LawFlash

Department of War Suspends CMMC Phase II Requirements, but Cybersecurity Obligations Remain

16 июля 2026 г.

The Department of War (DoW) announced on Monday, July 13, 2026, that it was immediately suspending the implementation of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which were set to take effect on November 10, 2026. Phase II would have required certain contractors to obtain cybersecurity assessments from Certified Third-Party Assessment Organizations (C3PAOs).

The Phase II requirements were previously discussed in our LawFlash, DOD Finalizes CMMC Rules, Adding Cybersecurity and False Claims Act Compliance Risks and our blog post, CMMC in Effect: Cybersecurity Compliance Measures.

The DoW’s suspension, which also pauses later implementation milestones, offers immediate relief to contractors facing near-term C3PAO assessment deadlines but does not alter substantive cybersecurity obligations to protect federal contract information (FCI) and controlled unclassified information (CUI). According to the DoW, the suspension was driven in significant part by concerns that the existing certification model imposed substantial costs and administrative burdens on the defense industrial base (DIB), particularly small, medium-sized, and nontraditional contractors, and by concerns regarding available third-party assessment capacity.

While the suspension provides a brief reprieve to some companies, they remain subject and exposed to False Claims Act (FCA) risk because compliance with cybersecurity obligations and associated self-assessments remains central to contract requirements for many government contractors.

EFFECTS OF THE SUSPENSION

The DoW’s decision suspends the upcoming November 2026 transition to Phase II and holds pending and future CMMC implementation milestones in abeyance until further notice. During the suspension, contracting officers may only include CMMC Level 1 (Self) or Level 2 (Self) assessment requirements in government contracts.

  • Level 1: This applies to contractors that handle FCI, which is any information not intended for public release that is provided by or generated for the government under a government contract. Generally, compliance requires implementing Federal Acquisition Regulation (FAR) 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) and the 15 security controls that the clause specifies. Contractors that handle FCI are required to complete annual self-assessments and affirmations regarding compliance with Level 1 cybersecurity requirements.
  • Level 2: This applies to contractors that handle CUI, which is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Generally, compliance requires that contractors implement the 110 NIST (National Institute of Standards and Technology) 800-171 security requirements, which is an existing obligation for contractors subject to Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. Contractors are only required to perform a self-assessment of compliance while the suspension is in place.

During the suspension, contracting officers and procurements may not require Level 2 (C3PAO) or Level 3 (Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)) assessments.

WHAT REMAINS IN PLACE

CMMC is best understood as a mechanism for the government to require assessment of and certification for cybersecurity requirements. The DoW’s suspension should be viewed as a pause in the CMMC certification rollout, not a waiver of cybersecurity requirements. With the exception of CMMC Level 3, the CMMC program did not impose new substantive requirements. The substantive requirements already exist in the FAR and DFARS clauses that are otherwise incorporated into contracts.

In other words, the CMMC framework does not change or replace the underlying FAR and DFARS duties that already apply to contractors. Materials the DoW released alongside the suspension announcement expressly state that “all other contractual cybersecurity clauses” remain intact and that contractors and subcontractors remain obligated to protect federal data.

For instance, FAR 52.204-21 continues to establish basic safeguarding requirements for information systems that process, store, or transmit FCI. For defense contractors handling covered defense information, DFARS 252.204-7012 remains in effect and continues to require safeguarding of covered defense information and cyber incident reporting. Under DFARS 252.204-7012, contractors must implement the 110 security controls of NIST 800-171.

Pausing C3PAO and DIBCAC assessments does not halt the need to implement or maintain remediation plans, system security plans, Supplier Performance Risk System entries, incident reporting procedures, subcontractor flowdowns, and internal controls. Inaccurate self-assessments or unsupported affirmations may still create contractual, administrative, and FCA exposure.

Notably, because Level 1 and Level 2 self-assessments remain the primary compliance-verification mechanism during the suspension, the government may place heightened attention on the accuracy and supportability of contractor self-assessments and affirmations.

THE 60-DAY TASK FORCE AND RFI

Along with the suspension, the DoW Chief Information Officer is establishing a CMMC Reform Task Force to conduct a review of the certification program and deliver recommendations within 60 days.

The task force is charged with reviewing whether the current program can be redesigned to better align with the DoW’s Acquisition Transformation System directives, including lowering barriers for small, medium-sized, and nontraditional contractors while maintaining cybersecurity and operational resilience.

