DoD Suspends CMMC Phase II, Initiates Comprehensive Review
DoD Suspends CMMC Phase II, Initiates Comprehensive Review
On July 13, 2026, the U.S. Department of Defense (DoD) announced the immediate suspension of Phase II of the Cybersecurity Maturity Model Certification (CMMC) program. This decision halts the November 10, 2026, deadline for mandatory third-party certifications and all related implementation milestones. The suspension is part of a broader initiative to reassess and potentially reform the CMMC framework through a newly established CMMC Reform Task Force.
Background on CMMC
Introduced in 2019, the CMMC framework was designed to enhance the cybersecurity posture of the defense industrial base (DIB) by establishing a tiered certification system. The framework comprises multiple maturity levels, each with specific cybersecurity practices and processes. The goal was to ensure that contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) implemented appropriate cybersecurity measures.
Details of the Suspension
The suspension specifically affects CMMC Level 2 (C3PAO) and Level 3 (DIBCAC) third-party assessment requirements. During this period, active solicitations and contracts must be amended to remove these designations. However, it's crucial to note that baseline cybersecurity obligations remain in effect. Contractors are still required to comply with the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and other applicable provisions. Additionally, DoD Program Managers may continue to designate requirements for Level 1 or Level 2 self-assessments.
According to a memorandum from the DoD, the suspension aims to reduce barriers to participation in the defense industrial base and to ensure that the CMMC program effectively enhances cybersecurity without imposing undue burdens on contractors. The department has initiated a 60-day comprehensive review of the program, including a Request for Information (RFI) to gather feedback from stakeholders.
Implications for Contractors
For contractors, this suspension offers a reprieve from the immediate pressures of obtaining third-party certifications. However, it does not eliminate the need for robust cybersecurity practices. Organizations should use this period to:
- Review and strengthen existing cybersecurity measures in line with NIST SP 800-171 controls.
- Ensure compliance with DFARS obligations and maintain accurate Supplier Performance Risk System (SPRS) score affirmations.
- Prepare for potential changes to the CMMC framework by staying informed about developments from the CMMC Reform Task Force.
It's also advisable for contractors to participate in the RFI process to provide feedback on the CMMC program, as this input could influence future reforms.
Industry Reactions
The suspension has elicited mixed reactions within the defense contracting community. Some stakeholders appreciate the DoD's willingness to reassess the program, viewing it as an opportunity to address concerns about the complexity and cost of compliance. Others express apprehension about the uncertainty this suspension introduces, particularly for organizations that have already invested significant resources in preparing for CMMC certifications.
Legal experts emphasize the importance of maintaining compliance with existing cybersecurity requirements. As noted by Greenberg Traurig LLP, "Contractors must still comply with cybersecurity controls established by the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and other applicable provisions."
Next Steps
During the 60-day review period, the CMMC Reform Task Force will evaluate the program's effectiveness and consider potential reforms. Contractors should monitor communications from the DoD for updates and be prepared to adapt to any changes resulting from this review. Engaging with industry associations and legal counsel can also provide valuable insights and guidance during this transitional period.
In summary, while the suspension of CMMC Phase II provides temporary relief from certain certification requirements, it underscores the DoD's commitment to refining the program to better serve the defense industrial base. Contractors must remain vigilant in their cybersecurity practices and proactive in responding to forthcoming changes.
For more detailed information, refer to the following sources: