Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherJoin the NetworkGet StartedSubscribeSupport
Contact Us
Search
Close

DoW Suspends CMMC Phase II Requirements – Launches 60-Day Review

By Edwin O. Childs, Andrew Konia, Abram J. Pafford, Jack White, Jason M. Vespoli, Léa Dickinson, Sophie Marsh & John Sullivan on July 14, 2026
Email this postTweet this postLike this postShare this post on LinkedIn

Table of Contents

  • Overview
  • Key Takeaways
  • Background - The CMMC Program to Date
  • What the Announcement Does—And Does Not—Change
  • Practical Implications for Defense Contractors
  • Recommended Action Items
  • Related McGuireWoods Coverage

Link to Overview Overview

On July 13, 2026, the Department of War (DoW) announced the immediate suspension of all Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which had originally been scheduled to take effect November 10, 2026, including the transition to mandatory third-party assessments by CMMC Third-Party Assessment Organizations (C3PAOs) for contractors handling Controlled Unclassified Information (CUI). The DoW simultaneously established a CMMC Reform Task Force charged with delivering a comprehensive report within 60 days recommending “realistic, scalable security measures” for the Defense Industrial Base (DIB).

The suspension, announced by DoW Chief Information Officer Kirsten A. Davies, aligns with Secretary of War Pete Hegseth’s Acquisition Transformation System (ATS) directives and the broader “Arsenal of Freedom” initiative. Critically, the action does not relieve contractors of their underlying obligations to protect federal data, which includes the current DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and the NIST SP 800-171 Rev. 2 security controls upon which the CMMC Phase II requirements are based.

Link to Key Takeaways Key Takeaways

  • Immediate Phase II / III suspension: CMMC Phase II (third-party C3PAO assessments) and all future CMMC milestones are suspended immediately. Phase I self-assessments remain in place.
  • No changes to current requirements: DFARS 252.204-7012, NIST SP 800-171 Rev. 2 requirements, SPRS scores, and cyber incident reporting obligations remain fully in place, mandatory, and actionable from an enforcement perspective.
  • FCA risk unchanged: Failure to comply with these cybersecurity requirements remain subject to False Claims Act enforcement under DOJ’s Civil Cyber-Fraud Initiative.
  • 60-day clock: The CMMC Reform Task Force must deliver its final report by mid-September 2026. DoW published an RFI to solicit industry input, with comments due by 12:00 PM ET on Friday, August 14, 2026.
  • Interim standard: DoW will enforce cybersecurity through self-assessments and select government-led assessments, using DoW’s “Brilliant at the Basics” IT/OT Top 10 standards as a practical benchmark.
  • At present, program reform—not elimination: DoW has signaled its intent to reform, not dismantle, cybersecurity certification. DoW intends for contractors to maintain compliance readiness.

Link to Background – The CMMC Program to Date Background – The CMMC Program to Date

The DoW has been developing the CMMC program for the better part of a decade. The CMMC 2.0 final program rule (32 CFR Part 170) was published in the Federal Register on October 15, 2024, following a nearly five-year rulemaking process. The corresponding DFARS contract clauses (DFARS 252.204-7021 and 252.204-7024) were finalized in a rule published September 10, 2025, effective November 10, 2025.

The DoW had anticipated implementing the CMMC program across a three-tiered model:

  • Level 1: Self-assessment against 15 FAR 52.204-21 requirements for Federal Contract Information (FCI).
  • Level 2: Compliance with 110 controls from the NIST SP 800-171 Rev. 2 requirements for CUI, verified via self-assessment or third-party C3PAO certification depending on the sensitivity of the contract.
  • Level 3: Compliance with 110 controls from the NIST SP 800-171 Rev. 2 requirements plus 17 additional NIST SP 800-172 controls, assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

The CMMC 2.0 rollout was planned in the following phases:

  • Phase I (November 10, 2025): Level 1 and Level 2 self-assessment requirements took effect.
  • Phase II (November 10, 2026): Third-party C3PAO assessment requirement for Level 2 contracts.
  • Phase III (November 10, 2027): Level 3 DIBCAC assessments.
  • Phase IV (no later than November 10, 2028): Full incorporation into all DoW contracts.

