CMMC Phase II Just Got Suspended For 60 Days – But Don’t Put Your Guard Down
On July 13, 2026, the U.S. Department of War (the renamed Department of Defense) did something almost nobody in the defense compliance world saw coming: it hit pause on CMMC Phase II effective immediately — the requirement that was set to become mandatory on November 10, 2026, less than four months from now.
If you’ve spent the last two years budgeting for a third-party assessment, chasing down a C3PAO slot, and treating that November deadline as a wall you had to get over, this is some big news. So let’s break down what actually happened, what it does not change, and what you should do about it.
What the Department of War actually announced
The short version: the transition to CMMC Phase II is suspended, effective immediately. That suspension applies not just to Phase II itself but to pending and future CMMC implementation milestones across Department of War solicitations and contracts.
A few things to pin down, because the details matter:
- Phase I is not going anywhere. All Phase I self-assessment requirements remain firmly in place. This is a pause on the next phase, not a repeal of the program.
- It’s a study, not a burial. The Department is standing up a “CMMC Reform Task Force” to run a top-to-bottom review of the certification program, gathering industry feedback through a public Request for Information and delivering a final report to the DoW Chief Information Officer within 60 days.
- There’s a clear “why” behind it. The Department pointed to data — including reporting from the Small Business Administration — indicating that CMMC compliance costs were pushing innovative companies out of the Defense Industrial Base entirely. The stated goal is to reduce compliance barriers for small, medium, and non-traditional businesses under Secretary of War Pete Hegseth’s Acquisition Transformation System, prioritizing “speed to capability” over administrative overhead.
Here’s the part you cannot afford to miss
This is where a lot of people are going to read the headline, exhale, and quietly shelve their security program. That would be a serious mistake.
Suspending CMMC Phase II does not eliminate the requirement for companies to protect federal data. All defense contractors and subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012.
That obligation is written into your contract. It did not move. It did not soften. It is exactly as binding today as it was before this announcement.
And there’s more: during this interim period, the Department will continue to enforce cybersecurity compliance against the NIST SP 800-171 Rev 2 standard through self-assessments and select government-led assessments.
So what really changed? The third-party certification mechanism is on hold. The underlying security requirements are not. If you were relying on CMMC assessors to eventually tell you where your gaps were, that safety net just moved — but the expectation that your gaps are already closed did not.
What this means for you, practically
If you’re a defense contractor or a subcontractor anywhere in the supply chain, here’s how to think about the next 60 days:
- Keep implementing NIST SP 800-171. This is still the operative standard, and it’s still being assessed. A pause on Phase II is not a pause on 800-171.
- Don’t dismantle the work you’ve done. Every control you’ve implemented toward CMMC readiness is a control you’re still contractually expected to have under DFARS 252.204-7012. The certification date moved; the security bar didn’t.
- Watch for “select government-led assessments.” The Department explicitly reserved the right to conduct these. Self-attestation without the substance behind it carries real exposure — including False Claims Act risk if your self-assessment score doesn’t match reality.
- Expect the rules to evolve, and stay ready to move. A 60-day task force means new guidance is coming. Companies that keep their security posture current will be able to adapt to whatever emerges; companies that let things lapse will be scrambling to rebuild.
If you’re a Canadian firm operating in or supplying the U.S. defense base, the same logic applies — your contractual data-protection obligations don’t disappear because a rollout date shifted, and staying aligned to 800-171 keeps you in the game regardless of where the reform lands.
The bottom line
This is a big, surprising, and consequential move — but it’s a change in how compliance gets verified, not a change in whether you have to protect federal information. The smartest response isn’t to relax. It’s to keep your house in order so you’re ready for whatever the reform task force delivers in the next two months.
We’re here to help. Whether you need a hand interpreting what this means for you, want a clear-eyed assessment of where you actually stand against NIST SP 800-171 and DFARS 252.204-7012, or simply want to keep your program on track through a period of shifting requirements — reach out. We’ll help you cut through the noise and make sure your security posture stays strong no matter which way the policy winds blow. Get in touch today if you need any assistance.
