Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Five Charged in “Russian Coms” Fraud Platform Case

July 14, 2026

Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes

July 14, 2026

Pentagon Suspends CMMC Phase II Requirements for Defense Contractors

July 14, 2026
Facebook X (Twitter) Instagram
Wednesday, July 15
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Pentagon Suspends CMMC Phase II Requirements for Defense Contractors
News

Pentagon Suspends CMMC Phase II Requirements for Defense Contractors

Team-CWDBy Team-CWDJuly 14, 2026No Comments4 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


The US Department of Defense (DoD) has suspended the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements until it reviews the program to allow for more innovation in the US defense industrial base (DIB).

Originally scheduled to come into effect on November 10, 2026, the requirements corresponded to the second stage of the DoD’s phased rollout for the CMMC, a program designed to enhance cyber hygiene for US defense contractors and subcontractors handling federal contract information (FCI) and controlled unclassified information (CUI) for the DoD – also known as the Department of War (DoW).

While the first phase (CMMC Phase I) allowed companies to self-report their cybersecurity compliance levels, this second phase would have required contractors that work with the military and handle sensitive information to have this checked by an outside company.

Specifically, CMMC Phase II requirements were designed to transition US defense contractors handling CUI from basic self-attestations to mandatory, independent assessments led by Certified Third-Party Assessment Organizations (C3PAOs) to verify compliance with the 110 security controls referred to in NIST SP 800-171, a standard published by the US National Institute of Standards and Technology (NIST).

The DoD previously estimated that between 220,000 and 300,000 companies participate in the DIB, with roughly 80,000 that were expected to require CMMC Phase II.

A CyberSheath report published in October 2025 revealed that only 1% of defense contractors felt fully prepared for CMMC Phase II audits.

Furthermore, Phase II was supposed to be followed by a third and a fourth phase, scheduled to be completed in November 2027 and November 2028, respectively.

Phase III was to introduce level 3 audits, led directly by the DoD, for contracts with the most sensitive data, while Phase IV would have meant all DoD contractors and subcontractors would need full CMMC compliance. 

CMMC Has Created “Bureaucratic Burdens” for the DIB

To justify the suspension of CMMC Phase II, the DoD argued in its July 13 statement that the program has “created prohibitive compliance costs and bureaucratic burdens” instead of enhancing cybersecurity for DIB firms.

“Recent data, including reports from the Small Business Administration (SBA), confirmed that CMMC compliance is forcing innovative companies out of the DIB which will delay the delivery of critical capabilities to the warfighters,” said the Department.

Therefore, the DoD will establish a ‘CMMC Reform Task Force’ to conduct a 60-day, top-to-bottom review of the program to ensure that it is aligned with the Secretary of War Pete Hegseth’s acquisition transformation system (ATS) strategy.

This includes directives lowering barriers for small, medium and non-traditional businesses and “replacing bureaucratic compliance with scalable, resilient cybersecurity measures.”

“Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness. We believe the DIB can achieve both, while we reduce unnecessary government red tape,” said the Department’s CIO, A. Davies, who will be responsible for putting together the task force.

During the interim period, the DoD said it will enforce cybersecurity compliance with the NIST SP 800-171 Rev 2 standard through self-assessments and select government-led assessments, “focusing on tangible cyber hygiene rather than administrative overhead.”

Experts Warn Against Abandoning CMMC Compliance Efforts

Following the announcement, some security compliance experts shared their interpretation for the sudden suspension.

Dave Schroeder, director of National Security Initiatives at the University of Wisconsin Madison, said on LinkedIn that because CMMC is a program to prove a firm’s compliance with NIST 800-171 and DFARS 252.204-7012, the reason behind the recent DoD is likely due to not enough contractors being ready to comply with CMMC Phase II by Nov 10.

Nelina Varenas, director and a founding member of the KDM Consortium, emphasized in a LinkedIn article published on July 14 that contractors should not interpret the delay as an opportunity to abandon their compliance efforts.

“First, as the DoD announcement stated, all CMMC Level 1 self-assessment requirements remain in place,” Varenas noted.

She urged concerned organizations not to abandon their compliance efforts, warning that the delay should not be misinterpreted as a relaxation of standards. Instead, she advised the suspension should be viewed as valuable breathing room to ensure cybersecurity practices are implemented correctly and thoroughly before potential future enforcement resumes.

The future of CMMC remains uncertain, but Varenas cautioned, “This is not the time to step back; it’s the time to ensure compliance is done right.”



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleUbiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS
Next Article Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes
Team-CWD
  • Website

Related Posts

News

Five Charged in “Russian Coms” Fraud Platform Case

July 14, 2026
News

Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes

July 14, 2026
News

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

July 14, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Beware of Winter Olympics scams and other cyberthreats

February 2, 2026

Why the tech industry needs to stand firm on preserving end-to-end encryption

September 12, 2025

What to consider before asking an AI chatbot for health advice

May 27, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.