Published Tuesday, July 14, 2026 at 06:39 PM PT

<strong>DEPARTMENT OF WAR SUSPENDS CMMC PHASE II; 60-DAY REVIEW UNDERWAY</strong>

BLUF: Department of War halted implementation of Cybersecurity Maturity Model Certification (CMMC) Phase II effective immediately, postponing November 10, 2026 compliance deadline. All DoD contractors and subcontractors should pause Phase II preparation activities pending review outcome. Compliance timeline and requirements remain uncertain.


DETAILS

  • DoW announced suspension on July 13, 2026, halting Phase II rollout scheduled for November 10, 2026
  • Department initiating 60-day comprehensive review of CMMC program; review scope and specific focus areas not yet detailed in available reporting
  • Phase II suspension applies to all defense contractors and subcontractors currently preparing for compliance
  • Multiple sources confirm suspension but provide limited detail on review rationale; one source references “reducing compliance burden” as potential driver—this characterization is editorial interpretation, not official DoW statement
  • No official guidance issued yet on interim compliance expectations or revised timeline

IMPACT

  • Affected parties: All DoD contractors and subcontractors (estimated 300,000+ entities) currently working toward CMMC Level 2 certification by November 2026
  • Scope: Defense industrial base cybersecurity posture; supply chain security requirements; contractor compliance planning
  • Uncertainty: Current status of Phase I requirements, interim compliance obligations, and whether suspension affects already-certified entities remains unconfirmed

RECOMMENDED ACTIONS

  • Immediate: Contractors should monitor official DoW/CMMC-AB channels for guidance; do not halt security improvements, but defer Phase II-specific certification activities pending clarification
  • Within 7 days: Compliance officers should document current Phase II preparation status and budget implications
  • Ongoing: Prepare for potential revised requirements; 60-day review concludes approximately mid-September 2026

SOURCES

Homeland Security Today, Industrial Cyber, SecurityWeek, CyberScoop (July 13-14, 2026)