Key point: Effective July 13, 2026, the Department of War has suspended the upcoming CMMC Phase II requirements and initiated a 60-day review of the entire program. Phase I self-assessments remain mandatory, and DFARS 252.204-7012 is still fully in force.
What happened: The DoW[1] Chief Information Officer Kirsten A. Davies issued Memorandum 26-P-1023, immediately halting the November 2026 transition to CMMC Phase II and placing all pending Phase II implementation milestones in abeyance. Under Secretary for Acquisition and Sustainment Michael Duffey issued a companion memo directing program managers and contracting officers to remove CMMC Level 2 (C3PAO) and Level 3 (DIBCAC) requirements from solicitations, and to strip those provisions from existing contracts at the next option period or administrative modification.
The official press release frames the action as part of the Acquisition Transformation System initiative, citing SBA data to assert that CMMC compliance costs have driven small and non-traditional businesses out of the Defense Industrial Base (DIB).
The CMMC Reform Task Force and the RFI: The CIO’s memo establishes a CMMC Reform Task Force charged with delivering a top-to-bottom review within 60 days. Along with that announcement, the Department released a Request for Information (RFI) seeking direct industry feedback to inform the Task Force’s recommendations. Among other things, the RFI asks contractors to identify compliance cost drivers, pinpoint which NIST 800-171 controls deliver tangible security uplifts and risk reductions, and propose actionable policy reforms. Responses are due by 12:00 p.m. ET on August 14, 2026.
What the suspension does not change: This is a pause on a verification mechanism, not a reprieve from the underlying obligation to protect covered defense information. DFARS 252.204-7012 remains contractually binding on every defense contractor and subcontractor handling covered defense information. Moreover, NIST 800-171 Rev 2 compliance is still required for contractors and subcontractors who are handling CUI, and their Level 2 compliance is being enforced through self-assessments and government-led reviews.
To be clear, the Phase I self-assessment requirements remain firmly in place, and your SPRS self-assessment scores still matter. In fact, your SPRS scores are arguably even more important, as they could become “Exhibit A” in False Claims Act investigations.
The cyber threat to the DIB remains. Adversary nations also ‘got the memo.’ On the same day the Pentagon suspended third-party certification requirements, NSA, CISA, FBI, and 15 international partner agencies issued a joint advisory warning that Russian threat actors are actively targeting poorly configured routers across the DIB, energy, communications, and healthcare sectors.
Keep in mind, the threat to contractors is not only malware; poorly configured routers are also a proven entry point for corporate espionage hunting for CUI and other company confidential materials.
If you have questions about how the action affects your contracts or subcontract flow-downs, contact Erik Dullea, Heidi Salow, or your Husch Blackwell attorney.
[1] The Department refers to itself as the ‘Department of War,’ though the statutory name, Department of Defense, remains unchanged under 10 U.S.C. § 111. The pending National Defense Authorization Act for 2027 proposes to equate those terms.
