Department of War Halts CMMC Phase II Requirements to Ease Compliance Burdens

    The Department of War has suspended the CMMC Phase II requirements, impacting third-party assessments for contractors managing Controlled Unclassified Information. This move aims to ease compliance costs for small and medium businesses while ensuring adherence to NIST cybersecurity standards, indicating potential shifts in the cybersecurity certification landscape.

    Department of War, Department of Defense, Pentagon, Defense Cyber Crime Center, Small Business Administration

    Key Signals

    • CMMC Phase II suspended, third-party assessments on hold
    • Ongoing compliance with NIST SP 800-171 required
    • Task Force review to evaluate scalable cybersecurity measures

    "We have a strategic imperative to reduce bureaucracy as we build the world's strongest Arsenal of Freedom. The CIO's decision ensures we maintain a strict security baseline while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain."

    Michael Duffey

    In a significant policy shift, the Department of War has decided to suspend the implementation of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which were set to come into effect on November 10, 2026. This decision comes as a response to increasing concerns regarding the compliance burden placed on defense contractors, especially among small and medium-sized enterprises (SMEs) within the Defense Industrial Base (DIB). The suspension halts the mandatory third-party assessments that were designed to evaluate contractors handling Controlled Unclassified Information (CUI), thereby temporarily alleviating the financial and administrative pressures faced by these organizations.

    Although the CMMC Phase II assessments are on hold, contractors are still required to adhere to existing cybersecurity standards. Specifically, compliance with NIST SP 800-171 Rev 2 and the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 remains crucial. This suspension reflects a broader strategic imperative by the Department of Defense (DoD) to balance robust security with the need for operational agility and innovation in defense contracting. According to Michael Duffey, a senior official associated with the policy change, "We have a strategic imperative to reduce bureaucracy as we build the world's strongest Arsenal of Freedom. The CIO's decision ensures we maintain a strict security baseline while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain."

    The formation of a newly established CMMC Reform Task Force will spearhead a comprehensive 60-day review aimed at exploring scalable cybersecurity measures that align with the Acquisition Transformation System directives. This task force will likely reassess the effectiveness of existing frameworks while considering how best to reduce compliance burdens while maintaining security standards necessary for national defense.

    The implications of this announcement are profound, especially for SMEs that have been disproportionately affected by the costs associated with the CMMC requirements. The immediate suspension of third-party assessments can lead to reduced compliance costs and administrative burdens, allowing smaller companies to pivot in their subcontracting and bidding strategies without the looming threat of CMMC compliance disrupting their operations. This shift could potentially foster a more favorable procurement climate, where innovation can thrive, and competition is encouraged amongst defense contractors.

    However, while the immediate suspension provides relief, it also introduces uncertainty within the cybersecurity certification market, notably impacting consulting firms, assessment service providers, and timelines for contract readiness. Prospective contractors and current defense suppliers must remain vigilant in adapting their cybersecurity compliance plans in light of evolving DoW acquisition policies, which may undergo further reforms following the task force's review.

    Businesses in the DIB must not overlook the necessity of maintaining cybersecurity posture even amid these changes. It remains important to continue compliance with the established cybersecurity standards imposed by NIST and DFARS, as failure to do so could result in repercussions in future contract opportunities. Additionally, as output from the CMMC Reform Task Force emerges, organizations should be prepared to align their cybersecurity practices accordingly to both meet existing and anticipated procurement requirements, ensuring their competitiveness in ongoing and future defense contracting opportunities.

    Agencies

    • Department of War
    • Department of Defense
    • Pentagon
    • Defense Cyber Crime Center
    • Small Business Administration

    Vendors

    • Lockheed Martin
    • Boeing