On July 13th, 2026, the Department of War’s (DOW) Chief Information Office (CIO) announced a 60-day suspension of Phase II implementation of the Cybersecurity Maturity Model Certification (CMMC).
This is not a suspension of cybersecurity compliance. It is a pause of implementation requirements, stipulating that contractors with access to covered defense information would be subject to a third-party audit certification process every three years, in addition to annual self-affirmation of compliance. Phase II implementation was originally scheduled to come into effect on November 10th, 2026.
What is CMMC?
CMMC is a pre-contractual award assessment to determine whether a contractor has implemented cybersecurity protections necessary to adequately safeguard defense information. CMMC seeks to increase the cybersecurity posture of defense contractors to better protect federal contract information (FCI)[1] and controlled unclassified information (CUI)[2]. This is required by all defense contractors and subcontractors prior to being awarded a contract and conducting work. For a more detailed introduction to CMMC, see S-RM’s earlier webinar, Tips for CMMC Success.
A brief CMMC timeline
The July 13 2026 suspension of CMMC Phase II is the second major program-level reset in CMMC’s history, following the 2021 transition from CMMC 1.0 to CMMC 2.0. Between those resets, CMMC also experienced several implementation delays, regulatory rewrites, scope clarifications, and accommodations that moved it away from its original premise: universal third-party certification, no unresolved deficiencies, and a maturity-based security model for the Defense Industrial Base (DIB)[3].

What's new
- The DOW’s CIO has ordered a 60-day suspension of CMMC Phase II and future requirements to establish a CMMC Reform Task Force.
- The CMMC Reform Task Force is scheduled to conduct a comprehensive top-to-bottom review of the certification program. This task force will serve as the central hub for synthesizing industry feedback via a public Request for Information (RFI) regarding compliance challenges.
- Within 60 days, the task force will deliver a final report recommending realistic, scalable security measures, to "prioritize speed" and "lower barriers for small and non-traditional businesses."
- During this interim period, the DOW will continue to enforce cybersecurity compliance with the NIST SP 800-171 Rev 2 standard through self-assessments and select government-led assessments (Level III requirements).
What has not changed
- The DOW retained Defense Federal Acquisition Regulation Supplement (DFARS) compliance requirements, including adherence to NIST 800-17r2, conducting a self-assessment, and preserving government assessment mechanisms. Phase I self-assessment requirements remain in place, and contractors must maintain compliance with DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.
- Level 1 Safeguarding of Federal Contract Information (FCI): Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR 52.204-21 and the submission of a Supplier Performance Risk System (SPRS) is still required.
- Level 2 Broad Protection Controlled Unclassified Information (CUI): A self-assessment every three years, with annual affirmation of compliance with the 110 security requirements in NIST SP 800-171 Revision 2 and the submission of a Supplier Performance Risk System (SPRS) score is still required.
- False Claims Act liability remains when submitting an SPRS score. The Department of Justice has increasingly identified and pursued fraudulent defense contractor cybersecurity risk scoring, resulting in potential fines ranging from thousands of dollars to several million dollars depending upon the severity of the violation.
What does this mean for defense contractors
- Organizations are still required to adhere to DFARS 252.204-7012 ‘Safeguarding Covered Defense Information and Cyber Incident Reporting’ which mandates compliance with NIST 800-171r2.
- Given DFARS 252.239.7010 Cloud Computing and DFARS 252.204-7012 requirements, we advise that managed service providers (MSP) and managed security service providers (MSSP) should be leveraged to protect CUI via managed enclaves[4] when traditional commercial environments are not equipped to do so.
- Prime defense contractors with preexisting CMMC requirements may still require a third-party audit and certification for subcontractors within the supply chain; this will ultimately be at the prime's discretion.
Now what? Three key predictions
While we cannot know for certain at this stage how the Department of War plans to reform CMMC following their 60-day task force review, we assess there are three possibilities based on historical events and the trajectory of the program:
1. A revised CMMC
A revised CMMC for all contractors remains likely given the fact that multiple DOW CIOs have paused, assessed, and revised CMMC since its inception.
- The Department of War is unlikely to abandon the need for a common cybersecurity baseline across the Defense Industrial Base (DIB). A revised model may reduce third-party assessment burden, expand the use of self-assessments and government-led assessments, and/or deprioritize the emphasis of policies and documentation; this could result in lower cost and compliance barrier of entry.
