


The Department of Defense has announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which had been scheduled to take effect on November 10, 2026. The Department is conducting a 60-day review of the program through a newly established CMMC Reform Task Force.
While the Phase II rollout is paused, Phase I self-assessment requirements remain in effect, and contractors and subcontractors remain responsible for safeguarding covered defense information under existing contractual requirements, including DFARS 252.204-7012.
The suspension affects the planned transition to Phase II certification requirements and associated implementation milestones. However, cybersecurity obligations have not been suspended.
The Department has stated that compliance will continue to be enforced through self-assessments and select government-led assessments during the review period. Organizations that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) should continue maintaining cybersecurity controls, documentation, and evidence aligned with NIST SP 800-171.
The announcement should be viewed as a pause in certification rollout activities, not a pause in cybersecurity requirements.
Although the future structure of the CMMC program may change, contractors remain responsible for protecting covered defense information and demonstrating cybersecurity readiness.
Organizations that continue remediation efforts, maintain current documentation, and preserve evidence of control implementation will be better positioned to respond to future guidance and avoid disruptions if certification requirements resume in a revised form.
The Elliott Davis Cybersecurity Advisory team can help organizations evaluate current compliance efforts, assess NIST SP 800-171 readiness, strengthen documentation and evidence programs, and prepare for future CMMC requirements as additional guidance becomes available.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.