Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherJoin the NetworkGet StartedSubscribeSupport
Contact Us
Search
Close

Department of War Suspends CMMC Phase II: What Defense Contractors Need to Know

By Erik Dullea & Heidi Salow on July 14, 2026
Email this postTweet this postLike this postShare this post on LinkedIn
Lock Illustration

Key point: Effective July 13, 2026, the Department of War has suspended the upcoming CMMC Phase II requirements and initiated a 60-day review of the entire program. Phase I self-assessments remain mandatory, and DFARS 252.204-7012 is still fully in force.

What happened: The DoW[1] Chief Information Officer Kirsten A. Davies issued Memorandum 26-P-1023, immediately halting the November 2026 transition to CMMC Phase II and placing all pending Phase II implementation milestones in abeyance. Under Secretary for Acquisition and Sustainment Michael Duffey issued a companion memo directing program managers and contracting officers to remove CMMC Level 2 (C3PAO) and Level 3 (DIBCAC) requirements from solicitations, and to strip those provisions from existing contracts at the next option period or administrative modification.

The official press release frames the action as part of the Acquisition Transformation System initiative, citing SBA data to assert that CMMC compliance costs have driven small and non-traditional businesses out of the Defense Industrial Base (DIB).

The CMMC Reform Task Force and the RFI: The CIO’s memo establishes a CMMC Reform Task Force charged with delivering a top-to-bottom review within 60 days. Along with that announcement, the Department released a Request for Information (RFI) seeking direct industry feedback to inform the Task Force’s recommendations. Among other things, the RFI asks contractors to identify compliance cost drivers, pinpoint which NIST 800-171 controls deliver tangible security uplifts and risk reductions, and propose actionable policy reforms. Responses are due by 12:00 p.m. ET on August 14, 2026.

What the suspension does not change: This is a pause on a verification mechanism, not a reprieve from the underlying obligation to protect covered defense information. DFARS 252.204-7012 remains contractually binding on every defense contractor and subcontractor handling covered defense information. Moreover, NIST 800-171 Rev 2 compliance is still required for contractors and subcontractors who are handling CUI, and their Level 2 compliance is being enforced through self-assessments and government-led reviews.

To be clear, the Phase I self-assessment requirements remain firmly in place, and your SPRS self-assessment scores still matter. In fact, your SPRS scores are arguably even more important, as they could become “Exhibit A” in False Claims Act investigations.

The cyber threat to the DIB remains. Adversary nations also ‘got the memo.’ On the same day the Pentagon suspended third-party certification requirements, NSA, CISA, FBI, and 15 international partner agencies issued a joint advisory warning that Russian threat actors are actively targeting poorly configured routers across the DIB, energy, communications, and healthcare sectors.

Keep in mind, the threat to contractors is not only malware; poorly configured routers are also a proven entry point for corporate espionage hunting for CUI and other company confidential materials.

If you have questions about how the action affects your contracts or subcontract flow-downs, contact Erik Dullea, Heidi Salow, or your Husch Blackwell attorney.


[1] The Department refers to itself as the ‘Department of War,’ though the statutory name, Department of Defense, remains unchanged under 10 U.S.C. § 111. The pending National Defense Authorization Act for 2027 proposes to equate those terms.

Photo of Erik Dullea Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before…

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Read more about Erik DulleaEmailErik's Linkedin Profile
Show more Show less
Photo of Heidi Salow Heidi Salow

Heidi counsels clients on a wide range of privacy, cybersecurity, and artificial intelligence laws, regulations, and standards, including the CCPA, FERPA, EU AI Act, EU and U.K. GDPR, HIPAA, FCRA, GLBA, and NIST frameworks, as well as various U.S. state laws and regulations…

Heidi counsels clients on a wide range of privacy, cybersecurity, and artificial intelligence laws, regulations, and standards, including the CCPA, FERPA, EU AI Act, EU and U.K. GDPR, HIPAA, FCRA, GLBA, and NIST frameworks, as well as various U.S. state laws and regulations touching on healthcare and financial privacy, artificial intelligence, biometrics, and information security. She draws on a notable background as one of the first U.S. attorneys focused on data privacy and cybersecurity, as well as experience as a corporate executive. Heidi previously held executive roles at two large multinational corporations, Thomson Reuters and Leidos.

Read more about Heidi SalowEmail
Show more Show less
  • Posted in:
    Government Contracts, Privacy and Cybersecurity, Technology and AI
  • Blog:
    Byte Back
  • Organization:
    Husch Blackwell LLP
  • Article: View Original Source

Call us at 1-800-913-0988 or email sales@lexblog.com.

Facebook LinkedIn Twitter RSS
  • About LexBlog
  • The Field We Built
  • Library at LexBlog
  • Our Beliefs
  • Our Team
  • Contact LexBlog
  • Disclaimer
  • Editorial Policy
  • Terms of Service
  • Get Started
  • Publishing Solutions
  • Compass
  • Submit a Request
  • Support Center
  • System Status
Copyright © 2026, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo