CMMC Isn’t Dead. But the Rules Just Changed.
For years, I’ve been telling business leaders that cybersecurity isn’t optional if you’re doing business with the federal government. In light of the recent CMMC Phase II Requirement Suspended announcement, it’s more important than ever to stay informed. Whether you’re a prime contractor or a subcontractor, protecting sensitive government information isn’t just a best practiceโit’s a requirement.
That’s why the Department of War’s announcement on July 13, 2026, caught the attention of the entire Defense Industrial Base. The department suspended the implementation of CMMC Phase II requirements and launched a comprehensive review of the Cybersecurity Maturity Model Certification (CMMC) program. Before anyone starts celebrating or assumes cybersecurity requirements have disappeared, let’s talk about what actually happened and what it means for organizations that want to continue doing business with the federal government.
What Happened?
The Department of War announced the immediate suspension of CMMC Phase II requirements, which were scheduled to become effective on November 10, 2026. At the same time, it created a CMMC Review and Reform Task Force to examine the program and recommend changes. The stated goal is to reduce barriers to entry for small, medium-sized, and non-traditional defense contractors while maintaining an acceptable cybersecurity baseline.
This decision does not eliminate CMMC altogether. It pauses the next phase of implementation while leadership reevaluates how cybersecurity compliance is validated throughout the defense supply chain.
What Changed?
The biggest change is that organizations that were preparing for mandatory Phase II certification requirements now find themselves in a holding pattern.
Under the original roadmap, many contractors handling Controlled Unclassified Information (CUI) would eventually need third-party assessments and certifications to demonstrate compliance. That implementation has now been suspended pending review. The department has indicated it wants to identify ways to reduce compliance complexity and lower the cost of participation for defense contractors.
In simple terms, the government hit the pause button on additional certification requirementsโnot on cybersecurity itself.
What Remains in Effect?
This is the part many businesses are overlooking.
The cybersecurity requirements have not gone away.
Phase I self-assessment requirements remain in force. Contractors are still expected to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Organizations handling CUI are still expected to comply with NIST SP 800-171 requirements, and the government can still validate cybersecurity compliance through self-assessments and selected government-led reviews. Existing DFARS cybersecurity obligations also remain unchanged.
If your organization stopped investing in cybersecurity because you heard “CMMC was suspended,” you’re misunderstanding the announcement.
Compliance verification may be changing. Cybersecurity expectations are not.
Why Did They Do It?
According to department leadership, the review is intended to reduce bureaucracy, accelerate acquisition timelines, and make it easier for smaller businesses to compete for federal contracts. Officials expressed concern that the cost and complexity of compliance could discourage innovative companies from participating in the defense supply chain.
I understand that concern.
Many small businesses struggle with the expense of assessments, policy development, security tools, documentation, and ongoing compliance management. For some organizations, the cost of certification has felt like a barrier to entry rather than a security improvement.
The challenge for the government is finding the right balance between accessibility and security.
What Does This Mean for Contractors?
My advice to contractors is simple: stay the course.
If you’ve been working toward NIST 800-171 compliance, continue. If you’ve invested in security controls, employee awareness training, vulnerability management, multi-factor authentication, endpoint security, and incident response capabilities, don’t stop now.
Organizations that pause their cybersecurity initiatives because certification requirements are under review may create significant risk for themselves. The government has made it clear that protecting federal information remains a non-negotiable requirement.
Contractors should continue:
- Maintaining NIST 800-171 compliance efforts.
- Performing required self-assessments.
- Maintaining accurate SPRS reporting where applicable.
- Improving documentation and security processes.
- Preparing for future certification requirements that may emerge from the review.
The organizations that remain proactive will be in the best position regardless of what the final version of CMMC looks like.
What Does This Mean for Cybersecurity?
This is where things get interesting.
For years, one of the biggest criticisms of the defense supply chain has been that cybersecurity often relied on self-attestation rather than independent validation. CMMC was designed to address that concern by introducing varying levels of assessment and verification.
By suspending Phase II requirements, the government is signaling that it wants to rethink how cybersecurity assurance is measured while reducing unnecessary burden on contractors. Whether this ultimately strengthens or weakens cybersecurity will depend on what replaces the current approach.
What should not be lost in this discussion is the reality that nation-state adversaries, ransomware groups, and cybercriminals are not pausing their attacks while the government reviews CMMC. Sensitive data remains valuable. Supply chain attacks remain common. The threat landscape remains aggressive.
The organizations that view cybersecurity only as a compliance exercise will always struggle. The companies that view cybersecurity as a business imperative will continue protecting their customers, their reputation, and their federal contracts regardless of what acronym appears in the regulations.
Final Thoughts
CMMC is not dead. It’s being reexamined.
The Department of War has paused Phase II certification requirements, but the obligation to protect federal information remains fully intact. Contractors should not interpret this announcement as permission to slow down cybersecurity investments. In my opinion, the smartest organizations will continue building mature security programs, maintaining NIST 800-171 compliance, and preparing for whatever version of CMMC emerges from this review process.
Because at the end of the day, compliance may change. Threat actors won’t.













