The Department of War (DoW) announced July 13 that it is immediately suspending implementation of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which had been scheduled to take effect on November 10, 2026. The Department will instead conduct a comprehensive 60-day review of the program as part of Secretary of War Pete Hegseth’s broader Acquisition Transformation System (ATS) initiative, which seeks to streamline defense acquisition, reduce regulatory burdens, and accelerate delivery of new capabilities to the warfighter.
The Department emphasized that Phase I self-assessment requirements remain in effect, and defense contractors continue to be contractually required to protect Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) under existing Defense Federal Acquisition Regulation Supplement (DFARS) requirements.
The suspension applies to pending and future CMMC Phase II implementation milestones across Department solicitations and contracts.
A Familiar Pause in an Evolving Program
While the announcement represents the most significant change to CMMC since implementation began, it is not the first time the program has been delayed or substantially revised.
Originally introduced in 2020 as CMMC 1.0, the certification program was intended to require third-party cybersecurity assessments across the Defense Industrial Base before contractors could receive certain Department of Defense awards.
In early 2021, the Biden Administration initiated a comprehensive review of the program. That review resulted in the creation of CMMC 2.0, announced in November 2021, which reduced the framework from five certification levels to three, expanded the use of annual self-assessments for many contractors, and significantly delayed implementation while the Department completed federal rulemaking.
Implementation remained largely on hold throughout 2022, 2023, and much of 2024 as the Department finalized Title 32 and Title 48 regulations governing the program before phased implementation began in late 2025.
The latest suspension marks the first time the Department has paused a scheduled implementation phase after the revised framework entered contract execution.
Acquisition Reform Driving the Review
According to the Department, the review is intended to align cybersecurity requirements with the Administration’s broader acquisition modernization strategy.
“Ensuring access to leading-edge commercial capabilities is a critical driver powering the Secretary of War’s operational execution for the ‘Arsenal of Freedom,'” the Department said in announcing the decision.
Department officials argued that although CMMC was designed to strengthen cybersecurity across the Defense Industrial Base (DIB), the certification process has also created significant compliance costs, particularly for small businesses, non-traditional contractors, and commercial technology firms.
The Department cited recent Small Business Administration findings indicating that compliance costs have discouraged some innovative companies from entering or remaining in the defense marketplace, potentially slowing delivery of new technologies to the warfighter.
CIO Launches Comprehensive Review
“In support of Secretary Pete Hegseth’s directive to reduce compliance barriers for small and medium sized businesses, we are today suspending the CMMC Phase II requirements and initiating a 60-day study of the future of this program,” said Department of War Chief Information Officer Kirsten A. Davies.
“Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness. We believe the DIB can achieve both, while we reduce unnecessary government red tape.”
The Department is establishing a CMMC Reform Task Force to conduct what officials described as a “top-to-bottom review” of the certification program.
The task force will analyze industry feedback submitted through a forthcoming Request for Information (RFI) and evaluate alternatives that:
- Lower barriers for small, medium-sized, and non-traditional businesses;
- Prioritize speed to capability;
- Develop scalable cybersecurity requirements; and
- Maintain operational resilience while reducing unnecessary administrative burden.
The Task Force is expected to submit recommendations to the CIO within 60 days.
Cybersecurity Requirements Remain Unchanged
Although the certification rollout has been paused, the Department stressed that cybersecurity obligations themselves remain unchanged.
Defense contractors will continue demonstrating compliance with NIST SP 800-171 Revision 2 through self-assessments and selected government-led assessments during the review period.
In addition, contractors remain contractually obligated under DFARS 252.204-7012 to adequately safeguard Covered Defense Information and report cyber incidents involving covered systems.
The Department emphasized that the suspension affects how compliance is verified, not the underlying requirement to protect sensitive defense information.
AI, Quantum, and Acquisition Speed
The review also comes as the cybersecurity landscape has evolved considerably since CMMC was first conceived.
Artificial intelligence is rapidly changing both cyber offense and defense, enabling attackers to automate vulnerability discovery and phishing campaigns while providing defenders with increasingly sophisticated tools for threat detection and incident response. At the same time, federal agencies are accelerating preparations for post-quantum cryptography as quantum computing advances raise concerns over the long-term security of today’s encryption standards.
Meanwhile, commercial software development and technology innovation now move at a pace measured in days or weeks, while cybersecurity certification and acquisition processes often operate over months or years. Department officials indicated the review will examine whether the current certification model appropriately balances cybersecurity assurance with the speed needed to field emerging capabilities.
What Comes Next
The announcement represents another significant milestone in the continuing evolution of CMMC rather than the elimination of the program itself.
The Department’s 60-day review will determine whether Phase II proceeds largely as planned, is modified to reduce compliance burdens, or is replaced with an alternative model emphasizing continuous cybersecurity practices, self-assessments, and targeted government oversight.
For now, contractors should view the announcement as a pause in certification implementation—not a relaxation of cybersecurity requirements. Existing DFARS obligations and NIST SP 800-171 compliance remain in force while the Department reassesses how best to secure the Defense Industrial Base in an increasingly dynamic technology and threat environment.




