CMMC Phase II Suspended: 60-Day Review Could Shift DoD Cybersecurity Framework
Key Takeaways
- The suspension of CMMC Phase II pauses mandatory third-party cybersecurity assessments, leaving contractors to rely on existing DFARS controls.
- A 60-day review may revise the framework.
- Cybersecurity professionals must ensure ongoing compliance while anticipating future changes.
Mentioned
Key Intelligence
Key Facts
- 1DoD suspended CMMC Phase II implementation deadlines, including the Nov. 10, 2026 transition, effective July 13, 2026.
- 2A 60-day CMMC Reform Task Force will review the program and issue a Request for Information (RFI) to gather industry feedback on readiness and cost over the next month.
- 3Contractors must still comply with DFARS 252.204-7012 and CMMC Phase I self-assessment requirements; DoD program managers may still require Level 1 or Level 2 (Self) assessments.
- 4The suspension is part of Secretary Hegseth’s Acquisition Transformation System aimed at reducing regulatory burdens and expanding the defense industrial base.
- 5Pending and future CMMC-related milestones in DoD solicitations and contracts are paused during the review.
- 6The underlying cybersecurity obligation to protect controlled unclassified information (CUI) remains in effect via existing regulations.
Analysis
- Allows time to refine the assessment framework to be more effective and risk-based
- Reduces administrative burden, freeing security resources for actual defense
- Encourages continuous monitoring approaches over point-in-time audits
- Pauses independent verification of contractor cybersecurity, potentially increasing risk
- May lead to confusion and reduced security spending
- Could delay detection of threats if oversight is weakened
Analysis
For cybersecurity leaders in the defense sector, the CMMC Phase II suspension could be a double-edged sword: it removes the immediate requirement for third-party assessments, but introduces uncertainty about the future of mandatory verification. While the suspension aims to reduce costs, it does not diminish the obligation to protect CUI under DFARS 252.204-7012. The 60-day review could redefine how the Pentagon assures cyber hygiene across its supply chain, with potential implications for threat detection and incident response protocols.
On July 13, 2026, the U.S. Department of Defense abruptly suspended the transition to Cybersecurity Maturity Model Certification (CMMC) Phase II, scrapping the November 10, 2026 deadline that would have mandated third-party assessments for contractors handling controlled unclassified information (CUI). The move, announced via two memoranda, halts the most stringent tier of the Pentagon’s landmark cybersecurity certification program and signals a fundamental reassessment of how to secure the defense industrial base without unduly burdening industry participants. The suspension is effective immediately, and pending CMMC milestones in solicitations and contracts are paused while a 60-day Reform Task Force conducts a comprehensive review.
Secretary of Defense Pete Hegseth’s Acquisition Transformation System (ATS) now frames this suspension as part of broader acquisition reform aimed at accelerating acquisitions, reducing unnecessary regulatory burdens, and expanding opportunities.
The CMMC program, finalized in October 2024 under 32 C.F.R. Part 170, was designed to replace a self-attestation model with third-party validation to verify contractors’ implementation of NIST SP 800-171 security controls. It rolled out in phases: Phase I began in September 2025, requiring basic self-assessments, while Phase II, originally set for November 2026, was to enforce full certification for CUI handlers. The program’s complexity and cost drew sharp criticism from industry, especially small and mid-sized contractors who argued that the compliance overhead threatened their viability. Secretary of Defense Pete Hegseth’s Acquisition Transformation System (ATS) now frames this suspension as part of broader acquisition reform aimed at accelerating acquisitions, reducing unnecessary regulatory burdens, and expanding opportunities.
The immediate effect for contractors is relief from the impending Phase II certification requirement. Defense firms that had been scrambling to achieve Level 2 third-party assessment readiness can now scale back those efforts, at least temporarily. However, the suspension does not relieve them of existing cybersecurity obligations. Contractors must still comply with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, which mandates safeguarding CUI and reporting cyber incidents, and with any CMMC Phase I requirements, including applicable self-assessments. In addition, DoD program managers may still designate Level 1 or Level 2 (Self) assessment requirements on individual contracts, meaning that some self-assessment burdens persist. Thus, the compliance landscape remains in a state of partial limbo.
The 60-day CMMC Reform Task Force, established concurrently with the suspension, will gather industry feedback through a Request for Information (RFI) focusing on readiness, cost drivers, and current control implementations. The RFI, to be conducted over the coming month, seeks to identify barriers to participation in the defense supply chain. The task force’s recommendations, due at the end of the 60-day period, will inform a potential revision of the CMMC framework. The department’s goal is to maintain strong cybersecurity while removing friction that has narrowed the pool of eligible contractors, a concern amplified by recent geopolitical tensions and the need to surge production.
What to Watch
The market impact is multi-layered. For defense primes and large contractors that heavily invested in CMMC compliance, the suspension may be a mixed bag: it eliminates the immediate certification expense but also creates uncertainty about the future standard. For small and mid-sized vendors, the news is a clear win, removing a barrier that could have locked them out of contracts. The suspension could swell the number of eligible bidders and restore competition, potentially lowering costs for the DoD. On the other hand, some industry observers worry that a prolonged pause might erode cybersecurity vigilance and increase the attack surface, especially since the underlying threat landscape remains intense. The suspension may also delay contract awards that were contingent on CMMC readiness, introducing near-term procurement friction.
Looking ahead, the outcome of the 60-day review is crucial. Possible scenarios range from a tweaked Phase II timeline to a complete overhaul of the certification model, perhaps adopting a more risk-based approach or leveraging continuous monitoring instead of point-in-time assessments. The RFI’s emphasis on cost drivers suggests that the DoD is seriously contemplating ways to reduce compliance expenses, possibly through subsidies or shared assessment resources. Industry legal advisors will need to monitor the rulemaking docket for any proposed changes to C.F.R. Part 170 or DFARS. In the meantime, contractors should not dismantle their cybersecurity programs; they should continue to adhere to NIST SP 800-171 controls, as these remain the baseline and may be referenced in any future framework. The suspension underscores that regulatory requirements in defense procurement can shift rapidly with leadership priorities, and agility in compliance planning is now a strategic necessity.
Timeline
Timeline
CMMC Program Finalized
DoD publishes final rule for CMMC under 32 C.F.R. Part 170, establishing the phased certification framework.
Phase I Go-Live
CMMC Phase I begins, requiring basic self-assessments for contractors.
Phase II Suspension Announced
DoD issues two memoranda suspending all CMMC Phase II deadlines, including the planned Nov. 10 transition, effective immediately.
CMMC Reform Task Force and RFI
DoD establishes a 60-day task force and publishes a Request for Information to gather industry input on readiness, costs, and barriers.
Original Phase II Transition (Suspended)
This date would have mandated Level 2 third-party assessments for contractors handling CUI; now on hold.
Cite This Page
"CMMC Phase II Suspended: 60-Day Review Could Shift DoD Cybersecurity Framework." Cyber Intelligence Brief, July 15, 2026. https://getcyberbrief.com/story/cyber-cmmc-suspension-security-shift
From the Network
How we covered this story
Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.
Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.
Sources are only linked to a story once they clear our classification pipeline at a minimum 35 percent relevance threshold. According to that methodology, reviewed July 2026, this follows multi-source corroboration standards recommended by journalism research bodies such as the Reuters Institute for the Study of Journalism.
| Signal on this page | What it tells you |
|---|---|
| Verified by N sources | Independent corroboration count. N≥2 is our confidence floor; N=1 is marked explicitly. |
| Impact score (1-10) | Regulatory + financial + operational weight. 8+ signals an experienced-operator action item. |
| Sentiment | Five-tier classification trained on labeled cybersecurity-specific corpora. |
| Timeline | Where applicable, the related-events sequence that contextualizes today's development. |