Overview
On July 13, 2026, the Department of War (DoW) announced the immediate suspension of all Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which had originally been scheduled to take effect November 10, 2026, including the transition to mandatory third-party assessments by CMMC Third-Party Assessment Organizations (C3PAOs) for contractors handling Controlled Unclassified Information (CUI). The DoW simultaneously established a CMMC Reform Task Force charged with delivering a comprehensive report within 60 days recommending “realistic, scalable security measures” for the Defense Industrial Base (DIB).
The suspension, announced by DoW Chief Information Officer Kirsten A. Davies, aligns with Secretary of War Pete Hegseth’s Acquisition Transformation System (ATS) directives and the broader “Arsenal of Freedom” initiative. Critically, the action does not relieve contractors of their underlying obligations to protect federal data, which includes the current DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and the NIST SP 800-171 Rev. 2 security controls upon which the CMMC Phase II requirements are based.