As part of that review, the DoW issued a Request for Information (RFI) seeking industry input on cost drivers, administrative burdens, security controls that provide meaningful cyber uplift, commercial cybersecurity tools and managed services, challenges with Phase I self-assessments, and policy reforms that could be implemented over the next 60 days.

RFI responses are due by 12:00 pm ET on Friday, August 14, 2026. Contractors that have experienced assessment bottlenecks, duplicative controls, subcontractor flow-down issues, or uncertainty about self-assessment documentation should consider providing targeted feedback.

Because the CMMC Reform Task Force has been tasked with conducting a top-to-bottom review of the certification program and recommending potential reforms within 60 days, contractors should not assume that the current suspension represents the final disposition of third-party assessment requirements. Depending on the outcome of that review, those requirements could return in modified form.

SOLICITATIONS, CONTRACTS, AND NEXT STEPS

The suspension’s implementing memorandum addresses both future requirements and current contracting instruments. If an active solicitation was based on a requirements package that included Level 2 (C3PAO) or Level 3 (DIBCAC) requirements, program managers must provide amended requirements documents removing those requirements, and contracting officers must issue corresponding solicitation amendments as soon as practicable.

For existing contracts and agreements that already contain such requirements, contracting officers and agreements officers are directed to remove them by modification before exercising the next option period or during the next scheduled administrative modification.

Contractors should not assume that every solicitation or contract will be updated immediately. Companies should review pending bids, active awards, subcontract templates, and option-period planning to identify CMMC assessment requirements that may now be inconsistent with DoW guidance and to assess the implications of the suspension for pending proposals, subcontractor requirements, and certification-related investments already underway.

Where needed, contractors should seek clarification, amendments, or modifications and preserve written records showing how the parties handled any suspended CMMC terms or terms held in abeyance. Contractors should also continue to track subcontractor obligations because CMMC assessment language may have flowed down based on earlier Phase II planning.

KEY TAKEAWAYS

  • Phase II is paused, but Phase I is not. The suspension affects third-party assessment requirements, not the underlying cybersecurity obligations themselves. Level 1 and Level 2 self-assessment requirements remain applicable for solicitations and contracts, and contractors should continue maintaining accurate self-assessments and supporting records. Failure to implement the substantive requirements underlying Level 1 (i.e., FAR 52.204-21) or Level 2 (i.e., DFARS 252.204-7012) could lead to breach of contract or FCA liability.
  • Substantive cybersecurity obligations remain in effect. FAR 52.204-21, DFARS 252.204-7012, NIST SP 800-171 obligations, and incident reporting duties are not suspended merely because third-party certification milestones are on hold. The Department of Justice’s Civil Cyber-Fraud Initiative and related FCA enforcement efforts likewise remain unaffected by the suspension, keeping noncompliance risk in place.
  • Contractors should review contract language now. Existing or pending Level 2 (C3PAO) and Level 3 (DIBCAC) terms may need solicitation amendments or contract modifications, and contractors should seek written clarification where requirements remain in contracts despite the suspension.
  • Contractors who were previously excluded from competition or declined to participate in competitions because of Level 2 (C3PAO) requirements should consider potential options to reengage in or challenge the procurements. Notably, this issue is most likely to arise in solicitations that expressly required a Level 2 (C3PAO) assessment, although contractors should also review procurements where such assessments may have been incorporated through amended requirements packages or agency-specific implementation decisions.
  • The CMMC Reform Task Force and RFI open a short window of opportunity for contractors to help shape any revised certification model, particularly around cost, third-party assessor availability, commercial cybersecurity capabilities, and operational resilience.
  • While the RFI requests input on the CMMC framework (and that framework’s requirement for third-party assessments undoubtedly caused concern for contractors), it is unclear whether the DoW will tackle the substantive requirements for cybersecurity compliance that give pause to many small, medium-sized, and nontraditional contractors, such as the need to implement the 110 security controls of NIST 800-171.

Summer associate Cameron Marsh contributed to this LawFlash.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:

Authors
Alexander B. Hastings (Washington, DC)
Daniel Funaro (Washington, DC)
Scott Whitman (Washington, DC)
Moshe Klein (Washington, DC)
Alison Tanchyk (Miami / Philadelphia)