The Department of Defense (DoD) announced the immediate suspension of Phase II of the Cybersecurity Maturity Model Certification (CMMC) program on July 13, 2026. CMMC is the DoD's mandatory cybersecurity compliance program for defense contractors handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). To implement the suspension, DoD contracting officers are directed to remove Phase II third-party assessment requirements from solicitations and current contracts. At least for the time being, contracting officers may only require self-assessments of CMMC requirements. All other CMMC implementation deadlines are "held in abeyance until further notice." Contractors must still comply with the underlying cybersecurity obligations in their DoD contracts.

CMMC requires defense contractors to undergo one of three certification "levels" (Level 1-3) to obtain a defense contract. The certification level required for each contract depends on the type of data the contractor may handle under that contract. CMMC has rolled out in phases since the DoD issued the final Program Rule in October 2024. We discussed this rollout and provided an overview of the program in a prior blog post. Phase I began on November 10, 2025, and introduced self-assessment requirements for Level 1 and Level 2 contracts. Phase II was scheduled to begin November 10, 2026, and would have required assessments for compliance with Level 2 conducted by CMMC third-party assessment assessor organizations (C3PAOs) in some DoD contracts. Phase 3, scheduled to begin November 10, 2027, would require assessments conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) for Level 3 contracts. By Phase 4, scheduled to begin November 10, 2028, all DoD contracts would require certification with one of the three CMMC levels. The pause to Phase II calls into question whether the DoD will meet these timelines—and whether CMMC will continue in its existing form at all.

The suspension is framed by the DoD as necessary to review the "significant" and "prohibitive burdens" placed on defense contractors (particularly small businesses), including "prohibitive compliance costs," and "bureaucratic burdens," that "delay the delivery of critical capabilities to the warfighters," as well as "severe shortages in third-party assessment capacity." In a related Request for Information (RFI), the DoD has asked for input from industry participants on which security controls delivery meaningful risk reduction, and which create administrative overheard. This inquiry suggests that the DoD may be considering sweeping changes to the underlying security requirements of CMMC, not just to CMMC's attestation framework.

What This Announcement Does

The suspension pauses any ongoing Phase II assessments. During the suspension, defense contracts may only require CMMC Level 1 or Level 2 self-assessments. Defense contracts may not require Level 2 (C3PAO) assessments or Level 3 (DIBCAC) assessments (although CMMC does not require any DIBCAC assessments under Phase II, it gives contracting officers discretion to require them in solicitations and contracts).

The suspension requires the government to remove Phase II requirements from active solicitations and existing contracts. Contracting officers are directed to remove any Level 2 (C3PAO) or Level 3 (DIBCAC) assessment requirements from current solicitations or existing contracts. Solicitations must be amended "as soon as practicable" and existing contracts must be amended before the next option exercise or during the next scheduled administrative modification of the contract.

The DoD is conducting a 60-day review of CMMC. The DoD is establishing a CMMC Reform Task Force to conduct a top-to-bottom review and issue a report within 60 days.

The DoD released an RFI seeking industry feedback. DoD's RFI, titled "Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base," is open, with responses due by 12:00 p.m. ET on August 14, 2026. Notably, the RFI asks which NIST SP 800-171 controls deliver meaningful risk reduction, and which create administrative overhead and financial burden. These questions suggest that the DoD may seek to overhaul cybersecurity requirements for defense contractors—requirements that have been in place since 2016—rather than to simply revise CMMC's assessment framework.

What Remains the Same

Defense contractors are still required to meet the underlying security requirements contained in their defense contracts under DFARS 252.204-7012, which requires compliance with NIST SP 800-171 Rev. 2. This suspension affects how a defense contractor demonstrates compliance with these security requirements—not whether they must comply with them. Whether DoD ultimately amends those requirements remains to be seen.

Looking Ahead

Although the CMMC rollout is paused, defense contractors must still adhere to compliance obligations under DFARS 252.204-7012. Noncompliance can result in civil and criminal penalties, particularly under the False Claims Act. 

Even though the core security requirements remain the same for now, we may see significant changes to CMMC in the near future. Defense contractors interested in participating in CMMC's future should review the DoD RFI and consider submitting responses by the August 14, 2026, deadline. Defense contractors should track updates from the Reform Task Force and review the final report when it is issued.

DWT's privacy and security team will continue to monitor developments with CMMC. 

+++

Michael Borgia is a partner in DWT's Washington, D.C., office and Andrew Lewis is counsel in the firm's San Francisco office. For questions or more insights, please reach out to the authors or another member of our privacy & security team and sign up for our alerts.