The Department of Defense pauses upcoming third-party assessment requirements and opens a comprehensive review of the Cybersecurity Maturity Model Certification (CMMC) program.
The U.S. Department of Defense (DoD) has suspended CMMC Phase 2 requirements and initiated a comprehensive review of the Cybersecurity Maturity Model Certification (CMMC) program, according to the official Department release issued on July 13, 2026. The move pauses the third-party cybersecurity assessments that tens of thousands of defense contractors had been preparing to meet, and once again places the program’s future in question.
The suspended Phase 2 requirements were scheduled to take effect on November 10, 2026, and would have required many contractors handling Controlled Unclassified Information (CUI) to pass an assessment by a Certified Third-Party Assessment Organization (C3PAO) before winning certain DoD contracts. The Department confirmed that Phase 1 self-assessment requirements, in force since November 2025, remain in place, while later milestones (Phase 3 and full implementation) are suspended as well. During the review, the DoD will enforce cybersecurity compliance through NIST SP 800-171 Revision 2 self-assessments and select government-led assessments.
Why the DoD Paused CMMC Phase 2
DoD leaders said the current program placed prohibitive costs and administrative burdens on the Defense Industrial Base (DIB), particularly small and mid-size businesses, and pointed to a shortage of approved assessors relative to the number of companies awaiting review. To lead the effort, the Department established a CMMC Reform Task Force, which will collect industry feedback, including through a public Request for Information (RFI) with responses due August 14, 2026, and deliver findings and recommendations within 60 days.
CMMC was established to strengthen cybersecurity across the DIB and safeguard Federal Contract Information (FCI) and CUI shared throughout the defense supply chain. According to the DoD CIO CMMC Program Office, the framework was designed to verify that contractors adequately protect sensitive information, shifting the model from self-attestation toward independent verification.
“The suspension of Phase 2 should not be read as a reduction in cybersecurity expectations,” said an iQuasar spokesperson. “Contractors should keep strengthening their security posture and stay aligned with NIST SP 800-171 Revision 2 while the Department finalizes its next steps.”
What This Means for Federal Contractors
Although the implementation timeline has changed, cybersecurity remains a strategic priority for the federal government. Contractors pursuing Department of Defense opportunities should continue preparing for future compliance obligations and maintaining security controls that support the protection of sensitive information.
Organizations currently working toward CMMC readiness should continue focusing on:
- Alignment with NIST SP 800-171 requirements
- Multi-factor authentication (MFA)
- Access control and identity management
- Security awareness training
- Incident response planning
- Continuous monitoring and vulnerability management
- System Security Plans (SSPs)
- Plans of Action and Milestones (POA&Ms)
The review period may ultimately lead to modifications in assessment requirements, certification methodologies, or implementation timelines. However, cybersecurity readiness will remain a critical factor in protecting government information and maintaining competitiveness in the federal marketplace.
Federal contractors should closely monitor updates from the Department of Defense Chief Information Office (DoD CIO) and trusted government contracting news sources as additional information becomes available.
Conclusion
The CMMC Phase 2 suspension buys the Defense Industrial Base time, not a pass. Phase 1 obligations still apply, existing DFARS data-protection requirements are unchanged, and the standards contractors need today are the same ones that will underpin whatever the program becomes. Companies that treat this pause as an opportunity to close gaps, rather than a reason to stall, will be best positioned when the requirements return.
iQuasar helps government contractors assess their current cybersecurity posture, map gaps against NIST SP 800-171 Rev. 2, and build assessment-ready documentation, so a shift in timeline never becomes a change in eligibility.
To review your readiness or talk through what the CMMC changes mean for your business, contact iQuasar’s team for a tailored discussion of your compliance and growth goals.