- A revised CMMC could reduce the threat of shrinking defense contractor capacity by reducing the requirement of a third-party audit for a more significant portion of the DIB than was originally subject to the Phase II implementation; this would free up certified third-party audit organizations to assess fewer defense contractors and eliminate the associated audit expense, which can be more than $50,000. This could result in additional cost savings from a technology and compliance documentation perspective for defense contractors, especially small businesses, that previously may have been forced to be acquired by a larger organization to remain in business or exit the DIB entirely.
- Key areas of concern remain in a refined CMMC environment:
- Evolving cybersecurity requirements lead to further complexity: Organizations are currently required to adhere to NIST 800-171 revision 2, with an Interim Final Rule for NIST 800-171 revision 3 compliance anticipated this summer. As cybersecurity requirements continue to change, defense contractors are required to reinvest in, and change, their cybersecurity programs.
- Increased risk of false claims: As defense contractors submit self-adherence, there is an increased likelihood of fraudulent cybersecurity claims that would expose the DIB to heightened cybersecurity risk and financial penalties for noncompliance.
2. Introduction of small and medium-sized business (SMB) and non-traditional contractor CMMC requirements
- The DOW has prioritized accelerating the speed to capability and acquisition by “lowering barriers for small, medium, and non-traditional businesses.” To lower barriers, additional procurement measures have been leveraged, including Other Transition Authorities (OTAs), to support research activities and prototype projects, before statutory requirements are met.
- A SMB and non-traditional CMMC requirement could expand the defense contractors’ capacity by limiting compliance requirements for specific subsectors of the DIB, including small, medium, and non-traditional defense contractors.
Examples that could reduce compliance requirements include the enforcement of only (i) CMMC Level I instead of Level II, (ii) self-attestation only, and/or (iii) enforcing the requirements on a prime contractor instead of a subcontractor. This also offers an opportunity for the DOW to introduce a grant system to encourage and subsidize cybersecurity enhancements for defense contractors in these categories.
- A key concern in a revised CMMC environment is the potential erosion of a consistent and sufficiently rigorous cybersecurity baseline across the defense supply chain. Whether cybersecurity requirements are applied unevenly or replaced with less comprehensive alternatives, gaps may emerge that threat actors can exploit to access sensitive information, disrupt operations, or undermine national security objectives.
3. Elimination of CMMC
The option of eliminating CMMC requirements remains unlikely, albeit a possibility.
- In this scenario, DFARS 252.204-7012 requirements could be repealed via the Federal Register’s rulemaking process. CMMC could be replaced with a limited set (i.e., 15 Basic Safeguarding of Covered Contractor Information Systems as defined in FAR 52.204-21), or a broader, more subjective set of cybersecurity requirements.
Our opinion in the face of uncertainty
The suspension of CMMC and its implementation is nothing new. The U.S. Government has taken many pauses over the last decade to review and revise the Cybersecurity Maturity Model Certification to accommodate the DIB and pursue lower cost of entry. The current suspension of Phase II implementation should not be interpreted as the end of cybersecurity requirements. The DOW has stated its intent to realign cybersecurity requirements to its reformed acquisition standards. The most likely outcome is a revised cybersecurity assurance model that aligns closely with the DOW’s Acquisition Transformation Strategy to increase speed to capability while continuing to prioritize cybersecurity requirements across defense contracts.
Given the ongoing legal and contractual requirement of Safeguarding Covered Defense Information and Cyber Incident Reporting, defense contractors or organizations interested in performing defense-related work should stay the course. Defense contractors that abandon adherence to DFARS requirements by not self-attesting to NIST 800-171r2 or submitting inaccurate self-attestation will accept significant risk. The U.S. Government can take steps to cancel contracts or pursue False Claims Act penalties.
The current suspension opens the door for defense contractors that may have otherwise left the DIB to reconsider its decisions. S-RM advises that these organizations connect with their legal counsel and compliance partners to assess the current landscape and stay prepared for CMMC reformation. We also recommend all defense contractors communicate and coordinate with your defense contractor ecosystem, upstream and downstream, to align on expected timeline, cybersecurity requirements, and control implementation.
[1] Federal Contract Information (FCI): As defined in section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
[2] Controlled Unclassified Information (CUI): As outlined in Title 32 CFR 2002.4(h), CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
[3] The DIB is the worldwide industrial complex that enables research and development of military weapons systems, subsystems, and components or parts.
[4] A managed enclave is a segmented, highly controlled workspace designed to securely store and process CUI in an environment separate from an organization’s commercial environment.