Regulation Neutral 6

DoD Suspends CMMC Phase II: 60-Day Review and 30-Day RFI Signal Major Regulatory Shift

DoD's immediate suspension of CMMC Phase II brings regulatory uncertainty for defense contractors. A 60-day task force and RFI aim to reassess compliance costs. Legal advisors must guide clients through ongoing DFARS obligations while monitoring potential new rulemaking.

· 4 min read · Verified by 2 sources ·
Share

Key Takeaways

  • DoD's immediate suspension of CMMC Phase II brings regulatory uncertainty for defense contractors.
  • A 60-day task force and RFI aim to reassess compliance costs.
  • Legal advisors must guide clients through ongoing DFARS obligations while monitoring potential new rulemaking.

Mentioned

U.S. Department of Defense government Cybersecurity Maturity Model Certification (CMMC) regulatory framework Defense Federal Acquisition Regulation Supplement (DFARS) regulation Pete Hegseth person CMMC Reform Task Force committee

Key Intelligence

Key Facts

  1. 1DoD suspended CMMC Phase II implementation deadlines, including the Nov. 10, 2026 transition, effective July 13, 2026.
  2. 2A 60-day CMMC Reform Task Force will review the program and issue a Request for Information (RFI) to gather industry feedback on readiness and cost over the next month.
  3. 3Contractors must still comply with DFARS 252.204-7012 and CMMC Phase I self-assessment requirements; DoD program managers may still require Level 1 or Level 2 (Self) assessments.
  4. 4The suspension is part of Secretary Hegseth’s Acquisition Transformation System aimed at reducing regulatory burdens and expanding the defense industrial base.
  5. 5Pending and future CMMC-related milestones in DoD solicitations and contracts are paused during the review.
  6. 6The underlying cybersecurity obligation to protect controlled unclassified information (CUI) remains in effect via existing regulations.

Analysis

For defense contractors and their legal teams, the DoD's suspension of CMMC Phase II represents a sudden regulatory halt with significant contractual implications. While the suspension temporarily removes the third-party assessment mandate, it does not absolve contractors from existing cybersecurity obligations under DFARS and CUI handling. The 60-day review could lead to a revised rulemaking that fundamentally alters the landscape of defense procurement compliance.

On July 13, 2026, the U.S. Department of Defense abruptly suspended the transition to Cybersecurity Maturity Model Certification (CMMC) Phase II, scrapping the November 10, 2026 deadline that would have mandated third-party assessments for contractors handling controlled unclassified information (CUI). The move, announced via two memoranda, halts the most stringent tier of the Pentagon’s landmark cybersecurity certification program and signals a fundamental reassessment of how to secure the defense industrial base without unduly burdening industry participants. The suspension is effective immediately, and pending CMMC milestones in solicitations and contracts are paused while a 60-day Reform Task Force conducts a comprehensive review.

Secretary of Defense Pete Hegseth’s Acquisition Transformation System (ATS) now frames this suspension as part of broader acquisition reform aimed at accelerating acquisitions, reducing unnecessary regulatory burdens, and expanding opportunities.

The CMMC program, finalized in October 2024 under 32 C.F.R. Part 170, was designed to replace a self-attestation model with third-party validation to verify contractors’ implementation of NIST SP 800-171 security controls. It rolled out in phases: Phase I began in September 2025, requiring basic self-assessments, while Phase II, originally set for November 2026, was to enforce full certification for CUI handlers. The program’s complexity and cost drew sharp criticism from industry, especially small and mid-sized contractors who argued that the compliance overhead threatened their viability. Secretary of Defense Pete Hegseth’s Acquisition Transformation System (ATS) now frames this suspension as part of broader acquisition reform aimed at accelerating acquisitions, reducing unnecessary regulatory burdens, and expanding opportunities.

The immediate effect for contractors is relief from the impending Phase II certification requirement. Defense firms that had been scrambling to achieve Level 2 third-party assessment readiness can now scale back those efforts, at least temporarily. However, the suspension does not relieve them of existing cybersecurity obligations. Contractors must still comply with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, which mandates safeguarding CUI and reporting cyber incidents, and with any CMMC Phase I requirements, including applicable self-assessments. In addition, DoD program managers may still designate Level 1 or Level 2 (Self) assessment requirements on individual contracts, meaning that some self-assessment burdens persist. Thus, the compliance landscape remains in a state of partial limbo.

The 60-day CMMC Reform Task Force, established concurrently with the suspension, will gather industry feedback through a Request for Information (RFI) focusing on readiness, cost drivers, and current control implementations. The RFI, to be conducted over the coming month, seeks to identify barriers to participation in the defense supply chain. The task force’s recommendations, due at the end of the 60-day period, will inform a potential revision of the CMMC framework. The department’s goal is to maintain strong cybersecurity while removing friction that has narrowed the pool of eligible contractors, a concern amplified by recent geopolitical tensions and the need to surge production.

What to Watch

The market impact is multi-layered. For defense primes and large contractors that heavily invested in CMMC compliance, the suspension may be a mixed bag: it eliminates the immediate certification expense but also creates uncertainty about the future standard. For small and mid-sized vendors, the news is a clear win, removing a barrier that could have locked them out of contracts. The suspension could swell the number of eligible bidders and restore competition, potentially lowering costs for the DoD. On the other hand, some industry observers worry that a prolonged pause might erode cybersecurity vigilance and increase the attack surface, especially since the underlying threat landscape remains intense. The suspension may also delay contract awards that were contingent on CMMC readiness, introducing near-term procurement friction.

Looking ahead, the outcome of the 60-day review is crucial. Possible scenarios range from a tweaked Phase II timeline to a complete overhaul of the certification model, perhaps adopting a more risk-based approach or leveraging continuous monitoring instead of point-in-time assessments. The RFI’s emphasis on cost drivers suggests that the DoD is seriously contemplating ways to reduce compliance expenses, possibly through subsidies or shared assessment resources. Industry legal advisors will need to monitor the rulemaking docket for any proposed changes to C.F.R. Part 170 or DFARS. In the meantime, contractors should not dismantle their cybersecurity programs; they should continue to adhere to NIST SP 800-171 controls, as these remain the baseline and may be referenced in any future framework. The suspension underscores that regulatory requirements in defense procurement can shift rapidly with leadership priorities, and agility in compliance planning is now a strategic necessity.

Timeline

Timeline

  1. CMMC Program Finalized

  2. Phase I Go-Live

  3. Phase II Suspension Announced

  4. CMMC Reform Task Force and RFI

  5. Original Phase II Transition (Suspended)

Sources

Sources

Based on 2 source articles

Cite This Page

"DoD Suspends CMMC Phase II: 60-Day Review and 30-Day RFI Signal Major Regulatory Shift." Legal & RegTech Intelligence Brief, July 15, 2026. https://getlegalbrief.com/story/dod-suspends-cmmc-phase-2-legal-review

How we covered this story

Every story in our legal coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.

Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the legal space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.

Sources are only linked to a story once they clear our classification pipeline at a minimum 35 percent relevance threshold. According to that methodology, reviewed July 2026, this follows multi-source corroboration standards recommended by journalism research bodies such as the Reuters Institute for the Study of Journalism.

See something wrong in this story — a wrong fact, a broken source link, a misattributed entity? Report a data issue.