ARTICLE
16 July 2026

DoD Suspends CMMC Deadlines And Seeks To Reassess Requirements

GT
Greenberg Traurig, LLP

Contributor

Greenberg Traurig, LLP has more than 3,100 lawyers across 51 locations in the United States, Europe, the Middle East, Latin America, and Asia. The firm’s broad geographic and practice range enables the delivery of innovative and strategic legal services across borders and industries. Recognized as a 2025 BTI “Best of the Best Recommended Law Firm” by general counsel for trust and relationship management, Greenberg Traurig is consistently ranked among the top firms on the Am Law Global 100, NLJ 500, and Law360 400. Greenberg Traurig is also known for its philanthropic giving, culture, innovation, and pro bono work. Web: www.gtlaw.com.

The U.S. Department of Defense has suspended the November 2026 transition to CMMC Phase II, halting mandatory third-party Level 2 assessments for defense contractors.
United States Government, Public Sector
Eleanor M. Ross’s articles from Greenberg Traurig, LLP are most popular:
  • with readers working within the Aerospace & Defence and Retail & Leisure industries
Go-To Guide:
  • The U.S. Department of Defense (DoD) has suspended the November 2026 transition to Cybersecurity Maturity Model Certification (CMMC) Phase II, meaning contractors will not be required to achieve third-party Level 2 assessments while the suspension remains in place.
  • DoD has launched a 60-day review of the CMMC Program, including a Request for Information, aimed at reducing barriers to participation in the defense industrial base.
  • Contractors must still comply with cybersecurity controls established by the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and other applicable provisions. DoD Program Managers may still designate requirements for Level 1 or Level 2 (Self) assessments.

On July 13, 2026, the DoD released two memoranda announcing the immediate suspension of upcoming CMMC implementation deadlines, including the planned Nov. 10, 2026, transition to Phase II. That transition would have required contractors and subcontractors handling controlled unclassified information (CUI) to achieve Level 2 third-party assessments.

As covered in prior GT Alerts, the CMMC Program was finalized in October 2024 under 32 C.F.R. Part 170, and the program’s go-live date was set for September 2025. The transition to Phase II is now suspended with immediate effect for a limited period. During this time, DoD is establishing a 60-day CMMC Reform Task Force to conduct a program review. As part of that effort, DoD has issued a Request for Information (RFI) seeking “to gather detailed information about industry readiness, cost drivers, and current cybersecurity control implementation” over the next month. Recommendations are expected at the end of the review period.

Phase II Transition and Other CMMC Milestones Suspended

The CIO’s memo “Removing Barriers to Defense Industrial Base Expansion” appears to reflect DoD’s concern that the current CMMC Program is slowing down procurement objectives by imposing front-end costs that some defense contractors may be unable to absorb. According to the memorandum, the current version of CMMC imposes “significant and often prohibitive burdens” on defense contractors, and more specifically, on small businesses and non-traditional contractors who “are the engine of American innovation.” The second memo, “Implementing Department of War Chief Information Officer’s Suspension of the Advancement to Cybersecurity Maturation Model Certification Phase 2 Requirements,” signed by the Under Secretary of War for Acquisition and Sustainment, states that the temporary suspension is aligned with Pillar 3 of the Acquisition Transformation Strategy, which seeks to “maximiz[e] acquisition flexibility through reduced regulations and process.”

The July 13 memoranda suspended the phased implementation schedule, including the November 2026 deadline for DoD’s transition to Phase II of CMMC implementation, placing all pending and future CMMC implementation milestones “in abeyance until further notice.”

Baseline Cybersecurity Requirements Remain

While the memoranda do not clearly establish a new implementation timeline, the CIO and Under Secretary both reiterate that the interim suspension does not eliminate underlying cybersecurity obligations applicable to defense contractors.

  • DoD will continue to enforce baseline compliance with NIST SP 800-171 Rev. 2 controls through contractor self-assessments and select government-led assessments.
  • Requirements under FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” and DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” remain in effect.
  • DoD Program Managers may still include CMMC Level 1 or Level 2 self-assessment requirements in procurement requests, consistent with Phase I requirements. Where applicable, they may also “require additional cybersecurity protections as commensurate with law and regulation.”
  • Existing DoD cybersecurity support programs such as services provided through DoD’s Cyber Crime Center, the National Security Agency’s (NSA) Cybersecurity Collaboration Center, and Project Spectrum, will all remain available during the review period.

Where a solicitation requires CMMC Level 2 (C3PAO) or Level 3, the Under Secretary has directed the issuance of a solicitation amendment removing those requirements. For contracts or agreements already containing the suspended requirements, contracting officers are “directed to remove them via modification prior to the exercise of the next option period or during the next scheduled administrative modification.” As a result, contractors (and subcontractors) performing on existing contracts with CMMC requirements beyond Phase I, will need to continue meeting those requirements for some period of time.

Task Force to Initiate a Comprehensive Review of CMMC

A dedicated CMMC Reform Task Force will conduct a 60-day “top-to-bottom” review of the CMMC Program and deliver implementation recommendations. The task force will be responsible for examining DoD’s supply chain cybersecurity approach and alignment with DoD Secretary Pete Hegseth’s acquisition reform initiatives. These objectives include:

  • Prioritizing speed of capability;
  • Lowering barriers for small, medium-sized, and non-traditional businesses;
  • Evaluating alternatives to third-party compliance structures; and
  • Developing cybersecurity and operational resilience measures that DoD describes as scalable and realistic.

In support of this review, DoD has issued an RFI seeking industry feedback, including on compliance key cost drivers and administrative burdens, specific security controls and tangible outcomes, availability and use of commercial solutions, and recommendations for actionable policy reforms.

The RFI acknowledges there may be “duplicative overlaps in existing regulatory data requirements lack[ing] meaningful operational resilience guidance or requirements.” As previously covered, these may include competing requirements under the proposed FAR CUI Rule and CISA’s Cyber Incident Reporting for Critical Infrastructure Act.

Responses to the RFI are due on Aug. 14, 2026, and the task force is expected to issue recommendations based on industry feedback. During the review period, DoD will not grant waivers under the CMMC Program. Contractors (and subcontractors) must continue implementing baseline cybersecurity controls to safeguard federal contract information and CUI, and should consider monitoring solicitation or contract-specific modifications to determine the applicable scope of required security controls.

*Special thanks to Project Assistant Ema Amuial for contributing to this GT Alert.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More