07/14/2026 | Press release | Distributed by Public on 07/15/2026 12:01
The Department of Defense (DoD) has announced the immediate suspension of Phase II of the Cybersecurity Maturity Model Certification (CMMC) program and has launched a comprehensive review of the certification framework. Importantly, this is not a suspension of the requirements for protecting Controlled Unclassified Information (CUI) under DFARS 252.204-7012.
Under the announcement, DoD will continue to enforce Phase I requirements, including self-assessments and annual affirmations of compliance, while evaluating whether and how the broader CMMC program should continue. For defense contractors, the suspension alleviates the near-term burden of obtaining third-party CMMC certifications but leaves in place the existing obligation to self-assess and report compliance. False statements in these reports will continue to expose contractors to liability under the False Claims Act in lawsuits filed by the government and qui tam relators (whistleblowers who file False Claims Act complaints on the government's behalf and can share in the recovery proceeds).
After years of false starts, CMMC Phase I became effective in November 2025. Phase I, which mirrors prior DFARS requirements, requires applicable contractors to conduct self-assessments and report compliance scores through the Supplier Performance Risk System (SPRS). It also allows contracting officers to require ad hoc Level 2 Certified Third-Party Assessment Organization (C3PAO) assessments. Phase II, scheduled to begin on Nov. 10, 2026, would have required mandatory Level 2 C3PAO assessments for most defense contractors handling CUI. Small and medium-sized defense contractors raised serious concerns about assessment costs and burden and lobbied the DoD to walk back requirements.
On July 13, DoD announced that it was suspending Phase II and launching a 60-day review of the program. According to DoD, concerns about compliance costs, assessment capacity and barriers to participation in the defense industrial base contributed to the decision. DoD stated that it will continue to rely on self-assessments and selected government-led assessments while the review is ongoing. DoD has invited comments from industry.
For now, defense contractors will not be required to obtain the third-party certifications that would have been required under Phase II. The DoD has directed that any C3PAO requirements included in pending solicitations be promptly removed through amendments and that any requirements appearing in current contracts be removed through contract modifications. The planned rollout of broader C3PAO assessment requirements has been paused.
However, the suspension should not be mistaken as eliminating contractors' cybersecurity obligations. Contractors that process, store or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) remain responsible for meeting existing contractual cybersecurity requirements, such as FAR 52.204-21 and DFARS 252.204-7012. Phase I remains in effect.
If you handle FCI (as most contractors do), you are still subject to CMMC Level 1 requirements, including annual self-assessments against the applicable safeguarding controls and compliance affirmations. If you handle CUI, then you remain responsible for implementing the security requirements associated with CMMC Level 2, which are based on the 110 security controls in NIST SP 800-171. Under Phase 1, organizations generally must:
In short, contractors may have gained relief from third-party certification deadlines, but they have not been relieved of their underlying cybersecurity obligations.
Indeed, the suspension of Phase II may increase the significance of self-assessments because the government will be relying more heavily on contractor representations regarding cybersecurity compliance. The DoD announcement emphasized that it is not suspending contractors' underlying cybersecurity obligations.
The Department of Justice has made cybersecurity enforcement a priority through the Civil Cyber-Fraud Initiative, which focuses on situations where contractors allegedly misrepresent compliance with cybersecurity requirements or fail to adequately protect sensitive government information. While the CMMC framework continues to evolve, existing contract requirements under DFARS 252.204-7012, NIST SP 800-171 and related representations remain enforceable.
Contractors should pay particular attention to the following issues:
Overstated SPRS Scores. Companies that submit assessment scores that do not accurately reflect implementation of required controls may face allegations that they knowingly misrepresented their compliance posture.
Unsupported Annual Affirmations. Annual affirmations of compliance should not be viewed as administrative exercises. They should be supported by documented evidence demonstrating control implementation and operational effectiveness. Contractors should be prepared to substantiate their assertions if challenged.
Inaccurate SSPs. SSPs frequently become outdated or fail to accurately describe operational environments. An SSP that materially differs from reality can become evidence supporting allegations that compliance representations were misleading.
Failure To Close Known Gaps. Many organizations maintain Plans of Action and Milestones. Contractors should ensure that known deficiencies are properly documented, tracked and remediated in accordance with applicable requirements rather than ignored or informally accepted.
Executive Certifications Without Adequate Diligence. As compliance affirmations increasingly become management-level decisions, executives should ensure they have a reasonable basis for representations submitted to the government.
DoD's suspension of Phase II creates an opportunity for contractors to reassess their cybersecurity compliance programs before additional certification requirements potentially return.
Organizations should consider:
The suspension of CMMC Phase II removes the immediate requirement for contractors to obtain third-party Level 2 certifications. It does not eliminate existing cybersecurity obligations or the requirement to perform self-assessments and make compliance affirmations. Contractors handling CUI remain responsible for implementing NIST SP 800-171 controls, maintaining supporting documentation and accurately representing their compliance status. It also does not necessarily change the cybersecurity expectation of higher-tiered contractors, which are free to continue to impose obligations on their supply chains.
From an organizational perspective, the principal risk may be shifting from pre-award screening to post-award enforcement. The assessment process would have barred entry for contractors that failed to meet third-party assessment requirements. With DoD's return to a self-assessment framework, more contractors will remain eligible for DoD awards and false representations will be addressed through post-award enforcement under the False Claims Act and the Department of Justice's cyber-fraud enforcement initiatives.