Key Details: On July 13, 2026, the Department of War suspended CMMC Phase II implementation and related third-party assessment requirements. The DOW official press release can be found here and the official suspension memorandum can be found here. The suspension pauses the planned November 10, 2026 transition to Phase II, including Level 2 third-party assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs) and Level 3 assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The Department established a CMMC Reform Task Force to conduct a top-to-bottom review of the program and provide recommendations within 60 days. While the suspension pauses certain assessment requirements, it does not eliminate existing cybersecurity obligations. Phase I self-assessments remain in place, and contractors should continue documenting compliance with NIST SP 800-171 Rev. 2, maintaining Supplier Performance Risk System (SPRS) information, complying with FAR 52.204-21 and DFARS 252.204-7012, and meeting applicable cyber incident reporting requirements.
The Cybersecurity Maturity Model Certification (CMMC) Program is the Department of War's framework for validating cybersecurity controls across the Defense Industrial Base (DIB). The program was designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) through a combination of self-assessments, third-party assessments, and cybersecurity compliance requirements tied to federal contracts.
The July 2026 action is best understood as a pause and reform effort, not a cancellation of cybersecurity compliance requirements.
According to the Department, the suspension pauses:
The Department stated that the current implementation created significant compliance costs and administrative burdens, particularly for small, medium-sized, and non-traditional defense contractors. The Small Business Administration supported the suspension, citing concerns that compliance costs and assessment capacity issues were pushing some innovative companies out of the Defense Industrial Base.
The practical takeaway is straightforward: the assessment requirements have been paused, but cybersecurity compliance obligations remain enforceable.
The Department's announcement should not be interpreted as a reason to stop cybersecurity work.
Instead, contractors should:
Contractors that continue addressing cybersecurity gaps and strengthening documentation may be better positioned when a revised framework is announced. Contractors should also remember that suspension of third-party assessment requirements does not eliminate risks associated with inaccurate cybersecurity representations. Organizations should continue ensuring that System Security Plans, SPRS submissions, self-assessments, and cybersecurity attestations accurately reflect actual compliance status.
The CMMC Reform Task Force is expected to deliver recommendations within 60 days.
Contractors should monitor:
Because the review is ongoing, this remains an evolving area for defense contractors.
The Department of War's suspension of CMMC Phase II provides temporary relief from upcoming third-party assessment requirements, particularly for contractors preparing for Level 2 C3PAO or Level 3 DIBCAC assessments.
However, the suspension does not eliminate existing cybersecurity obligations. Phase I self-assessments, remain in place, and requirements under NIST SP 800-171 Rev. 2, FAR 52.204-21, DFARS 252.204-7012 continue to apply incorporated into current contracts. Contractors should therefore continue maintaining applicable SPRS submissions, affirmations, and cyber incident reporting processes consistent with their current existing contract requirements.
Contractors should treat the suspension as a planning window to strengthen compliance and documentation, not as a pause on cybersecurity readiness. Organizations doing business with the Department of War should review existing cybersecurity requirements, contract language, self-assessment documentation, and compliance processes during the review period. Proactively addressing compliance gaps now may reduce future implementation risk if revised CMMC requirements are released.
About Sagarika Susarla
Finance Consultant
Sagarika Susarla is a Finance Consultant at Ryan & Wetmore. She focuses on supporting clients through financial analysis, tax consulting, and building practical tools that improve efficiency and decision-making. Sagarika earned her MBA from The George Washington University and her undergraduate degree in Finance, with a concentration in Corporate Finance.
About Samad Arouna
Marketing Coordinator
Samad Arouna is the Marketing Coordinator at Ryan & Wetmore, bringing a wealth of knowledge in digital marketing strategy and analytics. Before joining Ryan & Wetmore, Samad honed his skills working as a loan specialist for the Small Business Administration. He holds a Bachelor of Business Administration and a Master of Science in Marketing. Samad is dedicated to devising innovative marketing solutions that drive growth and success for the firm.
No. The suspension pauses certain third-party assessment requirements, but it does not remove existing cybersecurity obligations. Contractors should continue maintaining self-assessment documentation, SPRS information, System Security Plans, POA&Ms, and cyber incident reporting processes where applicable.
Contractors should start by reviewing active solicitations, current contract language, SPRS scores, self-assessment documentation, SSPs, POA&Ms, and subcontractor flow down requirements. This helps identify where clarification, updates, or continued documentation may be needed.
Contractors should monitor recommendations from the CMMC Reform Task Force, revised Department guidance, solicitation amendments, contract modifications, and any updates to assessment or validation requirements. The suspension creates a temporary review period, but future requirements may change once the reform process is complete.