Department of War Suspends CMMC Phase II Requirements...BUT NIST SP 800-171r2 Compliance is Still Required
On July 13, 2026, the Department of War (DoW) announced the immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which was originally scheduled to come into effect on November 10, 2026."In support of Secretary Pete Hegseth's directive to reduce compliance barriers for small and medium sized businesses, we are today suspending the CMMC Phase II requirements and initiating a 60-day study of the future of this program," said DoW Chief Information Officer Kirsten A. Davies. "Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness. We believe the DIB can achieve both, while we reduce unnecessary government red tape." What is CMMC Phase II?Beginning November 10, 2026, applicable solicitations and RFPs will require contractors to hold a CMMC Level 2 certification.During this interim period, the Department will enforce cybersecurity compliance with the NIST SP 800-171 Rev 2 standard through self-assessments and select government-led assessments, focusing on tangible cyber hygiene rather than administrative overhead.It is critical to note that this action does not eliminate the requirement for companies to protect federal data. All defense contractors and subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012.The Department of War remains steadfast in its commitment to securing its digital domain while empowering the DIB to rapidly provide the most advanced capabilities to the warfighter. More information can be found here: Brilliant at the Basics
|





