- within Cannabis & Hemp and Strategy topic(s)
On July 13, 2026, the U.S. Department of Defenser (DOD) temporarily suspended Cybersecurity Maturity Model Certification (CMMC) Phase II requirements — originally scheduled to take effect on November 10, 2026 — pending a review by the CMMC Reform Task Force. (Our September 2025 Advisory detailed the CMMC phases and other CMMC program requirements.) DOD suspended CMMC Phase II due to concerns about “prohibitive compliance costs, severe shortages in third-party assessment capacity, and complex regulatory timelines” as well as reports from the Small Business Administration indicating “that the current CMMC program is structurally incompatible with our need to rapidly expand the DIB [Defense Industrial Base].”
Pursuant to the DOD memorandum:
- The CMMC Phase II transition is suspended, and “all pending and future CMMC implementation milestones across DoW solicitations and contracts are held in abeyance until further notice.”
- Although the CMMC Defense Federal Acquisition Regulation Supplement (DFARS) Program Rule gave DOD discretion to require CMMC Level 2 C3PAO certification assessments during Phase I, the memorandum instructs that “Program Managers and requiring activities shall only include the need for CMMC Level 1 or Level 2 Self Assessments in procurement request and requirement documents.” DOD guidance makes clear that “Program Managers and requiring activities may not designate CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) assessments during this period.”
- DOD is establishing the CMMC Reform Task Force “to conduct a top-to-bottom 60-day review of the certification program.” The Task Force will “provide recommendations for a reformed cybersecurity and operational resilience framework that prioritizes speed to capability, lowers barriers for small, medium, and non-traditional businesses, and replaces prohibitive third-party compliance models with scalable, realistic security measures.”
DOD’s decision to temporarily suspend CMMC Phase II does not affect DOD contractors’ foundational cybersecurity obligations. The information safeguarding requirements in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, remain in effect as do the CMMC Level 1 and Level 2 self-assessment Phase I requirements in DFARS 252.204-7021. Thus, DOD contractors must continue to comply with National Institute of Standards and Technology Special Publication 800-171 Rev 2 and cloud security requirements, cyber incident reporting obligations, and other directives. DOD will also continue its efforts to “enforce cybersecurity compliance with the NIST SP 800-171 Rev 2 standard through self-assessments and select government-led assessments, focusing on tangible cyber hygiene.”
What’s Next
- DOD will collect information through a Request for Information (RFI), and industry members interested in providing input can submit responses to the RFI by August 14, 2026.
- For active solicitations that require CMMC Level 2 (C3PAO) or CMMC Level 3 status, DOD must issue amendments “explicitly removing those requirements.”
- For active contracts that require CMMC Level 2 (C3PAO) or CMMC Level 3 status, DOD must modify the contracts to remove those requirements “prior to the exercise of the next option period or during the next scheduled administrative modification.”
- DOD contractors should continue to exercise vigilance both in complying with existing DFARS requirements and in monitoring new proposed information security and supply chain requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]