Published Tuesday, July 14, 2026 at 12:39 PM PT

<strong>CMMC PHASE II SUSPENDED: DoD HALTS CONTRACTOR COMPLIANCE TRANSITION, INITIATES 60-DAY POLICY REVIEW</strong>

BLUF: The Department of Defense has immediately suspended the transition to CMMC Phase II and launched a 60-day review to reassess cybersecurity requirements for defense contractors. Affected contractors should clarify current compliance obligations with their contracting officers; Phase II deadlines are effectively paused pending policy revision.


DETAILS:

  • DoD suspended CMMC Phase II implementation effective immediately, halting the planned transition from Phase I requirements
  • A 60-day formal review has been initiated to evaluate and potentially reduce compliance burden on defense industrial base contractors
  • The suspension applies to the mandatory certification timeline previously established for contractors; current Phase I requirements remain in effect during the review period
  • The policy revision is framed as addressing implementation challenges and contractor feedback regarding feasibility and cost
  • No revised Phase II timeline or modified requirements have been announced; these will emerge from the 60-day review

IMPACT:

  • Affected parties: All DoD contractors and subcontractors currently operating under CMMC Phase I requirements, particularly small and mid-sized suppliers
  • Scope: Defense industrial base cybersecurity posture; supply chain risk management framework
  • Operational effect: Contractors face regulatory uncertainty during the review period; Phase II compliance planning is effectively frozen pending new guidance
  • Timeline: Current status quo maintained for 60 days minimum; revised requirements expected post-review

RECOMMENDED ACTIONS:

  • Contractors should contact their contracting officers to confirm current Phase I compliance obligations remain unchanged
  • Pause Phase II preparation activities pending DoD guidance; do not commit resources to Phase II implementation until revised requirements are published
  • Monitor DoD and CMMC Accreditation Body communications for 60-day review outcomes
  • Maintain current Phase I security posture and documentation

SOURCES:

Department of Defense announcement; DefenseScoop; CyberScoop; SecurityWeek