assessments. The question for the next 60 days is a plain one. Can a reformed model keep the assurance while shedding the cost, or does the floor quietly drop?

Data Gaps

Several things remain unconfirmed at the time of writing. The Department has published no dollar figure for the compliance costs it calls prohibitive, so the headline burden is asserted in the release rather than quantified. The shape of the replacement model is unknown, and no date is set for any successor to Phase II. It is also unclear how the pause affects allied suppliers, including United Kingdom and European firms that feed United States primes and had been preparing for the same certification. ISC will update this assessment as the Task Force reports.

Key Questions

What is CMMC Phase II and why was it suspended?

Phase II of the Cybersecurity Maturity Model Certification would have required independent third-party audits of defence contractors handling sensitive information. The Department of War suspended it on 13 July 2026, citing high compliance costs and a shortage of accredited assessors that were pushing small firms out of federal work.

Do defence contractors still have to meet cybersecurity rules?

Yes. Phase I self-assessment stays in force, and contractors remain bound by existing safeguards under NIST SP 800-171 Revision 2 and DFARS clause 252.204-7012. The suspension removes the third-party certification step, not the underlying security obligations.

What happens after the 60-day review?

A new CMMC Reform Task Force will spend 60 days designing a lighter model that lowers barriers for small and non-traditional suppliers while keeping a security baseline. No firm date is set for any replacement, and Phase II could return in an altered form.

References

Source-evaluated under NATO STANAG 2022 (Reliability A–F / Accuracy 1–6). Tier 1 = government primary source; Tier 2 = quality news / specialist defence media; Tier 3 = authoritative aggregator / encyclopaedia.

  1. T1U.S. Department of War – Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements, 13 July 2026. (Reliability A / Accuracy 1)
  2. T1Federal Register – Cybersecurity Maturity Model Certification (CMMC) Program, 32 CFR part 170, 15 October 2024. (Reliability A / Accuracy 1)
  3. T2Federal News Network – Pentagon suspends CMMC phase two requirements, launches review of program, 13 July 2026. (Reliability B / Accuracy 2)
  4. T2DefenseScoop – DOD halts cybersecurity requirements for CMMC Phase 2, 13 July 2026. (Reliability B / Accuracy 2)
  5. T2Breaking Defense – Pentagon announces immediate suspension of CMMC Phase II mandates, 13 July 2026. (Reliability B / Accuracy 2)
  6. T2Washington Technology – DOD suspends CMMC Phase 2, launches 60-day reform review, 13 July 2026. (Reliability B / Accuracy 2)

Corrections & updates welcome. If you hold open-source data that refines or corrects any parameter in this article, please contact [email protected] citing the specific claim and your source. Verified corrections will be incorporated and credited in the revision history. AI-assisted technical assessment based on open-source material. Not a formal intelligence product.