Pentagon Pulls Emergency Brake on CMMC Phase II Certification

The Department of War hit pause on CMMC Phase II third-party certification requirements on July 13, 2026. The November 10, 2026 deadline is suspended indefinitely, leaving 120,000 small businesses who were supposed to undergo assessment – either self-assessment or third-party audit – stuck in limbo while a 60-day review determines what comes next.
For anyone wondering if this counts as the fourth major CMMC revision since 2020: yes, it does.
Before diving into the implications, here’s what actually happened:
- 120,000+ small businesses face compliance uncertainty under the paused framework
- ~100 approved third-party assessors existed at announcement time (a supply-demand gap that was mathematically impossible to close)
- $388,600 to $593,800 estimated compliance costs per small firm, according to SBA analysis
- August 14, 2026, 12 PM ET deadline for RFI submissions to inform the reform process
The Department of War didn’t mince words about why they pulled this lever. Kirsten Davies, DoW Chief Information Officer, framed it cleanly during the announcement video and the accompanying reform memo:
“We believe the DIB can achieve both [cybersecurity and operational resilience], while we reduce unnecessary government red tape.” – Kirsten A. Davies, DoW CIO
Michael Duffey, Under Secretary of War for Acquisition and Sustainment, put it even more bluntly in the official press release:
“The CIO’s decision ensures we maintain a strict security baseline while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain.” – Michael Duffey, Under Secretary of War for Acquisition and Sustainment
Kelly Loeffler, SBA Administrator under the Trump administration, was equally direct about small business impact:
“Cybersecurity cannot come at the cost of bureaucracy that shuts out the very companies our warfighters depend on.” – Kelly Loeffler, SBA Administrator
What changed with the CMMC suspension – and what stayed the same?
The suspension targets Phase II third-party certification requirements specifically. Level 2 assessments through C3PAO and Level 3 through DIBCAC are off the table during the review period. Existing contracts carrying those requirements should get modified before the next option period or administrative change, according to implementation memos distributed to senior Pentagon leadership.
Phase I self-assessments remain in full effect, and NIST SP 800-171 Rev 2 compliance continues unabated. DFARS clause 252.204-7012 – safeguarding covered defense information plus cyber incident reporting – stays fully enforceable. Nothing about your obligation to protect federal data has disappeared just because the certification pathway shifted.
What contractors should focus on:
- Update self-assessments accurately (False Claims Act exposure remains regardless of third-party verification status)
- Monitor solicitation amendments (C3PAO requirements should get stripped out “as soon as practicable” according to contracting guidance)
- Review subcontract flow-down provisions (primes may independently maintain stricter assessment terms)
- Prepare RFI responses (feedback due August 14, 2026 will directly shape Task Force recommendations)
- Continue NIST SP 800-171 implementation efforts (pause compliance work at your own peril)
The legal landscape hasn’t gotten softer, either. Inaccurate self-attestations still carry False Claims Act (FCA) liability, and government-led assessments can still happen selectively during the suspension period. Existing certified contractors retain their competitive advantages without new pressure to recertify.
Has CMMC been delayed or revised before?
History shows a clear pattern of false starts that predated CMMC; I remember working with several defense contractors in the years before CMMC and it was a rough go.
- CMMC 1.0 launched in 2020 with five certification levels and mandatory third-party assessments across the entire Defense Industrial Base.
- Early 2021 brought a Biden Administration review that produced CMMC 2.0 in November of that year – streamlining to three levels and expanding self-assessment eligibility.
- The rulemaking process ate up most of 2022, 2023, and early 2024 while Title 32 and Title 48 regulations got finalized.
- Phased implementation began late 2025, and now, less than a year later, another pause arrives before Phase II ever officially kicks in.
However, this is the first time the Department has paused a scheduled implementation phase after the revised framework entered contract execution. That distinction matters because previous delays happened during rulemaking, not while contractors faced active compliance deadlines.
Why did the Department of War suspend CMMC Phase II?
The assessor shortage alone explains half the story. The SBA estimated total compliance costs could reach approximately $593,800 per CMMC certification for small firms requiring third-party assessment, and about $388,600 for firms eligible for self-assessment (SBA). Meanwhile, only about 100 approved assessors existed to service over 120,000 small businesses.
That math doesn’t math.
SBA Administrator Loeffler highlighted the impact during the announcement press release, noting that compliance pressures caused many firms to leave or consider leaving defense-related work. Through its nationwide manufacturing tour and Red Tape Hotline, the agency engaged with DoW partners to identify ways to reduce unnecessary compliance costs while preserving cybersecurity protections.
“The small businesses that undergird our defense industrial base are committed to protecting our nation’s digital domain – but cybersecurity cannot come at the cost of bureaucracy that shuts out the very companies our warfighters depend on.” – Kelly Loeffler, SBA Administrator
The Trump SBA positioned itself as a mediator between industry concerns and acquisition priorities. Working closely with DoW officials, the SBA reportedly heard directly from mission-critical small businesses that CMMC compliance was becoming untenable.
KEY DATES
| Date | Event |
|---|---|
| July 13, 2026 | Suspension announced effective immediately |
| August 14, 2026, 12 PM ET | RFI submission deadline |
| September 2026 | Expected Task Force recommendations (60-day window) |
| November 10, 2026 | Original Phase II deadline (now suspended) |
What happens after the 60-day CMMC review period?
The CMMC Reform Task Force has until roughly September 2026 to deliver recommendations. Their mandate includes redesigning supply chain cybersecurity approach to align with Secretary Hegseth’s Acquisition Transformation System directives, and the task force will synthesize industry feedback from the public RFI. From there, they’ll recommend realistic, scalable security measures prioritizing speed to capability.
Possible outcomes include streamlined CMMC continuing with modified requirements, a completely alternative certification model replacing third-party audits, or extended suspension with intermittent reviews. Based on the pattern of previous revisions, structural changes seem far more likely than minor adjustments.
Each prior has resulted in updates to the standard. Given that the DoW paused remaining CMMC implementation for longer than the expected review period, further updates appear probable. The focus on small, medium, and non-traditional businesses suggests potential carve-outs or reduced requirements for companies of particular sizes, those more commercially focused, or newer to the defense sector.
Principal obligations protecting CUI and FCI material remain unlikely to disappear entirely, and might get added to non DoD contracts. Companies working toward CMMC compliance should avoid pausing efforts, and instead use this moment to implement practices needed to satisfy standards once the review concludes.
What should defense contractors do during the CMMC suspension?
The November 10, 2026 deadline isn’t happening. That certainty exists alongside continued NIST SP 800-171 obligations and DFARS 252.204-7012 enforcement, while FCA risks are still out there for inaccurate self-attestations. Whatever you do, don’t stop implementing your cybersecurity program, because we’ll probably see FCA enforcement based on what happens during this current period. After all, look at what happened just recently to Logzone.
Six years into this program, with four major iterations and now a fourth pause, CMMC is unfortunately an unstable policy in flux. Whether that volatility ends with sustainable reform or another cycle of delay stays unclear. What contractors can control involves maintaining compliant cybersecurity programs regardless of which framework emerges from the Task Force recommendations.
The Department of War framed this suspension as clearing bureaucratic roadblocks without lowering the cybersecurity bar. Whether that promise holds depends entirely on what replaces third-party certification requirements. For now, contractors operate under self-assessment with selective government oversight – a temporary state that becomes permanent only if the Task Force recommends it.
Time will tell if this pause represents meaningful reform or another extension of an unresolved problem. The next 60 days determine which path forward gets chosen.