The Department of War has suspended CMMC Phase II implementation while it reviews the program and seeks industry input on reducing compliance burdens. Government contractors should understand which requirements remain in effect, how active solicitations may change, and what the temporary pause could mean for assessment costs and future cybersecurity obligations.
Highlights
- Phase II Suspension. On July 13, 2026, the Department of War suspended CMMC Phase II requirements that were scheduled to take effect on November 10, 2026.
- Requirements Still in Effect. Contractors and subcontractors must continue meeting applicable contractual cybersecurity requirements and maintaining required self-assessments and annual affirmations in SPRS.
- Solicitation Changes. During the suspension, program offices may include only CMMC Level 1 Self or Level 2 Self requirements, and contracting officers must amend active solicitations to remove Level 2 C3PAO and Level 3 DIBCAC requirements.
- Contract Impact. Contractors should evaluate whether solicitation amendments or changing assessment requirements affect performance plans, prior compliance investments, subcontract administration, or fixed-price contract costs.
- Industry Review. DOW is reviewing CMMC implementation and seeking industry feedback on reducing compliance burdens, particularly for small and nontraditional businesses, through August 14, 2026.
On July 13, 2026, the Department of War (DOW) announced a major update to its cybersecurity compliance framework: the immediate suspension of CMMC Phase II requirements, which had been scheduled to take effect on November 10, 2026. The DOW confirmed that all Phase I self‑assessment requirements remain in force.
This suspension supports a broader effort to align cybersecurity and acquisition processes with Secretary of War Pete Hegseth’s Acquisition Transformation System (ATS). ATS focuses on speed to capability, reducing barriers for small, medium, and non‑traditional businesses, and replacing bureaucratic compliance mechanisms with scalable and realistic cybersecurity practices.
Requirements Unaffected by the Phase II Suspension
Contractors and subcontractors must still:
- Comply with their contractual required cybersecurity requirements (FAR 52.240-93 and DFARS 252.204-7012) and
- Complete and post the self-assessment and annual affirmation to the Supplier Performance Risk System (SPRS).
Why DOW Suspended Phase II Implementation?
The memo states that although the CMMC program was designed to strengthen cybersecurity in the Defense Industrial Base (DIB), it has instead imposed prohibitive compliance costs and significant administrative burdens on small businesses. According to data and reports from the Small Business Administration (SBA), these burdens are forcing innovative firms out of the DIB, which, in turn, threatens to delay the delivery of critical capabilities to warfighters. SBA commended DOW on the suspension.
To address these concerns, DOW has established a task force to conduct a comprehensive review of the CMMC program. Within 60 days, the task force will provide the DOW Chief Information Officer (CIO) with recommendations on realistic security measures designed to lower barriers for small and non-traditional contractors. The DOW CIO has published a Request for Information (RFI) on Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base (DIB), with input due by August 14, 2026.
What Does This Mean for Government Contractors?
CMMC Phase II had been scheduled to take effect on November 10, 2026, and would have required contractors to undergo CMMC Level II Certified Third-Party Assessment Organization (C3PAO) assessments. The requirement for a contractor to pay for and undergo a C3PAO assessment has been put on hold.
This 60-day suspension doesn’t change contractor and subcontractor requirements under Phase I, which require maintaining CMMC Level 1 and Level 2 self-assessments and annual affirmations in SPRS. Furthermore, the temporary suspension does not remove existing requirements to safeguard federal information. Contractors and subcontractors with contracts containing the DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting remain contractually obligated to safeguard covered defense information by implementing the security requirements in NIST SP 800-171 Rev 2.
What Is Changing Immediately?
On July 13, 2026, the Office of the Under Secretary of War, Acquisition and Sustainment office issued a Memorandum titled Implementing Department of War Chief Information Officer’s Suspension of the Advancement to Cybersecurity Maturity Model Certification Phase 2 Requirements providing direction on how to handle the CMMC Phase 2 implementation during the suspension period. Program offices are only permitted to include CMMC Level 1 (Self) or Level 2 (Self) assessments in solicitations while the suspension is in effect. For any active solicitations that contain requirements for CMMC Level 2 (C3PAO) or CMMC Level 3 (DIBCAC), contracting officers must issue a solicitation amendment to remove those requirements.
This memo is not clear as to contracts with existing requirements to implement Phase II C3PAO assessments. We believe the intent is that, at least for the 60-day suspension period, the Phase II C3PAO assessments can be put on hold and any ongoing DIBCAC assessments should be stopped by DCMA.
Takeaways
Review your active solicitations as Contracting Officers are directed to issue amendments removing CMMC Level 2 (C3PAO) or CMMC Level 3 (DIBCAC) requirements during the suspension period.
Contractors and subcontractors with a significant amount of fixed-priced contracts and subcontracts should carefully assess the impact of this suspension and potential rework that may result from changing requirements. While specific impacts may not yet be determinable, contracting officers for high-dollar value contracts, as well as buyers of high-dollar value subcontracts, should be formally notified in writing that if the impact proves to be material, a Request for Equitable Adjustment (REA) under the FAR 52.243-1 changes clause will be submitted. As a reminder, you only have 30 days to make your assertion for an adjustment.
We strongly encourage small businesses, nontraditional businesses, and all DIB participants to submit feedback to the DoD CIO's Request for Information (RFI). Comments are due by August 14, 2026.
Managing Contract Impacts During the CMMC Suspension
Redstone GCI assists government contractors in understanding changing Government requirements and managing contract impacts from award through closeout. Our consultants review solicitation amendments and contract clauses, evaluate potential cost and schedule effects, prepare required notices, document contractor impacts, and support the development of assertions and requests for equitable adjustment under applicable changes clauses. We also assist with subcontractor flowdowns, cybersecurity compliance requirements, contract administration, and supporting documentation when changing CMMC requirements affect planned or completed work.
Frequently Asked Questions (FAQs)
- What is CMMC? The Cybersecurity Maturity Model Certification program establishes cybersecurity assessment requirements for contractors and subcontractors that handle federal contract information or controlled unclassified information. The required assessment level depends on the information involved and the applicable contract requirements.
- What part of CMMC has been suspended? The Department of War suspended the advancement to Phase II, which would have expanded the use of third-party CMMC Level 2 assessments and government-led Level 3 assessments. The suspension applies to requirements that were scheduled to take effect on November 10, 2026.
- Do contractors still have cybersecurity obligations during the suspension? Yes. Contractors and subcontractors must continue complying with the cybersecurity requirements included in their contracts. Required self-assessments and annual affirmations must also continue to be completed and posted in SPRS.
- Does the suspension eliminate CMMC assessments? No. CMMC Level 1 and Level 2 self-assessment requirements remain in effect. The requirement to pay for and undergo a Level 2 C3PAO assessment has been placed on hold during the suspension.
- How does the suspension affect active solicitations? Contracting officers are directed to amend active solicitations that require Level 2 C3PAO or Level 3 DIBCAC assessments. During the suspension, program offices may include only Level 1 Self or Level 2 Self-assessment requirements.
- Why is DOW reviewing the CMMC program? DOW is evaluating whether current CMMC requirements create excessive costs and administrative burdens, particularly for small and nontraditional businesses. The review will consider possible changes intended to maintain cybersecurity protections while reducing barriers to participation in the Defense Industrial Base.

