On July 13, 2026, the Department of War (DOW) announced that it would suspend the November 10 deadline to transition to the Phase 2 requirements of the Cybersecurity Maturity Model Certification (CMMC) program. Phase 2 was set to begin on November 10, 2026, one year after CMMC Phase 1 began. However, it is vital for contractors to understand exactly what this suspension means and what it does not mean for their compliance obligations.
CMMC Phase 1, which is still in effect and is not impacted by the pause, requires contractors to self-certify their compliance with NIST SP 800-171 Rev. 2 through the Supplier Performance Risk System (SPRS). Phase 2 requires contractors to obtain assessments from Certified Third-Party Assessment Organizations (CPAOs).
The DOW’s announcement that Phase 2 would be temporarily suspended was met with praise from the Small Business Administration (SBA), which emphasized the significant costs that have been placed on defense contractors to comply with CMMC. Specifically, SBA estimates that each CMMC Phase 2 third-party certification can cost small contractors almost $600,000 and roughly $388,600 for a Phase 1 self-assessment. According to SBA, these increased costs were causing firms to refrain or consider refraining from pursuing defense contracts, which is at odds with the DOW’s stated goals of expanding the Defense Industrial Base and establishing the Acquisition Transformation System (ATS).
Also recognizing the significant costs of compliance, the Senate Armed Services Committee recently advanced the FY2027 NDAA, which if passed into law, would provide maximum grants of $100,000 to DOW contractors to offset direct costs associated with obtaining CMMC Level 2 certification from a third-party assessment.
After receiving feedback that CMMC-induced compliance costs were impeding the streamlining of production and delivery of critical systems for the military, the DOW elected to conduct a full review of the program before requiring contractors to move into Phase 2.
What Has Changed
The DOW suspension means that, for now, contractors will not be required to transition to CMMC Phase 2 as planned on November 10, 2026. The DOW has created a CMMC Reform Task Force to conduct a top-to-bottom 60-day review of the CMMC program and has been charged with “redesigning our supply chain cybersecurity approach to strictly align with the Secretary of War’s ATS directives.” Until further guidance is promulgated, it is unclear exactly what the CMMC Reform Task Force will recommend and what the impact on the CMMC program will be.
What Has Not Changed
Most importantly, CMMC Phase 1 and DFARS 252.204-7012 are still in effect. Contractors who store, process, or transmit Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on their systems are still required to self-certify their compliance with the NIST cybersecurity standards laid out in 32 C.F.R. § 170.2. The self-assessment requirement is critical because it means that exposure to liability under the False Claims Act (FCA) still exists. When contractors attest to their cybersecurity compliance score in SPRS, that attestation can form the basis of an FCA action if it is later discovered that the contractor did not actually implement the NIST SP 800-171 Rev. 2 standards, even if there is no cybersecurity incident or data breach. The suspension also has no impact on the Defense Industrial Base Cybersecurity Assessment Center’s (DIBCAC) authority to audit any contractor’s cybersecurity compliance.
DFARS 252.204-7012 also remains in place, as it has for nearly 10 years now. This contract clause requires contractors to comply with the NIST SP 800-171 Rev. 2 standards, which opens up contractors to additional liability for breach of contract if those standards are not met. The clause also imposes an obligation on contractors to report cyber incidents to the Government within 72 hours of discovering them. All of those obligations remain in place.
Lastly, contractors should keep in mind that a suspension is not a rescission. The entire CMMC rule, which became effective last year, is still in place. Notably, the review by the CMMC Reform Task Force is expected to be complete by September 11, 2026, roughly two months before CMMC Phase 2 was planned to begin. Therefore, it is entirely possible that after the 60-day period, the suspension could be lifted and CMMC Phase 2 could still begin on November 10, 2026, even if it is a modified version. The best practice for defense contractors would be to continue reviewing their implementation of applicable NIST controls and preparing for C3PAO assessments in the near future.
Key Takeaways
- All of the obligations of CMMC Phase 1 and DFARS 252.204-7012 remain in place, which means that the NIST SP 800-171 Rev. 2 controls are still applicable and FCA liability for non-compliance is on the table.
- The suspension also does not guarantee that the CMMC is going to change significantly. The Government has devoted substantial resources to improving cybersecurity standards for the Defense Industrial Base and the continued enforcement of those standards through FCA prosecutions only suggests that the CMMC program is here to stay, even if it is in a modified form.
- Contractors should keep an eye out for further DOW guidance and requests for feedback on the CMMC program in the coming months and expect an update after the report from the CMMC Reform Task Force is completed.
Womble Bond Dickinson’s Government Contracting and Privacy and Security teams have a highly talented team of lawyers who have extensive experience assisting federal contractors with their cyber security compliance and reporting needs, including the analysis of applicable regulations, handling cyber security incidents, addressing voluntary and mandatory disclosures, and government contracts disputes. If you have any questions about this client alert or federal contract cybersecurity requirements, please contact the authors or your regular Womble Bond Dickinson attorney.

/Passle/6878183c1547331efeed13be/SearchServiceImages/2026-07-15-13-39-17-604-6a578d855b77ac71bbc79e58.jpg)
/Passle/6878183c1547331efeed13be/SearchServiceImages/2026-07-08-13-49-13-579-6a4e5559da24724bd1f35a73.jpg)
/Passle/6878183c1547331efeed13be/SearchServiceImages/2026-07-06-18-22-30-019-6a4bf2665c05f02be1d4f87f.jpg)