Department of War Suspends CMMC Phase II, Launches 60-Day Review

The Department of War (DoW) announced July 13 that it is immediately suspending implementation of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which had been scheduled to take effect on November 10, 2026. The Department will instead conduct a comprehensive 60-day review of the program as part of Secretary of War Pete Hegseth’s broader Acquisition Transformation System (ATS) initiative, which seeks to streamline defense acquisition, reduce regulatory burdens, and accelerate delivery of new capabilities to the warfighter.

The Department emphasized that Phase I self-assessment requirements remain in effect, and defense contractors continue to be contractually required to protect Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) under existing Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

The suspension applies to pending and future CMMC Phase II implementation milestones across Department solicitations and contracts.

A Familiar Pause in an Evolving Program

While the announcement represents the most significant change to CMMC since implementation began, it is not the first time the program has been delayed or substantially revised.

Originally introduced in 2020 as CMMC 1.0, the certification program was intended to require third-party cybersecurity assessments across the Defense Industrial Base before contractors could receive certain Department of Defense awards.

In early 2021, the Biden Administration initiated a comprehensive review of the program. That review resulted in the creation of CMMC 2.0, announced in November 2021, which reduced the framework from five certification levels to three, expanded the use of annual self-assessments for many contractors, and significantly delayed implementation while the Department completed federal rulemaking.

Implementation remained largely on hold throughout 2022, 2023, and much of 2024 as the Department finalized Title 32 and Title 48 regulations governing the program before phased implementation began in late 2025.

The latest suspension marks the first time the Department has paused a scheduled implementation phase after the revised framework entered contract execution.

Acquisition Reform Driving the Review

According to the Department, the review is intended to align cybersecurity requirements with the Administration’s broader acquisition modernization strategy.

“Ensuring access to leading-edge commercial capabilities is a critical driver powering the Secretary of War’s operational execution for the ‘Arsenal of Freedom,'” the Department said in announcing the decision.

Department officials argued that although CMMC was designed to strengthen cybersecurity across the Defense Industrial Base (DIB), the certification process has also created significant compliance costs, particularly for small businesses, non-traditional contractors, and commercial technology firms.

The Department cited recent Small Business Administration findings indicating that compliance costs have discouraged some innovative companies from entering or remaining in the defense marketplace, potentially slowing delivery of new technologies to the warfighter.

CIO Launches Comprehensive Review

“In support of Secretary Pete Hegseth’s directive to reduce compliance barriers for small and medium sized businesses, we are today suspending the CMMC Phase II requirements and initiating a 60-day study of the future of this program,” said Department of War Chief Information Officer Kirsten A. Davies.

“Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness. We believe the DIB can achieve both, while we reduce unnecessary government red tape.”

The Department is establishing a CMMC Reform Task Force to conduct what officials described as a “top-to-bottom review” of the certification program.

The task force will analyze industry feedback submitted through a forthcoming Request for Information (RFI) and evaluate alternatives that:

  • Lower barriers for small, medium-sized, and non-traditional businesses;
  • Prioritize speed to capability;
  • Develop scalable cybersecurity requirements; and
  • Maintain operational resilience while reducing unnecessary administrative burden.

The Task Force is expected to submit recommendations to the CIO within 60 days.

Cybersecurity Requirements Remain Unchanged

Although the certification rollout has been paused, the Department stressed that cybersecurity obligations themselves remain unchanged.

Defense contractors will continue demonstrating compliance with NIST SP 800-171 Revision 2 through self-assessments and selected government-led assessments during the review period.

In addition, contractors remain contractually obligated under DFARS 252.204-7012 to adequately safeguard Covered Defense Information and report cyber incidents involving covered systems.

The Department emphasized that the suspension affects how compliance is verified, not the underlying requirement to protect sensitive defense information.

AI, Quantum, and Acquisition Speed

The review also comes as the cybersecurity landscape has evolved considerably since CMMC was first conceived.

Artificial intelligence is rapidly changing both cyber offense and defense, enabling attackers to automate vulnerability discovery and phishing campaigns while providing defenders with increasingly sophisticated tools for threat detection and incident response. At the same time, federal agencies are accelerating preparations for post-quantum cryptography as quantum computing advances raise concerns over the long-term security of today’s encryption standards.

Meanwhile, commercial software development and technology innovation now move at a pace measured in days or weeks, while cybersecurity certification and acquisition processes often operate over months or years. Department officials indicated the review will examine whether the current certification model appropriately balances cybersecurity assurance with the speed needed to field emerging capabilities.

What Comes Next

The announcement represents another significant milestone in the continuing evolution of CMMC rather than the elimination of the program itself.

The Department’s 60-day review will determine whether Phase II proceeds largely as planned, is modified to reduce compliance burdens, or is replaced with an alternative model emphasizing continuous cybersecurity practices, self-assessments, and targeted government oversight.

For now, contractors should view the announcement as a pause in certification implementation—not a relaxation of cybersecurity requirements. Existing DFARS obligations and NIST SP 800-171 compliance remain in force while the Department reassesses how best to secure the Defense Industrial Base in an increasingly dynamic technology and threat environment.

Kalyna White is an operations and strategy professional with expertise spanning government relations, nonprofit leadership, and digital communications. She currently serves as Manager at the Government Technology & Services Coalition (GTSC), where she oversees day-to-day operations, manages over $1 million in annual billing, supports 200+ member companies, and leads events with up to 400 attendees. She also directs the editorial and digital strategy for Homeland Security Today, where her leadership has grown the platform from 200,000 to more than 4 million annual visitors. In addition to her professional work, Kalyna is the Founder of LABUkraine, a nonprofit organization that connects Ukrainian youth to opportunity through technology and education by building computer labs with recycled technology from American businesses. Since Russia’s invasion, she has expanded LABUkraine’s mission to deliver critical humanitarian aid to frontline communities, coordinating international logistics for medical supplies, water filtration systems, and hygiene goods. A graduate of the University of California, San Diego with a B.A. in Political Science and minors in Middle Eastern Studies and English Literature, Kalyna also served as President of the Panhellenic Association and Pi Beta Phi Fraternity, representing more than 1,500 women. She has been deeply engaged in the homeland security community since high school, serving for nearly a decade as Youth Ambassador and later a Board Member for Women in Homeland Security. She is passionate about leveraging operations, strategy, and innovation to strengthen organizations and create lasting global impact.

Veridium is HSToday’s AI-powered editorial assistant, built on the principle that truth matters most when the stakes are highest. Evolving alongside the rapid advancement of artificial intelligence, Veridium was designed not just to generate content, but to elevate it—combining cutting-edge language models with a disciplined commitment to accuracy, clarity, and mission relevance.

From its earliest iterations, Veridium has been rigorously trained to prioritize facts over narratives. It does not follow political trends or ideological framing; instead, it anchors its outputs in verified information, credible sourcing, and balanced analysis. Its development has been guided by a clear standard: to support journalism that informs rather than influences.

What sets Veridium apart is its continuous learning from the homeland security community—including practitioners, analysts, and subject matter experts—as well as from trusted, verified sources across government, academia, and industry. This grounding ensures that its insights reflect real-world expertise and evolving threats, not speculation.

As AI continues to transform how information is created and consumed, Veridium represents a deliberate path forward: technology in service of truth, built to support the integrity and mission of HSToday.

Related Articles

Latest Articles