On July 13th, 2026, at 3:30PM EST, the Department of War (DoW) released a memorandum for senior Pentagon leadership with a subject of "Implementing Department of War Chief Information Officer's Suspension of the Advancement to Cybersecurity Maturity Model Certification Phase 2 Requirements" and "Removing Barriers to Defense Industrial Base Expansion: Immediate Suspension and Strategic Review of Cybersecurity Maturity Model Certification Requirements." Here are answers to some of the questions you might be asking.
Do I Still Have to Comply with CMMC?
Short Answer: Yes.
What Does It Mean?
Phase II of the CMMC Program (contractual requirements) is paused for 60 days pending review of this program and the burden it has put on small and medium sized businesses. CMMC Level 1 Self (FCI) Assessment and Level 2 Self (CUI) assessments and DFARS 252.204-7012 requirements are still there and still required.
What does this really mean? If you and your organization work with CUI, then you still need to protect this information with the methods outlined in DFARS 252.204-7012. NIST Special Publication 800-171 Rev. 2 is still in play due to these requirements, with a lot less pressure from this November deadline. If you and your organization are still dealing with contracts from the government, you still need to meet the FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems — which includes 17 of the controls from NIST Special Publication 800-171 Rev. 2, but three of them are pushed into one control for a total of 15 controls.
The DoW stated that all government "Program Managers and requiring activities must only include the need for CMMC Level 1 (Self) or Level 2 (Self) assessments in procurement request and requirement documents. Program Managers and requiring activities may not designate CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) assessments during this period. The allowed designations are CMMC Level 1 (Self) or CMMC Level 2 (Self)."
As a result, new and renewing contract requirements cannot mandate C3PAO certification for CMMC Level 2 or Level 3. Contracting offices may, however, continue to require CMMC Level 1 or CMMC Level 2 self-assessments where applicable.
This however does not remove the DFARS 252.204-7012 flow down requirements from primes to subs. Organizations who work as a sub will still have these requirements being pushed on them from a prime, but since the certification requirements are paused for now, there should be less pressure to meet that November deadline.
What Are They Doing During the Pause?
The memorandum establishes a 60-day task force to review the current certification model and recommend changes intended to reduce barriers for small and medium-sized businesses. They are delaying the requirements in the contracting world and giving themselves time to come up with a potential solution to what they see as a problem. So, at the end of this, you should expect some statement to come out, whether this is a "business as usual but we'll keep monitoring" or a formal regulatory amendment.
Next Steps
Business as usual should be the thing people are thinking about, not that CMMC will go away and you can go back to ignoring CMMC and DFARS requirements. You and your organization should be still working on CMMC by having your self-assessment done and waiting for a C3PAO to assess you. If you delay your CMMC efforts or choose not to pursue compliance during this 60-day period, and the requirement is reinstated after the delay, you will simply be 60 days behind with the same compliance requirement still in place. Ensure that you keep pressing forward!
Even stated in the memorandum was: "Interim Cyber Posture: During this suspension, the Department will continue enforcing baseline compliance with NIST SP 800-171 Rev 2 through DIB self-assessment and select government-led assessments, focusing on tangible cyber hygiene rather than third-party certifications…."
Looking Ahead
As already stated multiple times in both memorandums, CMMC isn't going anywhere — they are just putting a halt on the Certification requirement to be placed in contracts and proposals. CMMC has been codified in the 48 CFR, and it would take time and effort if their plan was to remove it.
What happens if, after this 60-day period, the Task Force comes up with a solution?
- Can they remove CMMC outright? No. Under the Administrative Procedure Act (APA), an indefinite pause is viewed as a "de facto repeal."
- Can they recommend to formally amend the CFR through a new notice-and-comment rulemaking process? Yes
- Will this amendment take time? Yes
- Can this change just only be a delay in CMMC phase in process? Also yes. They can just push back these requirements a year or two.
What happens if after this 60-day period, the Task Force comes up with no solution?
- Am I still going to need to be certified by the November deadline? Yes and No. It depends on if you are a sub to a prime or if you intend on bidding on a contract that has a level two certification requirement.
- Could the 60-day pause be extended? Yes. The Department could issue another memorandum extending the suspension while the Task Force continues its review.
- Would organizations receive additional notice before certification requirements resume? Most likely. We should be expecting to be issued guidance or another memorandum clarifying how contracting activities should proceed following the conclusion of the review period.
The Bottom Line
"If certification is paused, why spend the money?"
The pause changes the certification timeline, not the obligation to protect government information or comply with existing contractual requirements. Organizations handling FCI or CUI should continue implementing FAR, DFARS, and NIST SP 800-171 requirements while monitoring the outcome of the DoW's review. Maintaining momentum now positions organizations to respond effectively regardless of the direction the Task Force ultimately recommends.