The defense contracting world received a major shockwave on July 13, 2026, when the U.S. Department of War (DoW) announced the immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements. Originally scheduled to take effect on November 10, 2026, the sudden pause has left many enterprise leaders wondering: Is CMMC dead, or has the clock just paused?
Here is a breakdown of what this suspension actually means, what the U.S. government is saying, and what organizations should be doing right now.
The DoW has halted the transition to Phase II of the CMMC rollout, alongside all subsequent implementation milestones (Phases III and IV).
To understand why this is a big deal, one must look at the structural bottleneck that was looming. Phase II was set to mandate that any contractor handling Controlled Unclassified Information (CUI) obtain a third-party cybersecurity certification from an accredited Certified Third-Party Assessment Organization (C3PAO).
But, the reality of that requirement quickly crashed into logistical limits:
The bottleneck: There are only about 100 authorized C3PAOs in existence, tasked with auditing more than 100,000 defense contractors.
The economic impact: Compliance costs were ballooning, and Small Business Administration (SBA) data confirmed that innovative small and medium-sized businesses were actively leaving the Defense Industrial Base (DIB) because they couldn't afford the compliance overhead.
In response, the DoW established a CMMC Reform Task Force to conduct a comprehensive, 60-day review of the program.
During a press briefing, DoW Chief Information Officer Kirsten A. Davies was refreshingly candid about the operational reality of the rollout. Pointing to the massive imbalance between available auditors and companies needing certification, she noted, "The math just simply doesn't math."
Davies and other department officials made it clear that the suspension is designed to reduce the administrative "red tape" paralyzing the supply chain, rather than to lower the government's cybersecurity expectations.
Additionally, Under Secretary of War for Acquisition and Sustainment Michael Duffey emphasized that this pause aligns with broader acquisition reform goals to prioritize speed to capability and lower barriers for innovative commercial partners.
Brian Haugli, CEO of SideChannel, had this to say on LinkedIn:
"Watch what happens next. Thousands of defense contractors are about to reveal whether they were building security programs or buying certificates.
If your entire cyber effort was aimed at passing a CMMC assessment, you just lost your reason to keep going. The budget gets pulled, the project stalls, and in 60 days you'll be scrambling to restart whenever the new requirements drop.
If you built a program to actually manage risk, today changed nothing. 800-171 is still enforced. DFARS 7012 is still in your contracts. Adversaries targeting the DIB didn't read the press release and stand down.
This is the problem with compliance-driven security. The requirement moves and the whole thing collapses, because it was never yours to begin with.
Same advice I've given for years, and it holds up on days like this: build the program for the risk, let the certification fall out of it. Not the other way around.
The contractors who did that are fine this morning. The ones who didn't are calling their consultants asking if they can get a refund."
The changes do not alter the underlying security rules/requirements.
It is incredibly important to separate the certification process from the security standard. While the third-party audit requirement (Phase II) is paused, the requirement to protect sensitive government data remains legally binding.
Here is what is active versus what is suspended:
CMMC Element, Phase I (Self-Assessments): Active; You must still perform annual self-assessments, submit scores to the Supplier Performance Risk System (SPRS), and submit annual affirmations.
Phase II (Third-Party Audits): Suspended; The November 10, 2026, deadline for mandatory C3PAO audits is on hold indefinitely.
DFARS 252.204-7012: Active; This clause remains in your contracts. You are still contractually obligated to safeguard covered defense information.
NIST SP 800-171 Rev 2: Active; This remains the active technical standard that you must implement and self-assess against.
If your business interacts with the defense supply chain, treating this pause as "time off" from cybersecurity is a dangerous mistake. Government-led spot audits are still active, and false self-attestations carry massive legal and financial risks under the False Claims Act.
Instead, adjust your strategy to focus on these four actions.
1. Do NOT stop your NIST SP 800-171 implementation: Immediate Priority
Because Phase I self-assessments are still active, you must continue remediating gaps in your system security plans (SSPs). The core technical controls (like access management, MFA, and incident response) are still mandatory.
2. Keep your SPRS scores updated: Ongoing Maintenance
Ensure your organization's self-assessment scores in the SPRS database are accurate and updated. Contracting officers will still verify your Phase I self-assessment status before awarding contracts.
3. If an audit is in progress, finish it: Strategic Choice
If your organization was already preparing for or actively undergoing a C3PAO assessment, stopping now might cost you more than it saves. A strong security posture is still a massive competitive differentiator.
4. Participate in the public RFI: Deadline is August 14, 2026
The DoW has opened a public Request for Information (RFI) to gather direct feedback on compliance costs and how companies are using commercial tools to meet these goals. Make your voice heard before the August 14 deadline.
CMMC is not dead; it is being rebuilt to be more practical. Expect the Reform Task Force to return in autumn 2026 with a updated framework that relies more heavily on self-attestation and existing commercial tools. In the meantime, focus on real cybersecurity hygiene rather than the bureaucratic paperwork.