The Department of War has officially paused the rollout of CMMC Phase II for 60 days, delaying certification requirements that were previously scheduled to begin on November 10, 2026.
If your organization is a defense contractor or subcontractor, this announcement is significant. However, it does not mean cybersecurity requirements have gone away.
Defense contractors must still comply with DFARS 252.204-7012, continue implementing NIST SP 800-171 Rev. 2 security controls, and protect Controlled Unclassified Information (CUI). The announcement pauses the certification rollout while the Department reviews the future of the CMMC program. It does not eliminate existing contractual cybersecurity obligations.
This guide explains exactly what happened, what changed, what stayed the same, and what defense contractors should do next.
Quick Answer
Has CMMC been canceled?
No. CMMC has not been canceled. The Department of War has paused the implementation of Phase II while it conducts a 60-day review of the certification program.
Do companies still need NIST SP 800-171?
Yes. Organizations that handle Controlled Unclassified Information (CUI) are still expected to implement NIST SP 800-171 security controls according to their contractual requirements.
Is DFARS still required?
Yes. DFARS 252.204-7012 remains in effect and continues to require defense contractors to protect covered defense information.
Should companies stop preparing for CMMC?
No. The pause creates additional time to strengthen your cybersecurity program, not a reason to delay security improvements.
Key Takeaways
- The Department of War paused CMMC Phase II for 60 days.
- The planned November 10, 2026 rollout has been suspended.
- CMMC has not been canceled.
- DFARS requirements remain in effect.
- NIST SP 800-171 requirements remain in effect.
- Organizations should continue improving cybersecurity and compliance documentation.
- A Department task force will review the future of CMMC and provide recommendations within 60 days.
What Happened to CMMC Phase II?
On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II implementation.
According to the Department, the goal is to review the certification program and determine how it can better support small, medium-sized, and non-traditional defense contractors while maintaining strong cybersecurity across the Defense Industrial Base (DIB).
The review is expected to take 60 days.
During that time, the Department will gather industry feedback and evaluate ways to reduce unnecessary compliance costs while maintaining appropriate cybersecurity standards.
Read the official Department announcement here
Why Did the Department Pause CMMC?
According to the announcement, Department leadership believes the existing certification model created unnecessary administrative burdens for many contractors.
Specifically, the Department cited:
- Rising compliance costs
- Limited assessment resources
- Barriers for small businesses
- Delays in bringing innovative companies into the Defense Industrial Base
- A desire to reduce bureaucracy while maintaining cybersecurity
Rather than eliminating cybersecurity requirements, the Department is reviewing whether the certification process itself can be improved.
Is CMMC Going Away?
No.
The announcement does not eliminate CMMC.
Instead, it pauses Phase II implementation while the Department reviews:
- Certification requirements
- Assessment processes
- Compliance costs
- Industry feedback
- Opportunities to simplify implementation
The Department has stated that it will provide recommendations after the 60-day review.
Until then, organizations should assume existing contractual cybersecurity obligations remain in place.
What Has Changed?
The biggest change is that organizations are no longer working toward the previously announced Phase II implementation date while the review is underway.
For companies preparing for a C3PAO assessment, this provides additional time to improve their cybersecurity program and documentation before future certification requirements are finalized.
What Has Not Changed?
This is where many organizations become confused.
Several critical cybersecurity requirements remain exactly the same.
Defense contractors are still responsible for:
- Protecting Controlled Unclassified Information (CUI)
- Meeting DFARS 252.204-7012 obligations
- Implementing NIST SP 800-171 Rev. 2 security controls
- Completing required self-assessments where applicable
- Maintaining security documentation
- Demonstrating cybersecurity maturity when required by contract
The certification timeline may have shifted, but the expectation to protect sensitive defense information has not.
CMMC Timeline
Date | Update |
July 13, 2026 | Department announces a 60-day pause of CMMC Phase II |
Next 60 Days | CMMC Reform Task Force reviews the certification program |
Future | Updated guidance and recommendations expected following the review |
Before vs. After the Announcement
Before | After |
Phase II scheduled for November 10, 2026 | Phase II paused |
Expanded certification rollout moving forward | Certification model under review |
NIST SP 800-171 required | Still required |
DFARS 252.204-7012 required | Still required |
Protect CUI | Still required |
What Should Defense Contractors Do Now?
