ARTICLE
15 July 2026

DoW Hits Pause On CMMC: What Contractors Need To Know Now

SM
Sheppard, Mullin, Richter & Hampton LLP

Contributor

Businesses turn to Sheppard to deliver sophisticated counsel to help clients move ahead. With more than 1,200 lawyers located in 16 offices worldwide, our client-centered approach is grounded in nearly a century of building enduring relationships on trust and collaboration. Our broad and diversified practices serve global clients—from startups to Fortune 500 companies—at every stage of the business cycle, including high-stakes litigation, complex transactions, sophisticated financings and regulatory issues. With leading edge technologies and innovation behind our team, we pride ourselves on being a strategic partner to our clients.
On July 13, 2026, the Department of War (“DoW”) dropped a major announcement regarding the Cybersecurity Maturity Model Certification (“CMMC”) program via a press release...
United States Government, Public Sector
Townsend L. Bourne’s articles from Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • with readers working within the Media & Information industries
Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • within Insolvency/Bankruptcy/Re-Structuring and Cannabis & Hemp topic(s)

On July 13, 2026, the Department of War (“DoW”) dropped a major announcement regarding the Cybersecurity Maturity Model Certification (“CMMC”) program via a press releaseForging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements (the “Release”) (see our past blogs here and here for background on CMMC)The Release announced that DoW is immediately suspending the Phase II requirements for CMMC (originally scheduled to be effective November 10, 2026) as well as all pending and future CMMC implementation milestones across DoW solicitations/contracts. As a reminder, Phase II incorporated the Level 2 (C3PAO) requirement in applicable solicitations/contracts as a condition of award.

Review of CMMC

The Release further stated that DoW will begin a “comprehensive review of CMMC” with the goals of “aligning with Secretary of War Pete Hegseth’s Acquisition Transformation System (ATS) directives prioritizing speed to capability, lowering barriers for small, medium, and non-traditional businesses, and replacing bureaucratic compliance with scalable, resilient cybersecurity measures.” The Release continued to critique CMMC, stating that while the aim of the program was to enhance Defense Industrial Base (“DIB”) cybersecurity, instead, “it has created prohibitive compliance costs and bureaucratic burdens” citing Small Business Administration (“SBA”) data that “CMMC compliance is forcing innovative companies out of the [DIB] which will delay the delivery of critical capabilities to the warfighters.”

The DoW further announced and initiated a 60-day study of the “future” of the CMMC program. This includes a new CMMC Reform Task Force, reporting to the DoW Chief Information Officer (“CIO”), which will “conduct a comprehensive top-to-bottom review of the certification program.” The Task Force will serve as the central hub for industry feedback.

The DoW also published a Request for Information (“RFI”), Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base (DIB). The RFI “seeks direct feedback from DIB companies on practical strategies to inform the newly established CMMC Reform Task Force during its review.” Specifically, the RFI requests feedback on the following themes:

  • Protecting federal data and uplifting operational resilience against cyber-attacks while also reducing compliance costs and administrative burdens; and
  • Ideas such as DIB usage of existing commercial cybersecurity capabilities, leveraging and optimizing self-attestation capabilities, and streamlining cybersecurity compliance.

The RFI details seven specific questions for DIB feedback, in line with the above themes. All responses to the RFI are due by 12pm ET on Friday, August 14, 2026. Responses will be accepted via electronic means only to: whs.mc-alex.ad.mbx.eosd-psb-branch-mailbox@mail.mil and leanne.m.condren.civ@mail.mil.

DoW Memos

Along with the Release and RFI, the DoW published two memos: (1) Removing Barriers to Defense Industrial Base Expansion: Immediate Suspension and Strategic Review of Cybersecurity Maturity Model Certification Requirements (“CMMC Suspension Memo”), and (2) Implementing Department of War Chief Information Officer’s Suspension of the Advancement to Cybersecurity Maturity Model Certification Phase 2 Requirements (“CMMC Suspension Implementation Memo”).

The CMMC Suspension Memo emphasizes that the CMMC program is “structurally incompatible” with the DoW need to continue to “rapidly expand the DIB.” The Memo references SBA data that demonstrates that (1) prohibitive compliance costs, (2) severe shortages of C3PAO capacity, and (3) complex regulatory timelines are forcing small businesses and new businesses to opt out of DoW contracts subject to CMMC. The Memo directed three immediate actions: (1) suspension of the November 2026 Phase II transition deadline, as well as holding all pending and future CMMC deadlines in abeyance until further notice, (2) Task Force (detailed above) to conduct a 60-day review, with the goal to provide recommendations for a reformed framework, and (3) DoW shall continue to enforce baseline cybersecurity compliance (e.g., NIST SP 800-171 Rev. 2, DIB self-assessments and select government-led assessments, DFARS 252.204-7012).

The CMMC Suspension Implementation Memo articulates DoW implementation directives for the suspension of CMMC. The Memo specifies that DoW program offices/requiring activities are permitted only to include Level 1 (self) or Level 2 (self) requirements in contracts/solicitations. Further, program offices/requiring activities are directed to initiate amendments to active solicitations that include Level 2 (C3PAO) or Level 3 (DIBCAC) requirements. The amendment must explicitly remove these requirements and the contracting officer must issue a corresponding solicitation amendment as soon as practicable. For active contracts with these requirements, contracting officers must remove the requirements via modification “prior to the exercise of the next option period or during the next scheduled administrative modification.” Lastly, the CMMC waiver procedures are suspended pending the 60-day review of the program.

Current Status of CMMC

Note that the suspension has no effect on CMMC Phase I, which has been in effect since November 10, 2025. Phase I incorporated Level 1 (self) and Level 2 (self) requirements in applicable solicitations/contracts as a condition of award, as well as Level 2 (C3PAO) requirements at the DoW’s discretion.

Below is a summary table of the CMMC phases as well as the current status (as of July 13, 2026, pending DoW’s 60-day review) of each phase:

Phase

Start Date

Impact

Status as of

July 13, 2026

Phase 1

November 10, 2025

Inclusion of Level 1 (self) or Level 2 (self) requirement in applicable solicitations/contracts (as a condition of award), as well as Level 2 C3PAO certifications at DoW discretion

Effective

Phase 2

One calendar year after Phase 1 begins.

Level 2 C3PAO requirement in applicable solicitations/contracts (as a condition of award).

Suspended

Phase 3

One calendar year after Phase 2 begins.

Level 2 C3PAO as a condition for exercising option periods; and Level 3 (DIBCAC) requirement for all applicable solicitations/contracts (as a condition of award).

Suspended

Phase 4

One calendar year after Phase 3 begins.

Full implementation of the CMMC requirements in all applicable solicitations and contracts, including option periods.

Suspended

This is a major announcement that very likely means that CMMC as we know it will be changing. Contractors should continue to treat contractual requirements (including CMMC Level 1 (self) and Level 2 (self)) and baseline cybersecurity obligations as fully in force. It is also worth considering a submission in response to the RFI.

Sheppard’s Governmental Cybersecurity and Data Protection team is closely following the CMMC suspension and related developments and will continue to provide updates as they become available. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More