DoD Pauses CMMC Phase II, Launches 60-Day Review to Reduce Burdens
The Department of War has halted its CMMC Phase II requirements, addressing compliance concerns. This decision aims to alleviate cost pressures on over 100,000 small defense contractors, promoting their participation within the Defense Industrial Base while ensuring cybersecurity standards are upheld.
Key Signals
- DoD pauses CMMC Phase II requiring third-party assessments
- 60-day review initiated to reform CMMC compliance obligations
- SBA supports DoD’s decision affecting over 100,000 small businesses
"With over 100,000 small businesses impacted and compliance costs approaching as much as $600,000, the SBA strongly supports the Department of War’s decisive action to preserve strong cybersecurity while cutting red tape, bringing American innovators into our defense supply chain, and advancing the DoW’s efforts to rapidly expand modern capabilities essential to warfighter readiness."
On July 13, 2026, the Department of War announced a significant postponement of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements that were set to take effect on November 10, 2026. This move places a crucial pause on the implementation of mandatory third-party cybersecurity assessments for defense contractors dealing with sensitive, yet unclassified, information. The suspension is the result of a recognized need for a comprehensive review aimed at formulating reforms to the CMMC program with a focus on diminishing compliance burdens particularly impacting small and non-traditional defense contractors, while still safeguarding necessary cybersecurity standards. The U.S. Small Business Administration (SBA) has voiced strong support for this decision, indicating that the earlier framework imposed prohibitive compliance costs on small businesses, posing a potential threat to their viability within the Defense Industrial Base (DIB).
The CMMC was originally introduced to enhance cybersecurity across the defense supply chain. However, as it evolved, small contractors raised concerns that the compliance requirements were too intricate, creating barriers to entry that could force many out of defense-related contracts. In light of the extensive ramifications for small businesses—over 100,000 entities affected and compliance costs potentially as high as $600,000—the SBA emphasized the importance of this review. SBA Administrator Kelly Loeffler remarked, "Let there be no doubt: the small businesses that undergird our defense industrial base are committed to protecting our nation’s digital domain - but cybersecurity cannot come at the cost of bureaucracy that shuts out the very companies our warfighters depend on."
The newly initiated 60-day review process will focus on aligning cybersecurity requirements more effectively with the acquisition transformation goals of the Department of Defense. This strategic shift seeks to maintain strong cybersecurity measures while alleviating the regulatory pressures that hinder small companies from contributing to national security objectives. The review also stands to support the Department's goals related to speed to capability, underscoring the need for scalable and resilient cybersecurity measures rather than strenuous compliance frameworks.
For procurement professionals, this suspension represents the advent of changes to CMMC compliance requirements that could significantly impact contract eligibility and cybersecurity obligations for defense contractors operating on the small to medium scale. The Department of War is also expected to elicit feedback from industry stakeholders as part of this review, which highlights an opportunity for contractors to engage with the reform process proactively and adapt their cybersecurity strategies to align with emerging standards.
Additionally, the phased approach to CMMC implementation, which began in November 2025, aimed to incrementally roll out cybersecurity requirements. Though the CMMC program was designed primarily to enforce existing federal cybersecurity mandates, the industry response demonstrates a collective concern over its complexity and potential cost implications. The CMMC Reform Task Force, tasked with this urgent review, will focus on stakeholder feedback to refine the program further to ensure it supports innovation within the defense supply chain rather than stifles it.
The current suspension thus signals a pivotal moment for the defense contracting landscape, where fostering a collaborative cybersecurity environment can coexist with the imperative of national security. As the program evolves, it presents an essential opportunity for small and innovative defense contractors to maintain their roles in safeguarding vital defense information while navigating an increasingly complex regulatory environment.
If successful in its reform efforts, the Department of War aims to establish a modernized cybersecurity framework that emphasizes efficiency and operational effectiveness—key to sustaining the readiness of U.S. military forces.
Agencies
- U.S. Small Business Administration
- U.S. Department of War
- Department of Defense
- National Institute of Standards and Technology
Sources
- SBA Commends U.S. Department of War’s Suspension of CMMC Phase II for Small Defense Contractors | The Manila TimesThe Manila Times · Jul 13
- Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements > U.S. Department of War > Release | U.S. Department of WarU.S. Department of War (.gov) · Jul 13
- Pentagon suspends CMMC phase two requirements, launches review of program | Federal News NetworkFederal News Network · Jul 13
- DOD halts cybersecurity requirements for CMMC Phase 2: ‘The math just simply doesn't math’ | DefenseScoopDefenseScoop · Jul 13
- BREAKING: Pentagon Suspends Phase 2 of CMMC ProgramNational Defense Magazine · Jul 13