Department of War Halts CMMC Phase II Certification Requirements for Review

    The Department of War has suspended CMMC Phase II requirements, Pausing the November 2026 deadline. A new task force will evaluate compliance burdens while ensuring cybersecurity protections remain in place, particularly for small businesses.

    Department of War, Small Business Administration, United States Department of War, Under Secretary of War for Acquisition & Sustainment, Department of Defense

    Key Signals

    • CMMC Phase II requirements suspended by Department of War, initiating 60-day review
    • Contractors remain obligated to comply with DFARS and NIST cybersecurity standards
    • Industry feedback sought via Request for Information due August 14, 2026
    • Task Force to assess compliance burdens on small and medium businesses
    • Consultants may need to adapt services amid renewed focus on industry compliance

    "The requirements are still there. Unfortunately the guardrails are even more uncertain than before. Previously the industry received valuable feedback from both sides of the assessment. Harder than even before to know what is 7acceptable8 at the present time."

    Commenter

    The Department of War has announced an immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase II third-party certification requirements, which were due to take effect on November 10, 2026. This decision comes amid growing concerns about the compliance burdens placed on small and medium-sized businesses within the Defense Industrial Base (DIB). The suspension is temporary and will initiate a 60-day comprehensive review aimed at reassessing these requirements and exploring ways to reduce administrative hurdles while still prioritizing essential cybersecurity measures.

    This development follows revelations from industry stakeholders that the costs associated with achieving CMMC compliance have deterred innovative firms from participating in defense contracts, ultimately jeopardizing the delivery of critical capabilities to military operatives. The need to foster a competitive environment, particularly for smaller contractors, received special emphasis from Kirsten A. Davies, Chief Information Officer at the Department of War, who noted the importance of maintaining a robust cybersecurity infrastructure while easing the compliance pathway for smaller players.

    While the CMMC Phase II certification has been paused, the underlying obligations from previous requirements remain in place, compelling contractors to adhere to existing cybersecurity mandates outlined in the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 and NIST SP 800-171. This means that while contractors may breathe a sigh of relief regarding the looming certification deadline, they are still bound to execute self-assessments, report any incidents, and safeguard Controlled Unclassified Information (CUI). The Department has confirmed that the integral focus during this period is to engage industry stakeholders further to pinpoint compliance challenges and solicit feedback via a Request for Information (RFI), which is expected to be submitted by August 14, 2026.

    The establishment of a dedicated CMMC Reform Task Force is another significant step the Department is taking toward comprehensive cybersecurity reform. This task force is expected to synthesize inputs from the industry filed through the RFI, driving the momentum toward crafting tailored security measures that align with the Acquisition Transformation System (ATS) directives. This indicates a commitment to enhancing the speed to capability needed in defense procurement while simultaneously lowering the barriers that have previously hindered broader participation from non-traditional contractors.

    With due attention to the procurement implications of this suspension, contracting professionals must navigate the adjustments carefully. The existing regulatory frameworks remain untouched, but updates to contract requirements and compliance monitoring will be essential to reflect the changes stemming from the announcement. The strategic move to pause CMMC Phase II reflects a broader intention to mitigate compliance-related paralysis by offering opportunities for feedback from industry representatives, creating a pathway for reforms that better support small and medium-sized businesses without sacrificing the importance of cybersecurity. As recovery from earlier compliance challenges unfolds, procurement professionals should ensure that federal obligations remain a core focus while preparing for potential reforms in the near future.

    In the interim, businesses aiming to remain contract-eligible must maintain rigorous self-assessment protocols and incident response readiness. This caution is particularly applicable to smaller firms that stand to benefit from amended certification processes but cannot afford to neglect their current cybersecurity commitments.

    The suspension brings to light the necessity of balancing compliance with practical cybersecurity implementation, a prevailing concern echoed by industry commentators reflecting on the uncertainty surrounding acceptable standards during this transitional period. "The requirements are still there. Unfortunately, the guardrails are even more uncertain than before," one industry expert noted, highlighting the shifting landscape of compliance.

    Overall, the temporary halt on CMMC Phase II requirements indicates a pivotal shift within the Department of War to refine cybersecurity policies that are both supportive and proactive, thereby fostering a more resilient defense acquisition framework.