The DoW’s actions have suspended the latter three of these four phases.

Link to What the Announcement Does—And Does Not—Change What the Announcement Does—And Does Not—Change

Requirements Suspended (Effective Immediately):

  • The transition to mandatory third-party C3PAO assessments under CMMC Level 2 (Phase II), previously scheduled for November 10, 2026;
  • All pending and future CMMC implementation milestones across DoW solicitations and contracts (Phases III and IV); and
  • Any new solicitation requirements referencing the suspended CMMC phases.

Remaining in Full Force:

  • Phase I requirements, including both Level 1 and Level 2, self-assessment requirements remain in place (Level 1 and Level 2 self-assessments under DFARS 252.204-7021).
  • DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) remains the baseline CUI-based contractual cybersecurity self-certification obligation for all DoW contractors and subcontractors.
  • The NIST SP 800-171 Rev. 2 remains the baseline DoW CUI security control framework, enforced through self-assessments and select government-led assessments focused on “tangible cyber hygiene rather than administrative overhead.”
  • Supplier Performance Risk System (SPRS) score submission and maintenance requirements remain in place.
  • All contractual obligations to protect Covered Defense Information (CDI) and report cyber incidents remain in place.

New Initiatives:

  • CMMC Reform Task Force:  The DoW announcement establishes a “CMMC Reform Task Force,” a DoW CIO-led body, that is charged with conducting a complete review of the CMMC program. The task force is expected to synthesize industry feedback received through a public Request for Information (RFI) on compliance challenges, which DoW published on July 14, 2026 with comments due by 12:00 PM ET on Friday, August 14, 2026.  The Task Force must deliver a final report to the DoW CIO within 60 days of the announcement (approximately mid-September 2026).
  • “Brilliant at the Basics” Initiative:  The DoW announcement also establishes the new “Brilliant at the Basics” Initiative, a DoW CIO cybersecurity campaign that provides IT and Operational Technology (OT) “Top 10” best-practices lists designed to empower DIB partners—particularly small, mid-sized, and non-traditional companies—to secure their networks and protect sensitive DoW information during the interim period.

Link to Practical Implications for Defense Contractors Practical Implications for Defense Contractors

1. No “Stand Down” on Cybersecurity Compliance.  The suspension eliminates the near-term C3PAO assessment requirement but does not roll back existing cybersecurity requirements, including Level 2 self-assessments.  Moreover, DFARS 252.204-7012 remains a binding regulatory and contractual requirement.  The DoW will continue to enforce NIST SP 800-171 Rev. 2 compliance through self-assessments and targeted government-led assessments. Contractors who relax cybersecurity efforts do so at their own risk.  To that end, the Level 2 self-certification requirements implemented through Phase I of CMMC remain in effect.

2. False Claims Act Risk Persists.  The Department of Justice is continuing to pursuant cybersecurity compliance failures under the False Claims Act (FCA), including through the Civil Cyber-Fraud Initiative.  Contractors who (1) expressly certify compliance in SPRS submissions, or (2) hold contracts that include cybersecurity requirements may face FCA liability if the contractor’s cybersecurity posture is inconsistent with those requirements, regardless of whether a C3PAO has conducted a formal CMMC assessment.

3. Reassess—But Do Not Abandon—C3PAO Preparation Timelines.   Contractors that have invested in preparing for Level 2 third-party certification may want to reassess timelines for finalizing CMMC Level 2 certification efforts, but should not abandon remediation efforts. The 60-day task force review may result in a modified (not eliminated) assessment regime, and contractors who maintained compliance posture during the suspension will be better positioned when requirements resume in any form.  Moreover, the CMMC Level 2 requirements are consistent with the DFARS 252.204-7012 requirements, meaning that such efforts may help limit potential civil and administrative exposure.

4. “Brilliant at the Basics” as an Interim Benchmark.  The DoW CIO’s IT and OT Top 10 best-practices lists, available at dowcio.war.gov/BrilliantBasics/, identify DoW’s expectation for “tangible cyber hygiene” for, at a minimum, the next sixty days. Contractors may want to benchmark their cybersecurity programs against the standards and activities described in these lists and document compliance as evidence of good faith.

