Department of Defense Suspends CMMC Phase II
CMMC requires defense contractors to undergo one of three certification "levels" (Level 1-3) to obtain a defense contract. The certification level required for each contract depends on the type of data the contractor may handle under that contract. CMMC has rolled out in phases since the DoD issued the final Program Rule in October 2024. We discussed this rollout and provided an overview of the program in a prior blog post. Phase I began on November 10, 2025, and introduced self-assessment requirements for Level 1 and Level 2 contracts. Phase II was scheduled to begin November 10, 2026, and would have required assessments for compliance with Level 2 conducted by CMMC third-party assessment assessor organizations (C3PAOs) in some DoD contracts. Phase 3, scheduled to begin November 10, 2027, would require assessments conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) for Level 3 contracts. By Phase 4, scheduled to begin November 10, 2028, all DoD contracts would require certification with one of the three CMMC levels. The pause to Phase II calls into question whether the DoD will meet these timelines—and whether CMMC will continue in its existing form at all.
The suspension is framed by the DoD as necessary to review the "significant" and "prohibitive burdens" placed on defense contractors (particularly small businesses), including "prohibitive compliance costs," and "bureaucratic burdens," that "delay the delivery of critical capabilities to the warfighters," as well as "severe shortages in third-party assessment capacity." In a related Request for Information (RFI), the DoD has asked for input from industry participants on which security controls delivery meaningful risk reduction, and which create administrative overheard. This inquiry suggests that the DoD may be considering sweeping changes to the underlying security requirements of CMMC, not just to CMMC's attestation framework.
What This Announcement Does
The suspension pauses any ongoing Phase II assessments. During the suspension, defense contracts may only require CMMC Level 1 or Level 2 self-assessments. Defense contracts may not require Level 2 (C3PAO) assessments or Level 3 (DIBCAC) assessments (although CMMC does not require any DIBCAC assessments under Phase II, it gives contracting officers discretion to require them in solicitations and contracts).
The suspension requires the government to remove Phase II requirements from active solicitations and existing contracts. Contracting officers are directed to remove any Level 2 (C3PAO) or Level 3 (DIBCAC) assessment requirements from current solicitations or existing contracts. Solicitations must be amended "as soon as practicable" and existing contracts must be amended before the next option exercise or during the next scheduled administrative modification of the contract.
The DoD is conducting a 60-day review of CMMC. The DoD is establishing a CMMC Reform Task Force to conduct a top-to-bottom review and issue a report within 60 days.
The DoD released an RFI seeking industry feedback. DoD's RFI, titled "Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base," is open, with responses due by 12:00 p.m. ET on August 14, 2026. Notably, the RFI asks which NIST SP 800-171 controls deliver meaningful risk reduction, and which create administrative overhead and financial burden. These questions suggest that the DoD may seek to overhaul cybersecurity requirements for defense contractors—requirements that have been in place since 2016—rather than to simply revise CMMC's assessment framework.
What Remains the Same
Defense contractors are still required to meet the underlying security requirements contained in their defense contracts under DFARS 252.204-7012, which requires compliance with NIST SP 800-171 Rev. 2. This suspension affects how a defense contractor demonstrates compliance with these security requirements—not whether they must comply with them. Whether DoD ultimately amends those requirements remains to be seen.
Looking Ahead
Although the CMMC rollout is paused, defense contractors must still adhere to compliance obligations under DFARS 252.204-7012. Noncompliance can result in civil and criminal penalties, particularly under the False Claims Act.
Even though the core security requirements remain the same for now, we may see significant changes to CMMC in the near future. Defense contractors interested in participating in CMMC's future should review the DoD RFI and consider submitting responses by the August 14, 2026, deadline. Defense contractors should track updates from the Reform Task Force and review the final report when it is issued.
DWT's privacy and security team will continue to monitor developments with CMMC.
+++
Michael Borgia is a partner in DWT's Washington, D.C., office and Andrew Lewis is counsel in the firm's San Francisco office. For questions or more insights, please reach out to the authors or another member of our privacy & security team and sign up for our alerts.