- with readers working within the Media & Information industries
- within Insolvency/Bankruptcy/Re-Structuring and Cannabis & Hemp topic(s)
On July 13, 2026, the Department of War (“DoW”) dropped a major announcement regarding the Cybersecurity Maturity Model Certification (“CMMC”) program via a press release, Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements (the “Release”) (see our past blogs here and here for background on CMMC). The Release announced that DoW is immediately suspending the Phase II requirements for CMMC (originally scheduled to be effective November 10, 2026) as well as all pending and future CMMC implementation milestones across DoW solicitations/contracts. As a reminder, Phase II incorporated the Level 2 (C3PAO) requirement in applicable solicitations/contracts as a condition of award.
Review of CMMC
The Release further stated that DoW will begin a “comprehensive review of CMMC” with the goals of “aligning with Secretary of War Pete Hegseth’s Acquisition Transformation System (ATS) directives prioritizing speed to capability, lowering barriers for small, medium, and non-traditional businesses, and replacing bureaucratic compliance with scalable, resilient cybersecurity measures.” The Release continued to critique CMMC, stating that while the aim of the program was to enhance Defense Industrial Base (“DIB”) cybersecurity, instead, “it has created prohibitive compliance costs and bureaucratic burdens” citing Small Business Administration (“SBA”) data that “CMMC compliance is forcing innovative companies out of the [DIB] which will delay the delivery of critical capabilities to the warfighters.”
The DoW further announced and initiated a 60-day study of the “future” of the CMMC program. This includes a new CMMC Reform Task Force, reporting to the DoW Chief Information Officer (“CIO”), which will “conduct a comprehensive top-to-bottom review of the certification program.” The Task Force will serve as the central hub for industry feedback.
The DoW also published a Request for Information (“RFI”), Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base (DIB). The RFI “seeks direct feedback from DIB companies on practical strategies to inform the newly established CMMC Reform Task Force during its review.” Specifically, the RFI requests feedback on the following themes:
- Protecting federal data and uplifting operational resilience against cyber-attacks while also reducing compliance costs and administrative burdens; and
- Ideas such as DIB usage of existing commercial cybersecurity capabilities, leveraging and optimizing self-attestation capabilities, and streamlining cybersecurity compliance.
The RFI details seven specific questions for DIB feedback, in line with the above themes. All responses to the RFI are due by 12pm ET on Friday, August 14, 2026. Responses will be accepted via electronic means only to: whs.mc-alex.ad.mbx.eosd-psb-branch-mailbox@mail.mil and leanne.m.condren.civ@mail.mil.
DoW Memos
Along with the Release and RFI, the DoW published two memos: (1) Removing Barriers to Defense Industrial Base Expansion: Immediate Suspension and Strategic Review of Cybersecurity Maturity Model Certification Requirements (“CMMC Suspension Memo”), and (2) Implementing Department of War Chief Information Officer’s Suspension of the Advancement to Cybersecurity Maturity Model Certification Phase 2 Requirements (“CMMC Suspension Implementation Memo”).
The CMMC Suspension Memo emphasizes that the CMMC program is “structurally incompatible” with the DoW need to continue to “rapidly expand the DIB.” The Memo references SBA data that demonstrates that (1) prohibitive compliance costs, (2) severe shortages of C3PAO capacity, and (3) complex regulatory timelines are forcing small businesses and new businesses to opt out of DoW contracts subject to CMMC. The Memo directed three immediate actions: (1) suspension of the November 2026 Phase II transition deadline, as well as holding all pending and future CMMC deadlines in abeyance until further notice, (2) Task Force (detailed above) to conduct a 60-day review, with the goal to provide recommendations for a reformed framework, and (3) DoW shall continue to enforce baseline cybersecurity compliance (e.g., NIST SP 800-171 Rev. 2, DIB self-assessments and select government-led assessments, DFARS 252.204-7012).
The CMMC Suspension Implementation Memo articulates DoW implementation directives for the suspension of CMMC. The Memo specifies that DoW program offices/requiring activities are permitted only to include Level 1 (self) or Level 2 (self) requirements in contracts/solicitations. Further, program offices/requiring activities are directed to initiate amendments to active solicitations that include Level 2 (C3PAO) or Level 3 (DIBCAC) requirements. The amendment must explicitly remove these requirements and the contracting officer must issue a corresponding solicitation amendment as soon as practicable. For active contracts with these requirements, contracting officers must remove the requirements via modification “prior to the exercise of the next option period or during the next scheduled administrative modification.” Lastly, the CMMC waiver procedures are suspended pending the 60-day review of the program.
Current Status of CMMC
Note that the suspension has no effect on CMMC Phase I, which has been in effect since November 10, 2025. Phase I incorporated Level 1 (self) and Level 2 (self) requirements in applicable solicitations/contracts as a condition of award, as well as Level 2 (C3PAO) requirements at the DoW’s discretion.
Below is a summary table of the CMMC phases as well as the current status (as of July 13, 2026, pending DoW’s 60-day review) of each phase:
|
Phase |
Start Date |
Impact |
Status as of July 13, 2026 |
|
Phase 1 |
November 10, 2025 |
Inclusion of Level 1 (self) or Level 2 (self) requirement in applicable solicitations/contracts (as a condition of award), as well as Level 2 C3PAO certifications at DoW discretion |
Effective |
|
Phase 2 |
One calendar year after Phase 1 begins. |
Level 2 C3PAO requirement in applicable solicitations/contracts (as a condition of award). |
Suspended |
|
Phase 3 |
One calendar year after Phase 2 begins. |
Level 2 C3PAO as a condition for exercising option periods; and Level 3 (DIBCAC) requirement for all applicable solicitations/contracts (as a condition of award). |
Suspended |
|
Phase 4 |
One calendar year after Phase 3 begins. |
Full implementation of the CMMC requirements in all applicable solicitations and contracts, including option periods. |
Suspended |
This is a major announcement that very likely means that CMMC as we know it will be changing. Contractors should continue to treat contractual requirements (including CMMC Level 1 (self) and Level 2 (self)) and baseline cybersecurity obligations as fully in force. It is also worth considering a submission in response to the RFI.
Sheppard’s Governmental Cybersecurity and Data Protection team is closely following the CMMC suspension and related developments and will continue to provide updates as they become available.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]