The announcement should not change your cybersecurity roadmap.
Instead, it gives organizations additional time to strengthen their security posture before future certification requirements are finalized.
This is an excellent opportunity to:
Continue Implementing NIST SP 800-171
Focus on completing technical, administrative, and operational security controls.
Improve Documentation
Review and update your:
- System Security Plan (SSP)
- Plans of Action and Milestones (POA&M)
- Security policies
- Procedures
- Evidence collection
Good documentation often makes the difference between a smooth assessment and a difficult one.
Close Compliance Gaps
Identify controls that still need implementation and prioritize remediation efforts.
Prepare for Future Assessments
Whether certification requirements change or remain largely the same, organizations with mature cybersecurity programs will be better positioned for future assessments and contract opportunities.
Why This Pause Could Benefit Contractors
Many organizations have spent months trying to secure:
- Registered Practitioners
- Compliance consultants
- C3PAO assessments
- Internal compliance resources
Demand has significantly outpaced available resources.
This temporary pause allows organizations to be more deliberate instead of rushing through implementation simply to meet a deadline.
Companies that use this time wisely will likely enter future assessments with stronger security programs and better documentation.
What This Means for the Defense Industrial Base
The Department’s announcement signals an effort to balance cybersecurity with operational efficiency.
The goal appears to be maintaining strong protection for federal information while reducing unnecessary barriers that make it difficult for innovative businesses to participate in the Defense Industrial Base.
Exactly what changes will result from the review remains to be seen.
For now, organizations should continue building mature cybersecurity programs that align with current contractual requirements.
Final Thoughts
The CMMC Phase II pause is not a signal to stop preparing.
It is an opportunity to prepare more strategically.
Organizations that continue strengthening cybersecurity, improving documentation, and closing compliance gaps during this pause will be better positioned regardless of how the certification program evolves.
Whether future requirements look exactly the same or are revised following the Department’s review, one thing has not changed: protecting Controlled Unclassified Information remains a contractual responsibility for defense contractors.
If your organization is unsure how these changes affect your compliance roadmap, Charles IT can help you assess your current cybersecurity posture, identify gaps, and build a practical path toward CMMC and NIST SP 800-171 readiness.
Want to learn more about the recent CMMC Phase II pause and what it means for your organization? Contact our team to discuss how the latest changes may impact your compliance strategy and what steps you should take next.
Frequently Asked Questions
What is CMMC Phase II?
CMMC Phase II expands cybersecurity certification requirements for many defense contractors handling Controlled Unclassified Information (CUI). It was originally scheduled to begin rolling out in November 2026.
Why was CMMC Phase II paused?
The Department of War stated that it wants to review the program to reduce compliance costs, simplify implementation, and support small and medium-sized businesses while maintaining cybersecurity standards.
Has CMMC been canceled?
No. The certification rollout has been paused while the Department reviews the program.
Is NIST SP 800-171 still required?
Yes. Organizations that handle CUI should continue implementing NIST SP 800-171 according to contractual requirements.
Is DFARS still required?
Yes. DFARS 252.204-7012 remains in effect.
Does this affect CMMC Level 1?
The announcement specifically focuses on the Phase II rollout. Organizations should continue following applicable contractual requirements.
Do I still need a C3PAO assessment?
Expanded Phase II certification requirements are currently paused while the Department reviews the program. Future assessment requirements will depend on the outcome of that review
Should my company stop preparing?
No. Continue improving cybersecurity, implementing controls, documenting compliance, and strengthening your security program.
Can I still bid on DoD contracts?
Contract requirements vary. Organizations should carefully review solicitation language and continue meeting applicable cybersecurity obligations.
What happens after the 60-day review?
The Department’s CMMC Reform Task Force is expected to provide recommendations that could reshape future certification requirements.