The Department of Defense (DOD) announced today that it is immediately suspending the Cybersecurity Maturity Model Certification (CMMC) Phase 2 requirements, delaying the next phase in DOD’s multiyear cybersecurity certification rollout that had been scheduled to take effect Nov. 10, 2026.
The department said all Phase 1 self-assessment requirements will remain in effect while it conducts a comprehensive 60-day review of the program.
According to officials, the review is to ensure CMMC is aligned with Defense Secretary Pete Hegseth’s Acquisition Transformation System directives, “prioritizing speed to capability, lowering barriers for small, medium, and non-traditional businesses, and replacing bureaucratic compliance with scalable, resilient cybersecurity measures.”
The announcement marks a significant shift in the department’s implementation of CMMC, which entered its phased rollout in November 2025 after years of development.
The department originally planned to implement the program in four phases over three years.
The program, first introduced in 2020 and revised as CMMC 2.0 in 2021, was designed to strengthen cybersecurity across the defense industrial base. While the updated framework reduced certification levels from five to three and expanded self-assessment options, industry groups continued to raise concerns about compliance costs, particularly for small businesses.
Under the original implementation schedule, Phase 1 required contractors to complete Level 1 or Level 2 self-assessments beginning Nov. 10, 2025. Phase 2 was scheduled to begin Nov. 10, 2026, requiring Level 2 certifications for applicable contracts, followed by Level 3 certification requirements in 2027 and full implementation of all applicable CMMC requirements for contract awards in 2028.
In announcing the suspension, the department argued that CMMC, while intended to improve cybersecurity, had instead created prohibitive compliance costs and administrative burdens.
“Recent data, including reports from the Small Business Administration, confirmed that CMMC compliance is forcing innovative companies out of the Defense Industrial Base which will delay the delivery of critical capabilities to the warfighters,” according to the official statement from the department.
The suspension also applies to pending and future CMMC implementation milestones in DOD solicitations and contracts.
According to Chief Information Officer (CIO) Kirsten Davies, “robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness.”
“We believe the DIB can achieve both, while we reduce unnecessary government red tape,” she added.
The DOD has established the CMMC Reform Task Force to conduct the review of the certification program. The task force will analyze feedback submitted through a public request for information on compliance challenges and recommend security measures that support faster capability delivery while lowering barriers for smaller contractors.
The task force is expected to deliver its findings to the CIO within 60 days.
During the review period, the department said it will continue enforcing cybersecurity requirements through NIST SP 800-171 Rev. 2 self-assessments and selected government-led assessments, emphasizing cyber hygiene over administrative compliance.
The department stressed that the suspension does not eliminate contractors’ obligations to protect federal data. Defense contractors and subcontractors must continue safeguarding covered defense information under Defense Federal Acquisition Regulation Supplement clause 252.204-7012.
Under the Trump administration, the DOD was rebranded as the Department of War.