Skip to the content

Department of War Suspends Cybersecurity Maturity Model Certification (CMMC) Phase II Requirements: Am I Now Off the Hook?

The Department of War's (DoW) July 13 announcement suspending the transition to CMMC Phase II, which had been scheduled to take effect on November 10, 2026, is welcome news for many defense contractors. The suspension delays the requirement for many organizations to obtain a third-party CMMC certification assessment. However, it does not eliminate existing contractual cybersecurity obligations or CMMC Phase I self-assessment requirements.

Key Updates

Effective immediately:

  • CMMC Phase II certification requirements are suspended.
  • CMMC Phase I self-assessment requirements remain in effect.
  • Pending and future CMMC Phase II implementation milestones in DoW solicitations and contracts are suspended during the review period.

The Department will conduct a 60-day review of the CMMC program to evaluate potential changes to the certification framework.

What Has Not Changed

Organizations subject to applicable CMMC and DFARS cybersecurity requirements remain responsible for:

  • Implementing and maintaining the security requirements of NIST SP 800-171 Rev. 2 through self-assessments and, where applicable, government-led assessments.
  • Complying with DFARS Clause 252.204-7012, which continues to require contractors and subcontractors to adequately safeguard covered defense information.
  • Completing applicable CMMC Phase I self-assessments and required affirmations.

What This Means

While the transition to CMMC Phase II has been suspended, existing cybersecurity requirements remain in effect. Contractors should continue to implement required security controls, complete applicable self-assessments and affirmations, and monitor additional guidance as the Department completes its review.

Whittlesey’s Cybersecurity team helps organizations prepare for evolving requirements through CMMC readiness assessments, NIST SP 800-171 gap analyses, remediation planning, and ongoing compliance advisory services.

To help assess your organization's preparedness, download our CMMC Readiness Checklist, which outlines practical steps to evaluate your cybersecurity posture, identify gaps, and prepare for future requirements.

If you have questions about how this announcement may affect your organization or would like to discuss your CMMC readiness strategy, please contact us.

Follow Us

For our thoughts on the industries we serve and firm updates, follow us on LinkedIn.

Ready to Connect?

We deliver personalized, expert services. Find out what we can do for you.