CMMC Phase II Paused: What the 60-Day Delay Means for Defense Contractors

CMMC Phase II Paused: What the 60-Day Delay Means for Defense Contractors

The Department of War has officially paused the rollout of CMMC Phase II for 60 days, delaying certification requirements that were previously scheduled to begin on November 10, 2026. 

If your organization is a defense contractor or subcontractor, this announcement is significant. However, it does not mean cybersecurity requirements have gone away. 

Defense contractors must still comply with DFARS 252.204-7012, continue implementing NIST SP 800-171 Rev. 2 security controls, and protect Controlled Unclassified Information (CUI). The announcement pauses the certification rollout while the Department reviews the future of the CMMC program. It does not eliminate existing contractual cybersecurity obligations. 

This guide explains exactly what happened, what changed, what stayed the same, and what defense contractors should do next. 

 Quick Answer 

Has CMMC been canceled? 

No. CMMC has not been canceled. The Department of War has paused the implementation of Phase II while it conducts a 60-day review of the certification program. 

Do companies still need NIST SP 800-171? 

Yes. Organizations that handle Controlled Unclassified Information (CUI) are still expected to implement NIST SP 800-171 security controls according to their contractual requirements. 

Is DFARS still required? 

Yes. DFARS 252.204-7012 remains in effect and continues to require defense contractors to protect covered defense information. 

Should companies stop preparing for CMMC? 

No. The pause creates additional time to strengthen your cybersecurity program, not a reason to delay security improvements. 

Key Takeaways 

  • The Department of War paused CMMC Phase II for 60 days.  
  • The planned November 10, 2026 rollout has been suspended.  
  • CMMC has not been canceled.  
  • DFARS requirements remain in effect.  
  • NIST SP 800-171 requirements remain in effect.  
  • Organizations should continue improving cybersecurity and compliance documentation.  
  • A Department task force will review the future of CMMC and provide recommendations within 60 days.  

What Happened to CMMC Phase II? 

On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II implementation. 

According to the Department, the goal is to review the certification program and determine how it can better support small, medium-sized, and non-traditional defense contractors while maintaining strong cybersecurity across the Defense Industrial Base (DIB). 

The review is expected to take 60 days. 

During that time, the Department will gather industry feedback and evaluate ways to reduce unnecessary compliance costs while maintaining appropriate cybersecurity standards. 

Read the official Department announcement here

 Why Did the Department Pause CMMC? 

According to the announcement, Department leadership believes the existing certification model created unnecessary administrative burdens for many contractors. 

Specifically, the Department cited: 

  • Rising compliance costs  
  • Limited assessment resources  
  • Barriers for small businesses  
  • Delays in bringing innovative companies into the Defense Industrial Base  
  • A desire to reduce bureaucracy while maintaining cybersecurity  

Rather than eliminating cybersecurity requirements, the Department is reviewing whether the certification process itself can be improved. 

Is CMMC Going Away? 

No. 

The announcement does not eliminate CMMC. 

Instead, it pauses Phase II implementation while the Department reviews: 

  • Certification requirements  
  • Assessment processes  
  • Compliance costs  
  • Industry feedback  
  • Opportunities to simplify implementation  

The Department has stated that it will provide recommendations after the 60-day review. 

Until then, organizations should assume existing contractual cybersecurity obligations remain in place. 

What Has Changed? 

The biggest change is that organizations are no longer working toward the previously announced Phase II implementation date while the review is underway. 

For companies preparing for a C3PAO assessment, this provides additional time to improve their cybersecurity program and documentation before future certification requirements are finalized. 

What Has Not Changed? 

This is where many organizations become confused. 

Several critical cybersecurity requirements remain exactly the same. 

Defense contractors are still responsible for: 

  • Protecting Controlled Unclassified Information (CUI)  
  • Meeting DFARS 252.204-7012 obligations  
  • Implementing NIST SP 800-171 Rev. 2 security controls  
  • Completing required self-assessments where applicable  
  • Maintaining security documentation  
  • Demonstrating cybersecurity maturity when required by contract  

The certification timeline may have shifted, but the expectation to protect sensitive defense information has not. 

