Pentagon Suspends CMMC Phase II Requirements
Why and How CMMC Phase II Is Being Suspended
On July 13, 2026, the Pentagon announced the immediate suspension of CMMC Phase II requirements, which had been scheduled to begin on November 10, 2026. The suspension primarily affects the requirement for third-party C3PAO cybersecurity assessments and audits, while leaving existing cybersecurity obligations in place.
The Pentagon’s Reasoning
According to Pentagon Chief Information Officer Kirsten Davies, the Department concluded that the current CMMC Phase II implementation has become too costly and administratively burdensome, particularly for small businesses and non-traditional defense contractors. Officials argued that cybersecurity remains essential, but that excessive compliance requirements were discouraging innovative companies from participating in the Defense Industrial Base (DIB). Innovative small businesses that participate in programs such as SBIR and STTR may not have the funding, annual revenue, and staffing levels to meet the time and costs required to achieve and maintain CMMC compliance, making CMMC both a necessity and potentially insurmountable obstacle for small business cybersecurity.
A July 10 memorandum cited “significant and often prohibitive burdens” on defense contractors and stated that compliance requirements should not come at the expense of industrial-base growth or rapid delivery of capabilities to warfighters. Pentagon officials emphasized that the goal is to reduce bureaucracy, not cybersecurity.
While some companies have been able to afford the cost and put in the effort to achieve CMMC Level 2 certification, vastly more companies have not yet met Level 2 requirements. It’s been estimated that more than 100,000 companies require CMMC certifications, but there may be fewer than 100 authorized C3PAO companies available to perform the required inspections. Too few inspectors and too many companies needing to be inspected have been major contributing factors in the decision to temporarily suspend CMMC implementation. Moreover, CMMC is also required for international partners competing for DoD contracts, even if participating as a subcontractor or supplier for US prime contractors, adding potentially thousands more foreign partner companies to the backlog of CMMC inspections.

What Is Being Suspended?
The key element being paused is the Phase II certification mechanism, which would have required contractors handling Controlled Unclassified Information (CUI) to undergo periodic third-party assessments by accredited C3PAOs. Under Secretary Michael Duffey stated that the Department is halting the requirement for third-party audits while it reevaluates the program.
The Department has established a CMMC Reform Task Force and initiated a 60-day review intended to align cybersecurity requirements with broader acquisition reform initiatives focused on:
- Speeding capability delivery
- Lowering barriers for small and medium-sized businesses
- Encouraging non-traditional suppliers to enter the defense market
- Replacing bureaucratic compliance mechanisms with more scalable security measures
What Is Not Changing?
The suspension does not eliminate contractors’ cybersecurity responsibilities. The Pentagon has explicitly stated that:
- DFARS 252.204-7012 remains in effect
- Contractors must still protect Covered Defense Information and CUI
- NIST SP 800-171 requirements remain applicable
- Phase I self-assessment requirements remain in place
- Government-led DIBCAC assessments may continue
- False Claims Act liability associated with inaccurate self-attestations still exists
In other words, the Pentagon is suspending the audit and certification process, not the underlying cybersecurity standards. Contractors are still expected to maintain adequate cybersecurity safeguards and accurately report their compliance status.
What Happens Next?
The newly formed CMMC Reform Task Force has been directed to conduct a top-to-bottom review of the program and provide recommendations within 60 days. Pentagon officials have indicated that CMMC could return in a revised form, potentially with a streamlined certification model intended to preserve cybersecurity while reducing compliance costs and administrative overhead.
Bottom Line
The Pentagon suspended CMMC Phase II because it determined that the current third-party certification framework was imposing excessive costs and administrative burdens on defense contractors—especially small businesses—while potentially discouraging participation in the Defense Industrial Base. However, contractors are still required to comply with DFARS and NIST cybersecurity requirements, and the Department is reviewing how to maintain strong cybersecurity protections with a less burdensome compliance structure.

The images in this article were created using an AI image generator. All illustrations are ©Intelliwings.