On July 13, 2026, the Department of War (DoW) announced the immediate suspension of CMMC Phase II requirements, which had been scheduled to take effect on November 10, 2026. The action was formalized the same day in a signed memorandum from Under Secretary of War for Acquisition and Sustainment Michael P. Duffey, and announced directly by the DoW Chief Information Officer.
If you are a defense contractor or subcontractor, your inbox and LinkedIn feed are probably already full of takes on this. Some are treating it as a reason to shelve their compliance projects. We would urge you not to. Below is a clear-eyed breakdown of what changed, what did not, and, most importantly, what it means for your business.
DoW Chief Information Officer Kirsten A. Davies announced the suspension in a short (roughly three-minute) video message. We strongly encourage every client to watch it directly rather than rely on secondhand summaries.
The 60-day review of the CMMC program is owned by the DoW CIO, Kirsten Davies, who is standing up a CMMC Reform Task Force to lead a top-to-bottom review and deliver recommendations. The entire effort sits under Secretary of War Pete Hegseth’s broader Acquisition Transformation priorities, which the Department describes as forging the “Arsenal of Freedom”: speed to capability, lower barriers for small, medium, and non-traditional businesses, and scalable, resilient cybersecurity in place of bureaucratic compliance.
The Task Force is gathering industry input through a public Request for Information (RFI), “Reforming CMMC and Reducing Compliance Burden,” posted on SAM.gov. Responses are due August 14, 2026. This is the official channel for the Defense Industrial Base to shape what the reformed program looks like. If CMMC’s cost and complexity have been a burden on your organization, this is your opportunity to be heard as a stakeholder, and we recommend you take it.
The big picture: The DoW CIO has paused the CMMC rollout and suspended Phase II implementation as part of a broader acquisition overhaul tied to Executive Order 14265 (Modernizing Defense Acquisitions and Spurring Innovation in the Industrial Base, April 2025). A 60-day review is now underway.
The mechanics that affect your contracts:
In short: the third-party certification mechanism is being paused and reworked. The security expectations underneath it are not going away.
This is the part that matters. The only thing that has changed is the Phase II requirement to undergo a Certification Assessment by a Certified Third-Party Assessment Organization (C3PAO). Everything else you were already obligated to do, you are still obligated to do.
Here is what remains fully in force:
1. Your self-assessment is still REQUIRED.
CMMC Level 1 (Self) and Level 2 (Self) self-assessments remain required. Phase I was never suspended. You still perform the assessment, you still affirm it, and you still post your results to the Supplier Performance Risk System (SPRS), accessed through the Procurement Integrated Enterprise Environment (PIEE).
2. Your core safeguarding obligations are unchanged.
If you store, process, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you must still meet:
A note on DFARS 252.204-7021 (the CMMC clause): with Phase II suspended and the program under a 60-day review, this clause is currently listed as “TBD” on the DoD CIO’s CMMC Resources page; its future application is to be determined pending the outcome of the review. That does not relieve you of anything above. Your safeguarding, self-assessment, and reporting duties continue regardless of where 7021 lands.
The one CMMC element that is suspended is the Phase II Certification Assessment performed by a C3PAO. Nothing about your obligation to actually protect FCI and CUI is lifted.
3. NIST SP 800-171 Revision 2 remains the standard.
Systems that process FCI or CUI must still meet NIST SP 800-171 Revision 2:
4. CUI cloud requirements are unchanged.
CUI must still be stored and processed only using cloud service providers (CSPs) that meet the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (or equivalent), consistent with DFARS 252.204-7012.
5. Incident reporting is unchanged.
Cyber incidents involving CUI must still be reported to the DoD Cyber Crime Center (DC3) within 72 hours of discovery.
6. You must stay compliant for the life of the contract, and you can still be checked.
The DIB is required to maintain compliance for the entire duration of the contract, and you remain subject to select government-led assessments during this period; DFARS 252.204-7020 preserves the government’s right to assess. Self-assessment does not mean self-policing without consequence.
Firms that treated earlier CMMC delays as an excuse to stand down consistently found themselves scrambling later, at higher cost and under time pressure. The organizations that stayed the course kept their competitive edge.
Your obligations under DFARS 252.204-7012, FAR 52.204-21 (52.240-93), NIST SP 800-171 Rev 2 (all 110 controls and 320 objectives for CUI), FedRAMP cloud handling, and 72-hour DC3 incident reporting all remain in force, and you remain subject to government-led assessment. Peerless is still here to ensure you meet your requirements, whether that is the 15 basic safeguarding requirements for CMMC Level 1 (Self) or all 110 NIST SP 800-171 security controls for CMMC Level 2 (Self). If you have our services, nothing changes in our support. Our goal is to support and lead you to CMMC readiness based on NIST SP 800-171.
We encourage clients to review the primary sources directly:
This post is for general informational purposes and reflects the DoW announcement, signed memorandum, and CIO video dated July 13, 2026. It is not legal advice. Contractual obligations vary; consult your contracting officer and legal counsel regarding your specific requirements. Sources: U.S. Department of War press release, “Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements”; the memorandum “Implementing Department of War Chief Information Officer’s Suspension of the Advancement to Cybersecurity Maturity Model Certification Phase 2 Requirements” (26-P-1023), signed by Under Secretary of War Michael P. Duffey; the DoW CIO CMMC program page; and 32 CFR Part 170, FAR 52.204-21, and DFARS 252.204-7012.