| Quick Answer
The Department of War suspended CMMC Phase 2 requirements effective July 13, 2026, pausing the transition that was set to begin November 10, 2026. Phase 1 self-assessment requirements remain fully in place. The DoW CIO has launched a 60-day CMMC Reform Task Force review to recommend scalable, less burdensome security requirements. In the meantime, contractors must still self-assess against NIST SP 800-171 Rev 2 and remain contractually bound to protect covered defense information under DFARS clause 252.204-7012. Compliance work should continue, not stop. |
If you've been tracking the November 10, 2026 CMMC Phase 2 enforcement deadline, that timeline just changed. On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase 2 requirements, along with a 60-day review aimed at overhauling how the certification program works.
For defense contractors and subcontractors across Maryland and the DMV region, this is a moment to understand exactly what changed, what didn't, and what to do next — without losing the compliance progress you've already built.
What Actually Changed
The DoW's announcement, titled “Forging the Arsenal of Freedom,” suspends the transition to CMMC Phase 2 requirements as well as pending and future CMMC implementation milestones across DoW solicitations and contracts. The decision was driven in part by data from the Small Business Administration showing that CMMC compliance costs were pushing innovative companies out of the Defense Industrial Base (DIB) — delaying capability delivery to the warfighter.
DoW Chief Information Officer Kirsten A. Davies framed the move as part of Secretary of War Pete Hegseth's Acquisition Transformation System (ATS) directive, which prioritizes speed to capability and lowers barriers for small, medium, and non-traditional businesses.
What Hasn't Changed
| Phase 1 self-assessment requirements remain fully in effect.
NIST SP 800-171 Rev 2 self-assessments — and select government-led assessments — are still enforced during the review period. DFARS clause 252.204-7012 still requires contractors to safeguard covered defense information (CDI). The requirement to protect federal data has not been eliminated — only the Phase 2 certification timeline has paused. |
The 60-Day CMMC Reform Task Force
The DoW CIO is standing up a CMMC Reform Task Force to conduct a top-to-bottom review of the certification program. The task force will synthesize industry feedback gathered through the Department's public Request for Information (RFI) on compliance challenges, then deliver recommendations to the DoW CIO within 60 days.
Under Secretary of War for Acquisition and Sustainment Michael Duffey said the goal is to “maintain a strict security baseline while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain.” The stated intent is scalable, resilient cybersecurity measures — not a rollback of security expectations.
Before vs. During the Suspension
| Requirement | Status |
| CMMC Phase 1 self-assessments | In effect, unchanged |
| CMMC Phase 2 certification requirements | Suspended, effective immediately |
| CMMC contract milestones (pending/future) | Suspended during the 60-day review |
| NIST SP 800-171 Rev 2 self-assessment | Still enforced |
| DFARS 252.204-7012 (safeguarding CDI) | Still enforced, contractually binding |
| November 10, 2026 Phase 2 deadline | Paused pending task force recommendations |
What This Means for Your Business Right Now
A suspension of Phase 2 enforcement is not the same as compliance becoming optional. Contractors who pause their security work now risk falling behind once the task force issues its recommendations — and NIST 800-171 obligations haven't gone anywhere in the meantime.
| Don't Pause Your Compliance Work
The finish line moved. The underlying risk, and your contractual obligations, did not. Contractors who keep strengthening their security posture through the review period will be ready no matter what the task force recommends — and won't be scrambling if Phase 2 requirements return on a new timeline. |
Practical next steps for contractors during the review period:
- Continue (or start) your NIST SP 800-171 Rev 2 self-assessment — it's still required.
- Keep your System Security Plan (SSP) and Plan of Action & Milestones (POA&M) current.
- Maintain safeguards for covered defense information under DFARS 252.204-7012.
- Watch for the CMMC Reform Task Force's findings, expected within 60 days (by mid-September 2026).
- Consider submitting feedback through the DoW's public RFI process if compliance costs have been a barrier for your business.
Why This Matters for the DMV Defense Industrial Base
Maryland and the broader DMV region are home to a dense concentration of defense contractors and subcontractors, many of them small and mid-sized businesses that have been working toward CMMC Phase 2 readiness for months. This suspension gives that community breathing room — but the underlying cybersecurity expectations that CMMC was built to enforce, protecting FCI and CUI, remain a business requirement, insurance requirement, and often a prime contractor flow-down requirement regardless of DoW's certification timeline.
Frequently Asked Questions
Does this mean CMMC is going away?
No. The DoW suspended Phase 2 certification requirements and is reviewing the program — it did not eliminate CMMC or the underlying requirement to protect federal data. Phase 1 self-assessments remain in place, and a new framework or timeline is expected once the 60-day review concludes.
Do I still need to comply with NIST SP 800-171?
Yes. The Department will continue to enforce cybersecurity compliance with NIST SP 800-171 Rev 2 through self-assessments and select government-led assessments during the review period.
What is the CMMC Reform Task Force reviewing?
The task force is conducting a comprehensive review of the CMMC program, using industry feedback from the DoW's public RFI to recommend scalable, realistic security measures that lower barriers for small and non-traditional businesses while maintaining a strong security baseline. Its report is due to the DoW CIO within 60 days.
Should I stop working on my CMMC readiness?
No. Contractors who continue strengthening their security posture now will be better positioned once new requirements or timelines are announced, and will remain aligned with the NIST 800-171 and DFARS obligations that are still in force today.
When will Phase 2 requirements return?
The DoW has not announced a new Phase 2 timeline. The CMMC Reform Task Force is expected to deliver its recommendations within 60 days of the July 13, 2026 announcement, after which the Department is expected to provide updated guidance.
| Not Sure Where Your CMMC Readiness Stands?CISPOINT helps Maryland and DMV defense contractors navigate CMMC and NIST 800-171 compliance — through this review period and beyond.
→ Schedule a Free CMMC Readiness Assessment **Insert link to CMMC Consultation form** |








