Department of War Suspends CMMC Phase II Cybersecurity Requirements
The U.S. Department of War suspended CMMC Phase II requirements to reduce bureaucratic burdens and prohibitive costs for small businesses in the defense industrial base.
The United States Department of War immediately suspended the rollout of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which were scheduled for implementation on November 10, 2026. The decision follows a directive from Secretary of War Pete Hegseth to prioritize speed to capability and reduce bureaucratic hurdles for small and non-traditional businesses within the defense industrial base.
Officials cited a critical shortage of qualified third-party assessors—roughly 100 for over 100,000 businesses—and prohibitive compliance costs. The Small Business Administration estimated these costs could reach nearly $600,000 per certification, leading some firms to exit the supply chain. While third-party audits for Phase II, III, and IV are halted, the department will continue enforcing baseline cybersecurity through NIST SP 800-171 Rev 2 self-assessments and DFARS clause 252.204-7012.
To determine a future path, the department established a CMMC Reform Task Force to conduct a 60-day comprehensive review. This task force will collect industry feedback via a request for information, with responses due by August 14, to align cybersecurity measures with the Secretary's Acquisition Transformation System. Procuring agencies have been directed to remove suspended Level 2 and Level 3 requirements from current solicitations and contracts.