← All posts
Filed in / cmmc · compliance · small-business

Why the Department of War Suspended CMMC Phase II

In this piece
  1. 01 The CMMC Phase II announcement in brief
  2. 02 Why the Department says it suspended Phase II
  3. 03 What the 60-day CMMC review will examine
  4. 04 Cybersecurity requirements remain in place
  5. 05 What the announcement says about acquisition reform
  6. 06 What defense contractors should take away
  7. 07 The bottom line
  8. 08 Related reading

The Department of War suspended CMMC Phase II on July 13, 2026, stopping requirements that were scheduled to take effect on November 10, 2026. It also paused pending and future CMMC implementation milestones while it conducts a broader review of the program.

The decision is not presented as a retreat from cybersecurity. In its “Forging the Arsenal of Freedom” announcement, the Department argues that CMMC’s certification structure has become too costly and administratively heavy for parts of the Defense Industrial Base (DIB), particularly small, medium, and nontraditional businesses.

The Department is now asking whether it can protect federal data with a more scalable approach, one that emphasizes practical cybersecurity outcomes without discouraging capable companies from pursuing defense work.

The CMMC Phase II announcement in brief

The July 13 release makes five main points:

  1. CMMC Phase II is suspended immediately. The November 10, 2026 transition will not proceed as scheduled.
  2. Later implementation milestones are also on hold. The suspension applies to pending and future CMMC milestones across Department solicitations and contracts.
  3. Phase I remains in place. Contractors must continue meeting applicable self-assessment requirements.
  4. The Department is launching a 60-day review. A new CMMC Reform Task Force will collect industry feedback and recommend changes to the Department CIO.
  5. The duty to protect federal data remains. Contractors and subcontractors are still responsible for safeguarding covered defense information under DFARS 252.204-7012.

The 60 days refers to the review period. The release does not announce a new Phase II start date or say that the suspension will automatically end when the review is complete.

Why the Department says it suspended Phase II

The announcement connects the decision to Secretary of War Pete Hegseth’s Acquisition Transformation System. That initiative prioritizes faster delivery of military capability, wider access to commercial technology, and lower barriers for companies that want to enter or remain in the DIB.

According to the Department, the current CMMC program has worked against those goals by creating high compliance costs and administrative burdens. The release points to reporting from the Small Business Administration and says those burdens are pushing innovative companies away from defense work.

That claim is central to the Department’s case for reform. Beyond what certification costs any individual contractor, the Department is worried about what those costs do to competition, supplier capacity, and the speed at which new capabilities reach the warfighter.

The release therefore frames CMMC as an acquisition issue as well as a cybersecurity program. If a security requirement is so difficult to navigate that qualified companies leave the market, the Department argues, the result can weaken the industrial base it is intended to protect.

What the 60-day CMMC review will examine

Department CIO Kirsten A. Davies is establishing a CMMC Reform Task Force to conduct what the release describes as a top-to-bottom review of the certification program.

The task force will gather feedback through a public Request for Information focused on compliance challenges. It will then recommend security measures that are intended to be more realistic and scalable, particularly for small and nontraditional businesses. Its final report is due to the CIO within 60 days.

The review is expected to consider a basic tension: how to verify that contractors protect sensitive federal information without making the verification process the dominant cost of participation.

The announcement does not prescribe the answer. It does not identify a replacement assessment model, a revised phase schedule, or a future role for third-party certification. Those decisions are part of the work now assigned to the task force.

Cybersecurity requirements remain in place

The strongest warning in the release is also the easiest part to miss: suspending Phase II does not eliminate contractors’ responsibility to protect federal data.

All Phase I self-assessment requirements remain in effect. During the review, the Department says it will continue enforcing NIST SP 800-171 Revision 2 through self-assessments and selected government-led assessments.

Contractors and subcontractors also remain contractually obligated to safeguard covered defense information under DFARS 252.204-7012. That means the operational work behind compliance still matters: controlling access, protecting systems that handle CUI, responding to incidents, maintaining documentation, and showing that required safeguards are actually working.

In short, the planned expansion of CMMC certification requirements is suspended, while the underlying responsibility to protect FCI and CUI stays in force. Nothing about the day-to-day work of safeguarding federal data has been called off. What changed is how the Department plans to expand and evaluate its certification program.

What the announcement says about acquisition reform

The release’s title, “Forging the Arsenal of Freedom,” points to the Department’s broader argument that acquisition policy should help expand the supplier base rather than narrow it.

Three priorities run through the announcement.

Speed to capability. The Department wants security requirements that do not unnecessarily delay access to useful commercial products and services.

More competition. Lowering barriers for small, medium, and nontraditional businesses is presented as a way to keep more suppliers in the defense market.

Practical cyber resilience. The Department says it wants to focus enforcement on tangible cyber hygiene and operational resilience rather than administrative overhead.

Those priorities do not remove the need for evidence or accountability. They do show what the Department wants the reform task force to optimize for: security measures that can scale across a diverse industrial base without treating every contractor as if it has the resources of a major prime.

What defense contractors should take away

The immediate guidance for contractors is short.

  • Continue all applicable Phase I self-assessments.
  • Keep implementing and documenting NIST SP 800-171 Rev. 2 safeguards.
  • Continue protecting covered defense information under DFARS 252.204-7012.
  • Watch for the public RFI, the task force’s recommendations, and further Department guidance.
  • Do not assume the 60-day review creates a new deadline or guarantees a particular outcome.

Companies that have already invested in stronger controls have not wasted that effort. The Department continues to describe cybersecurity and operational resilience as critical to protecting American innovation and warfighter readiness. What is being reconsidered is the structure and burden of the certification program around those controls.

The bottom line

The Department of War suspended CMMC Phase II because it believes the program’s cost and bureaucracy are restricting participation in the Defense Industrial Base. It has given a reform task force 60 days to recommend a more scalable approach that supports both cybersecurity and faster acquisition.

For now, Phase I remains active, NIST SP 800-171 Rev. 2 remains the stated security baseline, and DFARS safeguarding obligations remain intact. The question facing the Department is not whether defense contractors should protect federal data. It is how to verify that protection without driving capable suppliers out of the market.

If your team needs to keep NIST 800-171 safeguards running while the certification picture settles, IRONKEEP is built for that. It gives small and mid-sized defense contractors a US-hosted platform for encrypted email, secure file storage, and controlled collaboration under a single compliance-focused boundary, so the controls and evidence DFARS still requires stay in place regardless of where the reform lands. Lock in founding member pricing before we launch.

Get the CMMC Level 2 readiness checklist

30 items across 11 control families, with what a C3PAO expects to see for each one. Subscribers also get early access to founding member pricing.