CMMC

CMMC Phase II Is Suspended

Here's What Defense Contractors Should Do Next

Has the Department of War suspended CMMC Phase II?

Yes.

On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II requirements, including the planned rollout of mandatory third-party assessments for applicable contracts. Phase I self-assessment requirements remain in effect while the Department conducts a 60-day review of the program.

The announcement has created uncertainty across the Defense Industrial Base (DIB), but one thing has not changed:

Organizations handling Controlled Unclassified Information (CUI) must continue protecting it in accordance with NIST SP 800-171 and existing contractual obligations.

What Changed?

The Department of War has paused the implementation of Phase II, which was originally scheduled to begin on November 10, 2026.

The decision was made after concerns that the current program imposed significant costs and administrative burdens on small and medium-sized defense contractors, potentially discouraging innovation and participation in the Defense Industrial Base. A 60-day review has been launched to evaluate how CMMC can better balance cybersecurity with acquisition speed and supplier participation.

What Has Not Changed?

This is where many contractors are getting confused. The suspension does not eliminate cybersecurity requirements. The following remain in place:

  • Phase I self-assessment requirements
  • NIST SP 800-171 security requirements for protecting CUI
  • Existing cybersecurity obligations in DoD contracts
  • The expectation that contractors maintain a mature cybersecurity program

In other words, the assessment requirement has paused, but cybersecurity expectations have not.

Why Did the Department Suspend Phase II?

According to the Department, several challenges influenced the decision:

  • Rising compliance costs
  • Limited availability of third-party assessors
  • Delays affecting contract awards
  • Reduced participation from small and innovative suppliers
  • A desire to simplify acquisition without weakening cybersecurity

The Department will use the review period to determine how the program can be modernized while maintaining protection for sensitive defense information.

Should Defense Contractors Pause Their CMMC Efforts?

No.

If your organization supports the DoD or handles CUI, this is not the time to stop preparing. Organizations that continue to invest in cybersecurity will be better positioned, regardless of how the revised program evolves.

Focus on:

  • Protecting CUI
  • Maintaining NIST SP 800-171 compliance
  • Improving documentation
  • Strengthening evidence collection
  • Closing security gaps
  • Preparing for future assessments

Cybersecurity maturity remains a competitive advantage, even if certification timelines change.

What Should Contractors Do Now?

Continue Building Your NIST SP 800-171 Program: The 110 security requirements remain the foundation for protecting CUI. Continue implementing and validating these controls.

Complete a Gap Assessment, Identify:

  • Missing controls
  • Documentation gaps
  • Technical weaknesses
  • Policy deficiencies
  • Evidence gaps

This allows your organization to stay prepared regardless of future CMMC updates.

Strengthen CUI Protection
Review:

  • Where CUI resides
  • Who has access
  • How data moves
  • Whether systems are properly segmented

Proper scoping remains one of the most important cost-saving activities.

Improve Evidence Management: One of the biggest challenges organizations face is proving controls are working. Maintain:

  • Access reviews 
  • Vulnerability scans
  • Incident response records
  • Security monitoring
  • Risk assessments
  • Training records

Organizations with continuous evidence collection will be ready when assessment requirements return.

Monitor Regulatory Updates: The Department has launched a 60-day review, meaning additional guidance is expected. Contractors should monitor official announcements and be prepared to adjust their compliance strategy as new requirements emerge.

What This Means for the Defense Industrial Base

The suspension should not be viewed as the end of CMMC.
Instead, it represents an opportunity to improve how cybersecurity requirements are implemented across the Defense Industrial Base.

Most industry experts expect cybersecurity verification to remain part of future DoD acquisitions, although the implementation model may evolve to reduce cost and complexity.

Organizations that continue strengthening their cybersecurity posture today will have a significant advantage when the revised program is announced.

How Accorian Helps Contractors Stay Ready

Regulatory changes should not derail your cybersecurity strategy. Accorian helps defense contractors maintain readiness through:

  • CMMC readiness assessments
  • NIST SP 800-171 gap assessments
  • CUI scoping and boundary definition
  • Remediation planning
  • Policy and documentation development
  • Mock assessments
  • Continuous compliance support

Using GORICO, organizations can accelerate readiness through AI-powered compliance automation. GORICO helps centralize evidence, track remediation, monitor control maturity, and, through its direct integration with HITRUST MyCSF, streamline HITRUST compliance for organizations pursuing multiple regulatory frameworks alongside CMMC.

Conclusion

The suspension of CMMC Phase II changes the timeline, not the mission.

Cyber threats targeting the Defense Industrial Base continue to grow, and protecting Controlled Unclassified Information remains a critical national security priority.

Rather than viewing this pause as a reason to delay cybersecurity investments, defense contractors should use it as an opportunity to strengthen their security posture, mature their compliance program, and prepare for whatever form the next phase of CMMC takes. Organizations that stay ready today will be in the strongest position tomorrow.

CONTACT US

Table of Contents

Related Articles