DoD Halts CMMC Phase II to Review Compliance Burdens on Contractors
The Department of Defense has frozen the implementation of CMMC Phase II, set for November 2026. A 60-day review aims to streamline cybersecurity requirements, making it easier for contractors, particularly smaller firms, to comply while safeguarding sensitive information.
Key Signals
- DoD suspends CMMC Phase II requirements until further notice.
- 60-day review initiated to collect contractor feedback on compliance burdens.
- Contractors must continue adhering to Phase I requirements during this period.
"The partners who treat this 60-day window as an opportunity to go deeper 99not as a reason to deprioritize 99are building the trust that converts a compliance engagement into a long-term managed services relationship."
The Department of Defense (DoD) has officially suspended the implementation of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which were slated to take effect on November 10, 2026. This unexpected pause halts all third-party certification mandates and associated milestones immediately, as the DoD embarks on a 60-day comprehensive review led by the newly established CMMC Reform Task Force. The aim of this review is to develop scalable cybersecurity requirements that not only reduce compliance burdens but also enhance participation from small and nontraditional defense contractors while ensuring robust protection for Controlled Unclassified Information (CUI).
During this moratorium, contractors are required to continue adhering to existing Phase I requirements, including the standards outlined in NIST SP 800-171 and DFARS 252.204-7012. This includes performing Level 1 and Level 2 self-assessments instead of undergoing potentially costly third-party audits. The task force intends to gather insights and recommendations from the contracting community, for which the DoD has issued a Request for Information (RFI) with responses due by August 14, 2026. This engagement seeks contractor feedback to guide the reform process effectively.
The decision to suspend CMMC Phase II reflects the DoD’s ongoing commitment to reform its acquisition practices, which aim to diminish compliance costs and broaden the industrial base's participation. The suspension acknowledges the ongoing struggle faced by many defense contractors, especially smaller businesses, to meet the rigorous demands of compliance without incurring significant expenses or administrative burdens. Compliance barriers that previously jeopardized equitable access to federal contracting opportunities have been a long-standing concern, particularly within the merit shop construction sector that caters to the DoD and other federal agencies.
Leading industry organizations, such as ABC, have welcomed this suspension as it aligns with their advocacy for cybersecurity rules that uphold national security without imposing excessive obstacles on qualified contractors. This approach not only mitigates compliance costs but also ensures that the necessary cybersecurity measures are not dismissed. As Kurt Michael, Chief Revenue Officer at Kiteworks, aptly noted, "The partners who treat this 60-day window as an opportunity to go deeper—not as a reason to deprioritize—are building the trust that converts a compliance engagement into a long-term managed services relationship."
Procurement professionals and contractors alike should take this suspension as an invitation to evaluate their current cybersecurity postures. The DoD's initiative represents a potential paradigm shift in how cybersecurity compliance is approached, ideally fostering a more inclusive environment for contractors of all sizes. As the 60-day evaluation unfolds, stakeholders must seize the opportunity to provide constructive feedback that will influence how upcoming CMMC phases will be structured, potentially impacting future contract cybersecurity clauses and compliance strategies across various defense-related contracts.
In summary, while the halt to CMMC Phase II may appear to postpone regulatory progress, it is a strategic move aimed at fostering a more robust and accessible cybersecurity compliance framework, particularly for smaller firms that are essential to the national defense supply chain.
Agencies
- Department of Defense
- Department of War
- Department of the Army
- Small Business Administration
- Department of Justice
Vendors
- Kiteworks
Sources
- US DoW suspends CMMC Phase II requirements for defence contractorsArmy Technology · Jul 15
- DoD Suspends Implementation of CMMC Phase II RequirementsThe National Law Review · Jul 14
- Newsline | ABC Applauds DOD's Suspension of CMMC Requirements, UrABC.org · Jul 14
- Department of War Pauses CMMC Phase II Implementation & Launches 60-Day Program Review | SteptoeSteptoe · Jul 14
- Department of War suspends CMMC Phase II, launches 60-day review to reduce compliance burden on defense contractors - Industrial CyberIndustrial Cyber · Jul 14