The Department of War has announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which had been scheduled to take effect November 10, 2026. For many organizations, particularly smaller federal contractors, the news brings real relief. With a limited pool of authorized third-party assessors (C3PAOs) available and external audit costs running high, the Phase II certification process had become a significant barrier.
Before we dive into what this announcement means for federal contractors lets answer some basic questions: What Is CMMC, and Does It Apply to Your Organization?
CMMC is a federal cybersecurity certification framework built on top of NIST SP 800-171, a standard governing how organizations protect Controlled Unclassified Information (CUI). If your organization handles CUI as part of any federal relationship, the framework potentially applies to the contracts you bid on. That includes a construction firm working near a military installation, a manufacturer supplying government-adjacent clients, or a service provider supporting federally funded projects.
CMMC Phase I requirements remain fully in place. The federal government will enforce cybersecurity compliance with NIST SP 800-171 Rev 2 through self-assessments and select government-led assessments during the interim period. And critically, every organization that handles covered federal data remains contractually obligated to protect it under DFARS clause 252.204-7012, regardless of whether they consider themselves a defense contractor.
"Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness," said DoW CIO Kirsten A. Davies. "We believe the DIB can achieve both, while we reduce unnecessary government red tape."
The 60-Day Review & What It Means For Your Organization
The Department is establishing a CMMC Reform Task Force to conduct a comprehensive review of the certification program, with a final report due to the DoW CIO within 60 days. The task force will collect industry feedback through a public Request for Information focused on compliance challenges. Its mandate is to recommend security measures that are realistic, scalable, and less burdensome for small and non-traditional organizations, aligned with Secretary Pete Hegseth's Acquisition Transformation System framework. The goal is to maintain a strict security baseline while removing the compliance costs that have been squeezing smaller organizations out of federal work.
What comes out of this review will shape how cybersecurity requirements are written into future federal solicitations across agencies. Organizations that participate in the RFI process have a concrete opportunity to influence that outcome.
What You Should Be Doing Right Now
The suspension does not create a window to deprioritize cybersecurity. If anything, it highlights the importance of maintaining a defensible baseline posture during a period when formal certification timelines are in flux.
Self-assessments against NIST SP 800-171 Rev 2 remain active and enforceable through existing contract language for any organization handling CUI.
Protections for covered federal data under DFARS 252.204-7012 carry the same legal and contractual weight they always have, regardless of the Phase II pause.
Organizations that have not yet conducted a formal gap assessment against NIST 800-171 should treat this period as the time to do it, before any new framework requirements are finalized.
The 60-day review is short, and the resulting framework will define what federal cybersecurity compliance looks like across the board. The organizations best positioned after that review are the ones that have already built a credible, documented security program, not the ones that treated the suspension as a reason to wait.
If your organization handles federal data and you are unsure where you stand against current NIST SP 800-171 requirements, InfoPathways can help. We work with contractors across industries, including construction, manufacturing, and professional services, to build practical, right-sized cybersecurity programs that meet federal standards.
Contact us to schedule a compliance assessment before the next round of requirements takes shape.