5. M&A and Due Diligence Considerations.  For transactions involving DIB companies, CMMC certification status has been a relevant valuation and risk factor. The Phase II suspension may shift deal dynamics: targets that had not yet achieved C3PAO certification face reduced near-term risk.  That said, acquirers should still assess the target’s NIST SP 800-171 compliance posture, SPRS score accuracy, and readiness to comply with whatever regime emerges from the 60-day review and limit risk from a cyber fraud standpoint.

6. Subcontract Flow-Down Obligations.  Prime contractors should review subcontract terms referencing CMMC Phase II milestones. While the DoW suspension applies to government solicitations and contracts, primes that contractually required subcontractors to achieve C3PAO certification by specific dates may wish to consider formal guidance to their supply chains given the suspension and interim steps being taken by the DoW.

Link to Recommended Action Items Recommended Action Items

In light of the Phase II suspension, we recommend that defense contractors take the following steps:

  1. Continue Phase I Self-Assessments and SPRS Score Maintenance.  These obligations are unaffected by the suspension.  Contractors must ensure that SPRS scores accurately reflect their current implementation status.
  2. Do Not Pause NIST SP 800-171 Rev. 2 Remediation Efforts.  The underlying control set remains the compliance standard. Plans of Action and Milestones (POA&Ms) should continue to be executed and documented (except where such efforts are not permitted under CMMC Phase I).
  3. Maintain DFARS 252.204-7012 Cyber Incident Reporting Readiness.  None of the DoW’s efforts have changed the 72-hour reporting obligation for cyber incidents affecting covered contractor information systems.
  4. Benchmark Against the “Brilliant at the Basics” IT/OT Top 10 Lists. Contractors may want to treat these “lists” as DoW’s interim compliance guidelines and document alignment with those terms.
  5. Monitor the CMMC Reform Task Force and Consider Responding to the RFI. The 60-day review will shape the future of the program. Contractors with strong views on compliance costs, scalability, or alternative approaches should consider submitting comments.  This is particularly true for small, mid-sized, and non-traditional companies, which the DoW has suggested is the primary focus of the 60-day suspension.  Comments are due by 12:00 PM ET on Friday, August 14, 2026. 
  6. Review Subcontract Flow-Down Provisions.  Contractors may want to assess whether subcontract terms referencing Phase II milestones require modification or formal communication to supply chain partners.
  7. Evaluate Pending Proposals and Solicitations.  Contractors should assess whether any pending proposals reference Phase II requirements that may now be inapplicable and seek guidance from contracting officers as appropriate.
  8. Consult Counsel on FCA Risk.  Contractors should ensure that cybersecurity compliance representations in proposals, SPRS submissions, and contract performance are accurate and defensible.  To the extent that any issues, risks, or non-compliances are identified, we recommend that contractors speak to counsel regarding mitigation or disclosure requirements that may be implicated.

The DoW’s suspension of CMMC Phase II represents a significant shift in the near-term compliance landscape for defense contractors, but it does not mean that contractors should reduce cybersecurity vigilance. Contractors should view the interim period as an opportunity to strengthen foundational compliance while positioning for whatever regime emerges from the 60-day review. McGuireWoods is continuing to monitor developments from the CMMC Reform Task Force, the  open RFI , and any further DoW guidance.

For questions about the CMMC Phase II suspension, the interim compliance framework, or how these developments may affect your organization’s government contracts or cybersecurity programs, please contact a member of the McGuireWoods Government Contracts or Data Privacy & Cybersecurity teams.

Link to Related McGuireWoods Coverage Related McGuireWoods Coverage

  • Department of Defense Issues Final Rule on Cybersecurity Standards for Contractors (Subject to Inquiry, September 2025)
  • DoD Issues Final CMMC Framework for Defense Contractors (McGuireWoods Legal Alert, October 23, 2024)
  • DHS Issues Final Rule Regulating Federal Contractors’ Handling of Controlled Unclassified Information (McGuireWoods Legal Alert, July 19, 2023)
  • CMMC 2.0: Department of Defense Revamps Cybersecurity Maturity Model Certification Program (Subject to Inquiry, November 19, 2021)
  • Ready or Not … Government Contractor Cybersecurity Requirements Roll Out This Month (McGuireWoods Legal Alert, November 9, 2020)
Photo of Edwin O. Childs Edwin O. Childs

