Article
July 14, 2026
built to scale

CMMC phase II requirements suspended: Next steps for defense contractors

Table of Contents

Ready to learn more?
related insights

The Department of Defense has announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which had been scheduled to take effect on November 10, 2026. The Department is conducting a 60-day review of the program through a newly established CMMC Reform Task Force.

While the Phase II rollout is paused, Phase I self-assessment requirements remain in effect, and contractors and subcontractors remain responsible for safeguarding covered defense information under existing contractual requirements, including DFARS 252.204-7012.

What This Means for Defense Contractors

The suspension affects the planned transition to Phase II certification requirements and associated implementation milestones. However, cybersecurity obligations have not been suspended.

The Department has stated that compliance will continue to be enforced through self-assessments and select government-led assessments during the review period. Organizations that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) should continue maintaining cybersecurity controls, documentation, and evidence aligned with NIST SP 800-171.

The announcement should be viewed as a pause in certification rollout activities, not a pause in cybersecurity requirements.

Why Preparation Matters Now

Although the future structure of the CMMC program may change, contractors remain responsible for protecting covered defense information and demonstrating cybersecurity readiness.

Organizations that continue remediation efforts, maintain current documentation, and preserve evidence of control implementation will be better positioned to respond to future guidance and avoid disruptions if certification requirements resume in a revised form.

Steps Contractors Can Take Now

  1. Continue remediation activities for identified NIST SP 800-171 control gaps.
  2. Update System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), policies, and supporting evidence to reflect current implementation status.
  3. Confirm whether existing contracts include DFARS 252.204-7012 or other cybersecurity-related requirements.
  4. Maintain readiness for self-assessments and potential government-led assessments.
  5. Monitor Department guidance and any requests for industry feedback related to the CMMC Reform Task Force.
  6. Prioritize cybersecurity improvements that reduce operational risk and strengthen overall security posture.

We Can Help

The Elliott Davis Cybersecurity Advisory team can help organizations evaluate current compliance efforts, assess NIST SP 800-171 readiness, strengthen documentation and evidence programs, and prepare for future CMMC requirements as additional guidance becomes available.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.

authors

download the white paper

contact our team

contact our team

contact our team.