1. Home
  2. |Insights
  3. |Department of War Immediately Suspends CMMC Phase II Requirements, Launches 60-Day Reform Review

Department of War Immediately Suspends CMMC Phase II Requirements, Launches 60-Day Reform Review

What You Need to Know

  • Key takeaway #1

    The Department of War (DoW) is immediately suspending Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which had been scheduled to take effect on November 10, 2026, along with other pending and future CMMC implementation milestones in current contracts.

  • Key takeaway #2

    DoW plans to establish a CMMC Reform Task Force and conduct a 60-day study of CMMC.

  • Key takeaway #3

    DFARS 252.204-7012 and CMMC Phase I self-assessment requirements remain unaffected. Contractors are still required to protect federal data and implement security controls, including NIST SP 800-171, as required by their contracts.

Client Alert | 2 min read | 07.13.26

The Department of War (DoW) is immediately suspending Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which had been scheduled to take effect on November 10, 2026.

What is CMMC, and What is Phase II?

DoW’s CMMC program is a certification initiative to verify that the Defense Industrial Base is consistently implementing mandatory cybersecurity controls to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). DoW had planned for CMMC to take effect over a four-phase rollout. Phase I took effect on November 10, 2025, and focused on contractor self-assessment requirements. Phase II, which had been expected to take effect on November 10, 2026, would see the inclusion of third-party assessment requirements in DoW contracts.

What Happened?

Citing prohibitive compliance costs and bureaucratic burdens, the DoW announced the suspension of Phase II in alignment with Secretary Hegseth's initiatives to streamline the acquisition process.  The DoW specified that it is suspending the transition to Phase II requirements of CMMC, as well as pending and future CMMC implementation milestones across the Department of War solicitations and contracts.

The DoW’s Chief Information Officier is establishing a CMMC Reform Task Force to conduct a comprehensive top-to-bottom review of the certification program, synthesizing industry feedback obtained through a public Request for Information and delivering a final report within 60 days.

During this review period, DoW will continue to enforce cybersecurity compliance with the NIST SP 800-171 Rev 2 standard via self-assessments and select government-led assessments.

What Remains Unchanged?

As DoW notes, this action does not eliminate other contractual requirements to protect federal data. Importantly, all defense contractors and subcontractors remain contractually obligated to safeguard covered defense information under DFARS 252.204-7012.  Additionally, DoW noted that CMMC Phase I self-assessment requirements “remain firmly in place.”  These include Level 1 self-assessed certifications and attestations to protect FCI, as well as Level 2 self-assessments and attestations to protect CUI. The DoW did not explicitly reference the discretion that Phase 1 provided the DoW to require C3PAO assessments on a case-by-case basis before Phase 2. 

What This Means for Contractors?

Defense contractors should continue to maintain robust cybersecurity practices under existing DFARS obligations, monitor for opportunities to submit feedback to the Reform Task Force, and track the 60-day review for guidance on revised CMMC requirements.

Defense contractors should be aware that while the Phase II rollout is paused, existing compliance obligations, particularly DFARS 252.204-7012 and CMMC Phase I requirements, remain in force. Whether or not CMMC certification obligations change, contractors will need to implement NIST SP 800-171 to safeguard DoW CUI and ensure they can defend their practices under government scrutiny. The Department of Justice remains vigilant about leveraging the False Claims Act to investigate alleged noncompliance with DFARS 252.204-7012 and 252.204-7020 under its Civil Cyber-Fraud Initiative, and could expand its focus to false or inaccurate CMMC Phase I self-assessments in the future.

For more information, please contact the Crowell & Moring Government Contracts and Privacy and Cybersecurity Groups.

Contacts

Insights

Client Alert | 3 min read | 07.13.26

Amici Rally Behind Liberty Global, Urging Tenth Circuit to Rein in Economic Substance Doctrine

Following the 10th Circuit's April 21, 2026, decision affirming the disallowance of Liberty Global’s $2.4 billion deduction under the codified economic substance doctrine, I.R.C. § 7701(o), Liberty Global filed a petition for panel rehearing or rehearing en banc on June 5, 2026. That petition has since drawn significant amicus support from various industry groups representing large taxpayers, as discussed below....