As a leader of the firm’s Defense, National Security and Government Contracting industry team, Ned Childs is a government contract and investigations and enforcement attorney who represents companies across a wide range of sectors, including the defense, services, technology, and aerospace industries. His…

As a leader of the firm’s Defense, National Security and Government Contracting industry team, Ned Childs is a government contract and investigations and enforcement attorney who represents companies across a wide range of sectors, including the defense, services, technology, and aerospace industries. His practice, spanning more than a decade in Washington, encompasses a broad array of legal services, including government contract investigations, disclosures, and regulatory enforcement actions; bid protests and government contract disputes; government contract counseling; export licensing and enforcement; prime contractor-subcontractor disputes; corporate ownership and acquisition issues; and election law investigations and enforcement matters.

Read more about Edwin O. ChildsEmail
Show more Show less
Photo of Andrew Konia Andrew Konia

Andrew’s practice is singularly focused on protecting clients’ businesses and data, anticipating disputes, and strengthening their competitive position in the marketplace. As chair of the firm’s data privacy and security team, Andrew leads a nationally recognized team of professionals dedicated to protecting clients’…

Andrew’s practice is singularly focused on protecting clients’ businesses and data, anticipating disputes, and strengthening their competitive position in the marketplace. As chair of the firm’s data privacy and security team, Andrew leads a nationally recognized team of professionals dedicated to protecting clients’ systems, networks and data, managing information, and responding to cyber incidents.

Read more about Andrew KoniaEmail
Show more Show less
Photo of Abram J. Pafford Abram J. Pafford

Abe focuses his practice on protecting the rights and interests of companies and individuals who face disputes or conflicts with the federal government in its role as purchaser, prosecutor, and chief regulator. For more than twenty years, Abe has represented government contractors, participants…

Abe focuses his practice on protecting the rights and interests of companies and individuals who face disputes or conflicts with the federal government in its role as purchaser, prosecutor, and chief regulator. For more than twenty years, Abe has represented government contractors, participants in regulated industries, and companies and individuals targeted for federal investigation or prosecution, consistently achieving successful results for clients confronting difficult odds.

Read more about Abram J. PaffordEmail
Show more Show less
Photo of Jack White Jack White

Jack is an accomplished trial lawyer and legal strategist who guides clients through complex challenges, including high-profile and sensitive litigation and government investigations. He focuses his practice on civil litigation, regulatory enforcement, and congressional investigations for clients in the defense, technology, federal contracting…

Jack is an accomplished trial lawyer and legal strategist who guides clients through complex challenges, including high-profile and sensitive litigation and government investigations. He focuses his practice on civil litigation, regulatory enforcement, and congressional investigations for clients in the defense, technology, federal contracting, higher and K-12 education, and other business sectors.

Read more about Jack WhiteEmail
Show more Show less
Photo of Jason M. Vespoli Jason M. Vespoli

Jason focuses his practice on federal and state procurement, government technology, bid protests and government contract disputes, and regulatory compliance. He utilizes experience in state government, government technology, and complex procurement to solve problems in innovative and efficient ways.

Read more about Jason M. VespoliEmail
Photo of Léa Dickinson Léa Dickinson
Email
Photo of Sophie Marsh Sophie Marsh

Sophie focuses her practice on government contracts and government investigations matters.

Read more about Sophie MarshEmail
Photo of John Sullivan John Sullivan

John is an associate within the Government Investigations and White Collar Litigation group.

Read more about John SullivanEmail
  • Posted in:
    Technology and AI
  • Blog:
    Subject to Inquiry
  • Organization:
    McGuireWoods LLP
  • Article: View Original Source

Call us at 1-800-913-0988 or email sales@lexblog.com.

Facebook LinkedIn Twitter RSS
Library at LexBlog
  • About LexBlog
  • The Field We Built
  • Library at LexBlog
  • Our Beliefs
  • Our Team
  • Contact LexBlog
  • Disclaimer
  • Editorial Policy
  • Terms of Service
  • Get Started
  • Publishing Solutions
  • Compass
  • Submit a Request
  • Support Center
  • System Status
Copyright © 2026, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo