DoD Suspends CMMC Phase II Requirements Ahead of November Deadline

3 min readSources: National Law Review

The Department of Defense has suspended the CMMC Phase II certification requirements effective immediately.

Why it matters: Legal teams advising defense contractors must update compliance strategies and contracts due to this unexpected procedural change impacting cybersecurity obligations.

  • DoD announced on July 13, 2026 suspension of CMMC Phase II requirements originally set for November 10, 2026.
  • Phase I self-assessment requirements under CMMC continue without interruption.
  • A 60-day CMMC Reform Task Force will review the certification program and consider industry feedback.
  • Contractors must still comply with NIST SP 800-171 Rev 2 and DFARS 252.204-7012 standards during the review period.

On July 13, 2026, the Department of Defense (DoD announcement) suspended the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, initially slated to take effect on November 10, 2026. This suspension applies only to Phase II, which involved third-party certification assessments, while Phase I self-assessments remain mandatory.

The DoD attributed this decision to the need to reduce bureaucratic hurdles and keep a competitive defense supply chain. Under Secretary of Defense for Acquisition and Sustainment Michael Duffey emphasized the balance between maintaining robust security and reducing costs that could force smaller vendors out of the market. Duffey noted, "By pausing [CMMC] Phase 2 implementation, we are keeping more companies in the DIB who would otherwise be forced out at a time when we need them most." Similarly, DoD CIO Kirsten Davies stated the move is intended to reduce red tape, not security standards.

During this suspension, a 60-day CMMC Reform Task Force will conduct a thorough review of the certification program. The task force will examine compliance costs, implementation challenges, and consider potential alternatives to the current model, incorporating extensive industry feedback.

Contractors must continue to follow existing cybersecurity obligations, including compliance with NIST Special Publication 800-171 Revision 2 via self-assessments and selected government-led assessments. Additionally, requirements under DFARS 252.204-7012 remain in full effect. These include protecting Covered Defense Information, reporting qualifying cyber incidents, preserving affected systems, and submitting malware samples when necessary.

Legal professionals advising defense contractors should carefully revise guidance and contract language to reflect these procedural changes. The suspension creates temporary regulatory uncertainty but affirms ongoing cybersecurity responsibilities essential for protecting national defense operations.

By the numbers:

  • July 13, 2026 — date DoD announced suspension
  • November 10, 2026 — original Phase II CMMC compliance deadline
  • 60 days — duration of CMMC Reform Task Force review

Yes, but: While Phase II certification requirements are suspended, contractors still face rigorous cybersecurity obligations under existing NIST and DFARS standards during the transition.

What's next: The 60-day CMMC Reform Task Force will deliver recommendations for program modifications, expected to inform future enforcement and certification frameworks.