On July 13 2026, the U.S. Department of Defense (DoD) announced a temporary halt to the rollout of Phase II of the Cybersecurity Maturity Model Certification (CMMC) program. The pause will last 60 days while the agency reviews the program’s requirements and the availability of third‑party assessment organizations (TPOs). The decision follows concerns about the cost and feasibility of the upcoming certification deadlines.

The CMMC 2.0 framework, which went into full effect on November 10 2025, requires defense industrial base (DIB) contractors to meet one of three maturity levels. Level 1 protects Federal Contract Information (FCI) with basic controls; Level 2 protects Controlled Unclassified Information (CUI) and incorporates the 110 controls of NIST Special Publication 800‑171; Level 3 adds advanced safeguards against persistent threats. Phase I, completed on November 10 2025, required contractors to conduct self‑assessments for Level 1 and some Level 2 work. Phase II, scheduled to begin on November 10 2026, would have required many Level 2 contractors to obtain third‑party certification.

According to reports, the DoD cited a shortage of accredited TPOs as a key reason for the delay. The agency also noted that the cost of certification could exclude small and mid‑size contractors from DoD contracts. Chief Information Officer Kirsten Davies said the pause “gives an opportunity to remove burdensome requirements while still maintaining national security.”

To address these concerns, the DoD has created a CMMC Review and Reform Task Force. The task force will solicit feedback from industry stakeholders, with a focus on ensuring that small businesses and non‑traditional contractors are not disproportionately burdened. Undersecretary of War for Acquisition and Sustainment Michael Duffey stated that the DoD wants to prevent “small manufacturers from being shut out of the defense market due to the cost and complexity of the CMMC.”

The suspension does not affect Phase I requirements. Davies confirmed that the self‑assessment obligations for Level 1 and the existing Level 2 work remain in full force until further notice. The DoD will use the 60‑day review period to recommend revisions to the CMMC 2.0 framework that balance security needs with industry capacity.

If the review concludes that the current structure is viable, the DoD may resume Phase II on schedule. Otherwise, the agency could adjust the timeline for the third and fourth phases, which were originally planned for 2027 and FY 2028, respectively. The third phase would introduce Level 3 requirements, while the fourth phase would aim for a complete transition to the new framework.

The pause has drawn mixed reactions. The Small Business Administration praised the decision as a relief for small contractors, while some industry groups expressed concern that the delay could prolong uncertainty. Analysts note that the review will be critical for determining whether the CMMC can be scaled to meet the DoD’s cybersecurity objectives without stifling the supply chain.

As of July 15 2026, the DoD has not yet issued a revised timeline. Contractors are advised to continue complying with Phase I self‑assessment requirements and to monitor DoD communications for updates on the review’s findings and any subsequent changes to the certification schedule.

In summary, the DoD’s temporary suspension of Phase II reflects challenges in meeting the certification deadlines and a commitment to reassessing the program’s burden on industry. The 60‑day review will shape the future rollout of CMMC 2.0, potentially redefining the balance between national security and contractor feasibility.