ARTICLE
15 July 2026

DoW Pauses CMMC Third-Party Assessment Regime—Could This Be CMMC 3.0?

AG
Akin Gump Strauss Hauer & Feld LLP

Contributor

Akin is a law firm focused on providing extraordinary client service, a rewarding environment for our diverse workforce and exceptional legal representation irrespective of ability to pay. The deep transactional, litigation, regulatory and policy experience we bring to client engagements helps us craft innovative, effective solutions and strategies.
On July 13, 2026, the Department of War (DoW) announced the immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements that were originally scheduled to take effect on November 10, 2026.
United States Technology
Angela B. Styles’s articles from Akin Gump Strauss Hauer & Feld LLP are most popular:
  • in United States

On July 13, 2026, the Department of War (DoW) announced the immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements that were originally scheduled to take effect on November 10, 2026. Phase II is the stage of the CMMC rollout that would have made third-party assessments by certified CMMC Third-Party Assessment Organizations (C3PAOs) a condition of many contract awards. This announcement will be a relief to many in the defense industrial base.

Importantly, DoW made clear that all Phase I self-assessment requirements remain firmly in place, and that the action “does not eliminate the requirement for companies to protect federal data.” Contractors must continue to comply with applicable requirements for safeguarding Federal Contract Information and Covered Defense Information, including Federal Acquisition Regulation (FAR) 52.204-21 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. For contractors, the practical takeaway is that this is a pause in one verification mechanism and an indication that DoW leadership is sympathetic to contractors’ compliance cost burdens, but it is not a reprieve from the substantive cybersecurity obligations that the Department of Justice (DOJ) has been enforcing through the Civil Cyber-Fraud Initiative.

What the Pentagon Announced

Effective immediately, DoW has announced the following changes to the CMMC program:

  • Phase II is suspended. DoW has halted the planned November 10, 2026 transition to Phase II, which was expected to significantly expand the number of DoW solicitations and contracts subject to CMMC Level 2 third-party assessment requirements.
  • Future CMMC implementation milestones are on hold. DoW’s memorandum states that “all pending and future CMMC implementation milestones across DoW solicitations and contracts are held in abeyance until further notice.”
  • For now, acquisition officials are limited to self-assessment requirements. Program managers and requiring activities have been directed to include only CMMC Level 1 or Level 2 self-assessment requirements in procurement requests and requirements documents.
  • DoW is launching a 60-day review focused on reducing CMMC costs and burdens. A new CMMC Reform Task Force will conduct a “top-to-bottom” review of the program and consider industry feedback through a public request for information (RFI). DoW has cited “prohibitive compliance costs,” shortages in third-party assessment capacity, and barriers to small and nontraditional businesses as reasons for this review and has directed the Task Force to recommend more “scalable, realistic security measures.” The Task Force is expected to provide its recommendations to the DoW CIO within 60 days.
  • Underlying cybersecurity requirements remain in effect. Phase I self-assessment requirements remain in place. DoW will continue enforcing National Institute of Standards and Technology Special Publication (NIST SP) 800-171 Rev. 2 through self-assessments and selected government-led assessments, and DFARS 252.204-7012 remains in effect. DoW emphasized that the suspension “does not eliminate the requirement for companies to protect federal data.”

Suspension of Phase II Rollout May Heighten Supply Chain Risk for Some Contractors

Prior to the suspension, prime contractors could increasingly rely on CMMC certifications as objective evidence that their suppliers adequately protected sensitive government information, including Controlled Unclassified Information (CUI). With Phase II suspended, that independent validation is largely unavailable, and a supplier lacking adequate controls still presents contractual, operational and breach risk even if certification is no longer required. Instead, primes will need to rely more heavily on their own subcontractor risk management programs.

Expect Civil Cyber-Fraud Enforcement to Continue

Since DOJ launched the Civil Cyber-Fraud Initiative in October 2021—announcing that it would use the FCA and its treble damages and penalties to pursue knowing violations of cybersecurity obligations—cyber-fraud has become part of the “bread-and-butter” of DOJ’s FCA practice. DOJ has identified three categories of targeted misconduct: providing deficient cybersecurity products or services, misrepresenting cybersecurity practices or protocols and violating obligations to monitor and report cybersecurity incidents. The FCA’s qui tam provision allows whistleblowers to sue in the government’s name and share in recoveries, and DOJ has repeatedly noted that whistleblowers play an outsized role in cybersecurity fraud cases.

The administration has announced more cybersecurity fraud resolutions since taking office than in the entire prior administration combined and DOJ leadership has publicly professed its continued commitment to civil cyber-fraud enforcement. The majority of DOJ’s cyber-related settlements have involved the DoW cybersecurity requirements that predated CMMC and that remain in effect during the just-announced suspension of further steps in the CMMC rollout. As recently as June 2026, DOJ has announced resolutions with small defense contractors, as well as large ones, based on allegations that they failed to meet NIST SP 800-171 controls, submitted false Supplier Performance Risk System (SPRS) scores or otherwise mispresented their cybersecurity posture to the government.

Recommended Actions

Contractors should continue to treat cybersecurity compliance and the accuracy of their government-facing representations as live, priority obligations. In particular, contractors should:

  • Continue to implement and maintain the 110 NIST SP 800-171 Rev. 2 controls required by DFARS 252.204-7012 and preserve the incident-reporting and subcontractor flow-down disciplines the clause requires.
  • Continue to monitor all contracts for unchanged or new CUI security requirements – particularly under General Services Administration contracts and the new proposed Federal Acquisition Regulation CUI rule.
  • If preparing for a third-party assessment because of the November 2026 Phase II rollout, consider reevaluating the timing and expense of that assessment.
  • Ensure that SPRS scores and annual affirmations reflect the actual state of their implementation.
  • Close open items in plans of action and milestones (POA&Ms) and document remediation efforts in case of later cyber-fraud investigation.
  • Take internal complaints and whistleblower concerns seriously and manage them carefully as qui tam relators, often from within a company and even its cybersecurity component, remain drivers of government cyber-fraud enforcement.
  • Consult experienced counsel under privilege as to how to handle past non-compliance, including possible disclosure to DoW or DOJ.
  • Consider responding as industry participants to the forthcoming RFI to provide feedback on compliance costs, third-party assessment capacity and potential alternatives to the current certification model.

The bottom line is straightforward: further implementation of the CMMC third-party assessment requirement is paused, but the duty to be compliant, and to be accurate in representations to the government, remains. Contractors who maintain rigorous compliance and truthful certifications will be best positioned to weather continued FCA enforcement and very likely better positioned to compete as DoW reshapes CMMC over the coming months.

Akin’s Government Contracts; Cybersecurity, Privacy and Data Protection; and False Claims Act teams are available to assist with compliance counseling, risk assessments, internal investigations, and enforcement matters.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More