DoD Halts CMMC Phase II to Address Contractor Compliance Concerns

    The DoD has paused the Cybersecurity Maturity Model Certification Phase II implementation set for November 2026. This decision addresses rising compliance costs and barriers for small and mid-sized defense contractors while permitting self-assessments to remain effective in the interim. A 60-day feedback review period is now underway to reassess compliance requirements.

    Department of Defense

    Key Signals

    • DoD pauses CMMC Phase II due to supplier concerns
    • 60-day feedback review initiated
    • NIST 800-171 requirements still in effect for contractors

    "While this suspends the Level 2 requirements for new and active solicitations between the DoD and its Primes, the Primes can still require their subs be certified."

    Original poster

    On July 14, 2026, the Department of Defense (DoD) announced a significant pause in the rollout of Phase II of the Cybersecurity Maturity Model Certification (CMMC) program. The plan, which would have mandated third-party audits for defense contractors starting November 10, 2026, was suspended after small and mid-sized defense contractors voiced serious concerns about the financial and administrative burdens of the compliance requirements. As these smaller entities form a vital part of the defense supply chain, the DoD recognized that the stringent requirements risked eliminating their participation in military contracts, leading to potential disruptions in supply chain stability.

    The Pentagon's decision reflects the ongoing challenge of balancing the need for robust cybersecurity protocols against the accessibility of defense contracting opportunities. In light of complaints from industry stakeholders, the DoD has initiated a 60-day review period to gather feedback from contractors and explore adjustments to the CMMC framework. This pause allows contractors to continue operations under existing cybersecurity mandates without incurring the costs associated with third-party audits.

    The CMMC initiative commenced in November 2025, designed to enhance the security of Controlled Unclassified Information (CUI) shared with contractors. Industry leaders have warned for some time that these upcoming compliance demands could inhibit the ability of smaller suppliers to compete effectively in the defense marketplace. Many expressed that compliance could incur costs upwards of hundreds of thousands of dollars—a burden that could push innovative companies out of the Defense Industrial Base.

    The immediate implications of this pause are significant for procurement professionals and defense contractors alike. Although the third-party audits are delayed, existing requirements under NIST 800-171 and DFARS 252.204-7019 continue to stand, meaning that companies still need to assess their cybersecurity practices through self-assessments at levels 1 or 2. Understanding these requirements remains crucial for maintaining eligibility for government contracts and minimizing risks associated with cybersecurity compliance.

    As the DoD analyzes industry feedback over the next two months, contractors should remain vigilant regarding potential adjustments to the CMMC framework. The establishment of the CMMC Reform Task Force points to the DoD's commitment to reforming the oversight process while ensuring that national security interests, particularly regarding cyber threats, remain protected. Any future policy shifts will need to strike a careful balance between securing sensitive military information and supporting the competitive landscape within the defense contracting community.

    In conclusion, the pause in implementing Phase II of the CMMC program signifies an opportunity for the DoD to recalibrate its strategy to effectively meet cybersecurity needs without undermining the participation of critical suppliers. As developments unfold, contractors must actively engage with the department to ensure compliance strategies are aligned with upcoming recommendations for reform.

    • The DoD is postponing CMMC Phase II to address industry compliance concerns.
    • Third-party audits originally set to begin on November 10, 2026, are now on hold.
    • Small and mid-sized contractors reported compliance costs could exceed $100,000.
    • During the pause, current cybersecurity compliance under NIST 800-171 remains crucial for contractors.
    • A 60-day review period has been initiated to collect contractor feedback on CMMC requirements.
    • The CMMC program aims to safeguard Controlled Unclassified Information (CUI) within the defense contractor ecosystem.
    • The suspension may help bolster competition within the Defense Industrial Base, particularly for small suppliers.
    • Future CMMC regulations could potentially alter compliance cost structures and operational requirements.
    • Procurement professionals should stay informed about changes arising from the CMMC Reform Task Force.
    • Companies are advised to prepare for potential adjustments to cybersecurity certifications moving forward to remain competitive in defense procurement.