Originally published on CyberNetSec.
Executive Summary
On July 13, 2026, the U.S. Department of War (DoW) announced the immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase II implementation. This decision halts the requirement for third-party cybersecurity assessments, originally scheduled to take effect on November 10, 2026. A newly formed CMMC Reform Task Force will conduct a 60-day review to streamline the program, reduce compliance costs, and lower entry barriers for small and medium-sized businesses in the Defense Industrial Base (DIB). Importantly, existing contractual requirements under DFARS clause 252.204-7012, which mandate self-assessment against NIST SP 800-171, remain in full effect. This move signals a strategic pivot from enforcement through third-party audits to a more internally-focused, yet still mandatory, compliance framework for the time being.
Regulatory Details
The core change is the suspension of mandatory CMMC Level 2 and Level 3 assessments conducted by CMMC Third-Party Assessment Organizations (C3PAOs). This was the cornerstone of CMMC Phase II, designed to validate the cybersecurity posture of contractors handling Controlled Unclassified Information (CUI).
Key points of the suspension include:
- Immediate Effect: The suspension is effective as of July 13, 2026.
- 60-Day Review: A CMMC Reform Task Force will analyze the program's impact, particularly the financial and bureaucratic burden on DIB contractors. The goal is to develop recommendations for a more scalable and resilient framework.
- Contract Modifications: The DoW has directed that any active solicitations or existing contracts containing CMMC Level 2 or 3 assessment requirements must be amended to remove them.
- Phase I Unchanged: All CMMC Phase I requirements, which involve self-assessment against the 110 controls of NIST SP 800-171 Rev 2, remain mandatory. Contractors must still conduct these self-assessments, score them using the NIST SP 800-171 DoD Assessment Methodology, and upload the scores to the Supplier Performance Risk System (SPRS).
According to DoW CIO Kirsten Davies, the suspension aims to address "paralyzing costs" and "bureaucratic red tape" without diminishing cybersecurity standards. The focus shifts from external validation back to contractor attestation and government-led spot checks.
Affected Organizations
This policy change primarily affects the entire U.S. Defense Industrial Base (DIB), which includes over 300,000 companies. The impact is most significant for:
- Small and Medium-Sized Businesses (SMBs): These organizations faced the most substantial financial burden. The Small Business Administration (SBA) Office of Advocacy praised the decision, citing potential compliance costs of nearly $600,000 per small firm for a third-party assessment.
- Prime Contractors: They remain responsible for the security of their supply chains but are temporarily relieved of the duty to enforce CMMC third-party certifications on their subcontractors.
- CMMC Ecosystem Providers: This includes C3PAOs, Registered Provider Organizations (RPOs), and certified professionals whose business models were built around the now-suspended third-party assessment requirement.
Compliance Requirements
During the 60-day review period and until further notice, the compliance landscape for DIB contractors is as follows:
- DFARS 252.204-7012: This clause remains the primary driver of cybersecurity compliance. It requires contractors to provide "adequate security" for covered defense information, which is defined as meeting the requirements of NIST SP 800-171.
- NIST SP 800-171 Self-Assessment: Contractors must continue to perform self-assessments against the 110 security controls in NIST SP 800-171 Rev 2.
- SPRS Submission: A current (not more than three years old) assessment score must be posted to the DoD's Supplier Performance Risk System (SPRS). A perfect score is 110.
- System Security Plan (SSP): Contractors must maintain an SSP describing how the NIST 800-171 controls are implemented.
- Plans of Action & Milestones (POA&M): For any unimplemented controls, a POA&M must be created to document the plan to meet them.
Government-led assessments by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will continue for select contractors.
Implementation Timeline
- July 13, 2026: CMMC Phase II third-party assessment requirements suspended.
- July-September 2026: 60-day review period conducted by the CMMC Reform Task Force.
- September 2026 (projected): The Task Force is expected to deliver its recommendations to DoW leadership.
- November 10, 2026: Original effective date for CMMC Phase II, now nullified.
A new timeline for a revised CMMC program, if any, will be established following the review.
Impact Assessment
The immediate impact is significant financial and operational relief for DIB contractors, especially SMBs who viewed the cost of certification as a barrier to entry. However, it also introduces uncertainty. Organizations that have already invested heavily in CMMC preparation may see that investment as wasted. The suspension could also be perceived as a weakening of the DIB's overall cybersecurity posture by removing the independent verification component, although the DoW disputes this. For the next 60 days, the DIB will be in a holding pattern, awaiting the outcome of the review and clarity on the future of cybersecurity compliance for DoW contracts.
Enforcement & Penalties
While third-party CMMC assessments are suspended, enforcement of existing requirements continues. The Department of Justice's Civil Cyber-Fraud Initiative can still use the False Claims Act to pursue contractors who knowingly fail to meet their cybersecurity obligations. Non-compliance with DFARS 252.204-7012 and the failure to maintain an accurate SPRS score can result in contract termination, suspension, debarment, and financial penalties.
Compliance Guidance
Contractors should not interpret this suspension as a relaxation of cybersecurity requirements. The mandate to protect CUI is unchanged.
Action Plan:
- Continue NIST 800-171 Implementation: Do not pause efforts to implement and maintain the 110 controls. This remains a contractual obligation.
- Validate SPRS Score: Ensure your self-assessment score in SPRS is current and accurately reflects your current security posture. Be prepared to defend it during a DIBCAC audit.
- Maintain SSP and POA&Ms: Keep your System Security Plan and Plans of Action & Milestones updated. Focus on closing gaps identified in your POA&M.
- Pause C3PAO Engagement: Organizations can pause contracts and engagements with C3PAOs for formal certification assessments. However, continuing to use RPOs or consultants for advisory services on NIST 800-171 implementation remains a valuable strategy.
- Monitor Official Channels: Stay informed by monitoring announcements from the DoW and the CMMC Accreditation Body for updates following the 60-day review.
Top comments (0)