Pentagon Suspends CMMC Phase II Requirements for Defense Contractors

The US Department of Defense (DoD) has suspended the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements until it reviews the program to allow for more innovation in the US defense industrial base (DIB).

Originally scheduled to come into effect on November 10, 2026, the requirements corresponded to the second stage of the DoD’s phased rollout for the CMMC, a program designed to enhance cyber hygiene for US defense contractors and subcontractors handling federal contract information (FCI) and controlled unclassified information (CUI) for the DoD – also known as the Department of War (DoW).

While the first phase (CMMC Phase I) allowed companies to self-report their cybersecurity compliance levels, this second phase would have required contractors that work with the military and handle sensitive information to have this checked by an outside company.

Specifically, CMMC Phase II requirements were designed to transition US defense contractors handling CUI from basic self-attestations to mandatory, independent assessments led by Certified Third-Party Assessment Organizations (C3PAOs) to verify compliance with the 110 security controls referred to in NIST SP 800-171, a standard published by the US National Institute of Standards and Technology (NIST).

The DoD previously estimated that between 220,000 and 300,000 companies participate in the DIB, with roughly 80,000 that were expected to require CMMC Phase II.

A CyberSheath report published in October 2025 revealed that only 1% of defense contractors felt fully prepared for CMMC Phase II audits.

Furthermore, Phase II was supposed to be followed by a third and a fourth phase, scheduled to be completed in November 2027 and November 2028, respectively.

Phase III was to introduce level 3 audits, led directly by the DoD, for contracts with the most sensitive data, while Phase IV would have meant all DoD contractors and subcontractors would need full CMMC compliance. 

CMMC Has Created “Bureaucratic Burdens” for the DIB

To justify the suspension of CMMC Phase II, the DoD argued in its July 13 statement that the program has “created prohibitive compliance costs and bureaucratic burdens” instead of enhancing cybersecurity for DIB firms.

“Recent data, including reports from the Small Business Administration (SBA), confirmed that CMMC compliance is forcing innovative companies out of the DIB which will delay the delivery of critical capabilities to the warfighters,” said the Department.

Therefore, the DoD will establish a ‘CMMC Reform Task Force’ to conduct a 60-day, top-to-bottom review of the program to ensure that it is aligned with the Secretary of War Pete Hegseth’s acquisition transformation system (ATS) strategy.

This includes directives lowering barriers for small, medium and non-traditional businesses and “replacing bureaucratic compliance with scalable, resilient cybersecurity measures.”

“Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness. We believe the DIB can achieve both, while we reduce unnecessary government red tape,” said the Department’s CIO, A. Davies, who will be responsible for putting together the task force.

During the interim period, the DoD said it will enforce cybersecurity compliance with the NIST SP 800-171 Rev 2 standard through self-assessments and select government-led assessments, “focusing on tangible cyber hygiene rather than administrative overhead.”

Experts Warn Against Abandoning CMMC Compliance Efforts

Following the announcement, some security compliance experts shared their interpretation for the sudden suspension.

Dave Schroeder, director of National Security Initiatives at the University of Wisconsin Madison, said on LinkedIn that because CMMC is a program to prove a firm’s compliance with NIST 800-171 and DFARS 252.204-7012, the reason behind the recent DoD is likely due to not enough contractors being ready to comply with CMMC Phase II by Nov 10.

Nelina Varenas, director and a founding member of the KDM Consortium, emphasized in a LinkedIn article published on July 14 that contractors should not interpret the delay as an opportunity to abandon their compliance efforts.

“First, as the DoD announcement stated, all CMMC Level 1 self-assessment requirements remain in place,” Varenas noted.

She urged concerned organizations not to abandon their compliance efforts, warning that the delay should not be misinterpreted as a relaxation of standards. Instead, she advised the suspension should be viewed as valuable breathing room to ensure cybersecurity practices are implemented correctly and thoroughly before potential future enforcement resumes.

The future of CMMC remains uncertain, but Varenas cautioned, “This is not the time to step back; it’s the time to ensure compliance is done right.”

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *