Authors
CMMC slows down: DoW launches program review
On July 13, 2026, the Department of War (DoW) announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II certification requirements. The action pauses the third-party assessment requirement that was scheduled to take effect on November 10, 2026, and suspends implementation milestones across DoW solicitations and contracts.
The suspension was issued pursuant to Secretary of War Pete Hegseth’s Acquisition Transformation System directives, which emphasize speed to capability and reducing barriers to entry for small, medium, and non-traditional defense contractors. The DoW cited Small Business Administration data indicating that CMMC compliance costs have discouraged some innovative companies from participating in the Defense Industrial Base.
DoW Chief Information Officer Kirsten A. Davies will lead the review through a newly established CMMC Reform Task Force. The Task Force will evaluate the certification program and consider industry feedback collected through a forthcoming public request for information. The Task Force is expected to provide findings to the DoW CIO within 60 days.
The pause button does not suspend cybersecurity duties
Although CMMC Phase II implementation is paused, contractors should not view the suspension as a relaxation of cybersecurity requirements. Existing obligations remain in place, including:
- CMMC Phase I self-assessment requirements: Contractors must continue maintaining current and accurate self-assessments and compliance with applicable National Institute of Standards and Technology (NIST) SP 800-171 Rev. 2 requirements.
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 obligations: Contractors and subcontractors remain responsible for safeguarding covered defense information and reporting cyber incidents.
- DFARS 252.204-7020 requirements: Where incorporated into contracts, DoW assessment requirements tied to NIST SP 800-171 remain applicable.
- Government oversight: During the interim review period, the DoW will continue relying on NIST SP 800-171 Rev. 2 compliance measures, including self-assessments and targeted government assessments.
What contractors should do now
The suspension creates both opportunities and uncertainty for companies operating in or seeking to enter the Defense Industrial Base.
Contractors already preparing for CMMC Level 2 certification should continue maintaining NIST SP 800-171 Rev. 2 compliance because those controls remain foundational to existing DFARS obligations. Organizations that delayed third-party assessment preparation may have additional time to evaluate their compliance posture, but abandoning cybersecurity investments may create future risk if revised CMMC requirements are implemented.
The Task Force review also creates an opportunity for industry participation. Contractors should review the RFI and consider providing feedback regarding the cost, implementation, and effectiveness of the current certification framework. Responses are due on August 14, 2026, at 12:00 PM EDT. Responses will be accepted via electronic mail by the primary point of contact, Leanne Condren, and the PSB mailbox.
For small and non-traditional defense contractors that previously viewed CMMC certification costs as a barrier to entry, the interim period may present new opportunities to pursue DoW contracts while the program undergoes review.
FCA risk remains: Accuracy matters more than ever
The suspension of CMMC Phase II does not eliminate False Claims Act (FCA) exposure for defense contractors. The Department of Justice’s Civil Cyber-Fraud Initiative continues to focus on contractors and subcontractors that knowingly misrepresent their cybersecurity compliance posture in connection with federal contracts.
Because DFARS 252.204-7012 and DFARS 252.204-7020 remain operative, contractors continue to make compliance representations regarding their implementation of NIST SP 800-171 controls. Inaccurate self-assessments, unsupported certifications, or material misrepresentations regarding cybersecurity practices may form the basis for FCA enforcement actions, including qui tam claims brought by whistleblowers.
With CMMC Phase I self-assessments serving as a central compliance mechanism during the interim period, contractors should ensure that their scores are current, accurate, and supported by appropriate documentation – including Plans of Action and Milestones where compliance gaps remain.
The path forward
The DoW’s CMMC pause provides temporary relief from Phase II certification requirements, but it does not change the cybersecurity obligations already embedded in federal contracts. Contractors should use this period to validate their compliance posture, document gaps, and prepare for whatever framework emerges from the DoW’s review.
We will continue to monitor developments regarding the DoW’s CMMC review and any changes to the cybersecurity compliance framework. Please reach out to our team with any questions regarding how these developments may affect your organization’s compliance obligations, contracting strategy, or ongoing CMMC preparation efforts.
Client Alert 2026-148
Authors