Published Tuesday, July 14, 2026 at 12:39 PM PT

BLUF: The Department of Defense has immediately suspended the transition to CMMC Phase II and launched a 60-day review to reassess cybersecurity requirements for defense contractors. Affected contractors should clarify current compliance obligations with their contracting officers; Phase II deadlines are effectively paused pending policy revision.
DETAILS:
- DoD suspended CMMC Phase II implementation effective immediately, halting the planned transition from Phase I requirements
- A 60-day formal review has been initiated to evaluate and potentially reduce compliance burden on defense industrial base contractors
- The suspension applies to the mandatory certification timeline previously established for contractors; current Phase I requirements remain in effect during the review period
- The policy revision is framed as addressing implementation challenges and contractor feedback regarding feasibility and cost
- No revised Phase II timeline or modified requirements have been announced; these will emerge from the 60-day review
IMPACT:
- Affected parties: All DoD contractors and subcontractors currently operating under CMMC Phase I requirements, particularly small and mid-sized suppliers
- Scope: Defense industrial base cybersecurity posture; supply chain risk management framework
- Operational effect: Contractors face regulatory uncertainty during the review period; Phase II compliance planning is effectively frozen pending new guidance
- Timeline: Current status quo maintained for 60 days minimum; revised requirements expected post-review
RECOMMENDED ACTIONS:
- Contractors should contact their contracting officers to confirm current Phase I compliance obligations remain unchanged
- Pause Phase II preparation activities pending DoD guidance; do not commit resources to Phase II implementation until revised requirements are published
- Monitor DoD and CMMC Accreditation Body communications for 60-day review outcomes
- Maintain current Phase I security posture and documentation
SOURCES:
Department of Defense announcement; DefenseScoop; CyberScoop; SecurityWeek