CMMC Timeline 

Date 

Update 

July 13, 2026 

Department announces a 60-day pause of CMMC Phase II 

Next 60 Days 

CMMC Reform Task Force reviews the certification program 

Future 

Updated guidance and recommendations expected following the review 

 

Before vs. After the Announcement 

Before 

After 

Phase II scheduled for November 10, 2026 

Phase II paused 

Expanded certification rollout moving forward 

Certification model under review 

NIST SP 800-171 required 

Still required 

DFARS 252.204-7012 required 

Still required 

Protect CUI 

Still required 

 

What Should Defense Contractors Do Now? 

The announcement should not change your cybersecurity roadmap. 

Instead, it gives organizations additional time to strengthen their security posture before future certification requirements are finalized. 

This is an excellent opportunity to: 

Continue Implementing NIST SP 800-171 

Focus on completing technical, administrative, and operational security controls. 

Improve Documentation 

Review and update your: 

  • System Security Plan (SSP)  
  • Plans of Action and Milestones (POA&M)  
  • Security policies  
  • Procedures  
  • Evidence collection  

Good documentation often makes the difference between a smooth assessment and a difficult one. 

Close Compliance Gaps 

Identify controls that still need implementation and prioritize remediation efforts. 

Prepare for Future Assessments 

Whether certification requirements change or remain largely the same, organizations with mature cybersecurity programs will be better positioned for future assessments and contract opportunities. 

Why This Pause Could Benefit Contractors 

Many organizations have spent months trying to secure: 

  • Registered Practitioners  
  • Compliance consultants  
  • C3PAO assessments  
  • Internal compliance resources  

Demand has significantly outpaced available resources. 

This temporary pause allows organizations to be more deliberate instead of rushing through implementation simply to meet a deadline. 

Companies that use this time wisely will likely enter future assessments with stronger security programs and better documentation. 

What This Means for the Defense Industrial Base 

The Department’s announcement signals an effort to balance cybersecurity with operational efficiency. 

The goal appears to be maintaining strong protection for federal information while reducing unnecessary barriers that make it difficult for innovative businesses to participate in the Defense Industrial Base. 

Exactly what changes will result from the review remains to be seen. 

For now, organizations should continue building mature cybersecurity programs that align with current contractual requirements. 

Final Thoughts 

The CMMC Phase II pause is not a signal to stop preparing. 

It is an opportunity to prepare more strategically. 

Organizations that continue strengthening cybersecurity, improving documentation, and closing compliance gaps during this pause will be better positioned regardless of how the certification program evolves. 

Whether future requirements look exactly the same or are revised following the Department’s review, one thing has not changed: protecting Controlled Unclassified Information remains a contractual responsibility for defense contractors. 

If your organization is unsure how these changes affect your compliance roadmap, Charles IT can help you assess your current cybersecurity posture, identify gaps, and build a practical path toward CMMC and NIST SP 800-171 readiness. 

Want to learn more about the recent CMMC Phase II pause and what it means for your organization? Contact our team to discuss how the latest changes may impact your compliance strategy and what steps you should take next.

Frequently Asked Questions

What is CMMC Phase II? 

CMMC Phase II expands cybersecurity certification requirements for many defense contractors handling Controlled Unclassified Information (CUI). It was originally scheduled to begin rolling out in November 2026.

The Department of War stated that it wants to review the program to reduce compliance costs, simplify implementation, and support small and medium-sized businesses while maintaining cybersecurity standards. 

No. The certification rollout has been paused while the Department reviews the program. 

Yes. Organizations that handle CUI should continue implementing NIST SP 800-171 according to contractual requirements. 

Yes. DFARS 252.204-7012 remains in effect. 

The announcement specifically focuses on the Phase II rollout. Organizations should continue following applicable contractual requirements. 

Expanded Phase II certification requirements are currently paused while the Department reviews the program. Future assessment requirements will depend on the outcome of that review

No. Continue improving cybersecurity, implementing controls, documenting compliance, and strengthening your security program. 

Contract requirements vary. Organizations should carefully review solicitation language and continue meeting applicable cybersecurity obligations. 

The Department’s CMMC Reform Task Force is expected to provide recommendations that could reshape future certification requirements. 

CMMC Certifications

CMMC: Everything You Need to Know