Articles 3 min read

CMMC News: DoD Suspends Phase II Requirements: What Changes and What Doesn’t

Organizations following the latest CMMC news should be aware that on July 13, 2026, the Department of Defense (DoD) announced the immediate suspension of CMMC Phase II requirements, which had been scheduled to take effect on November 10, 2026. While the certification timeline has changed, Phase I self-assessment requirements remain fully in place.

The DoD is launching a 60-day, top-to-bottom review of the entire Cybersecurity Maturity Model Certification program to align it with Secretary Pete Hegseth’s Acquisition Transformation System (ATS), which prioritizes speed to capability, lower barriers for small, medium, and non-traditional businesses, and scalable security over bureaucratic compliance. CIO Kirsten A. Davies framed the move as removing “paralyzing costs” and “red tape” that — per recent SBA data cited in the release — have been driving innovative companies out of the Defense Industrial Base (DIB) and delaying delivery of capabilities to warfighters.

What This CMMC Update Means

Critically, the suspension does not relax the underlying obligation to protect federal data. During the interim period, the Department will enforce cybersecurity compliance against the NIST SP 800-171 Rev 2 standard through self-assessments and select government-led assessments, focusing on tangible cyber hygiene rather than administrative overhead.

All defense contractors and subcontractors remain contractually bound to safeguard covered defense information under DFARS clause 252.204-7012. A newly established CMMC Reform Task Force will synthesize industry feedback gathered through a public Request for Information (RFI) and deliver a final report to the DoD CIO within 60 days.

Key Takeaway

While the certification timeline has changed, organizations should view this as a procedural pause – not a reduction in cybersecurity expectations.

What Organizations Should Do Now

While this CMMC update changes the certification timeline, it does not reduce organizations’ cybersecurity responsibilities.

While the CMMC Phase II implementation timeline may change, organizations should not view this announcement as a reason to pause cybersecurity efforts. The underlying requirements to protect sensitive defense information remain in place, and maintaining progress now will position your organization to respond quickly once updated CMMC guidance is released.

Whether your organization is evaluating its current readiness, addressing gaps or preparing for future certification requirements, Withum’s Cybersecurity Services Team can help you understand your obligations, identify gaps and prepare for what’s next.

Withum plus signs.

Have Questions or Need Guidance?

For more information on this topic, please contact a member of our team.

Contact Us

Related Insights

Read more
robot hand clicking on cybersecurity icon
Navigating AI Security: Challenges and Best Practices

Artificial intelligence has moved from experiment to everyday business tool. As organizations accelerate AI adoption, AI security has become just as important as innovation. Employees now draft communications, analyze data and even write software with AI assistants — often faster than leadership can put guardrails in place. That speed is a genuine competitive advantage, but…

Read more
Innovative research in healthcare with advanced digital technology showcasing a global perspective
Audits, Fines and Ransomware: The High Cost of ‘Good Enough’ IT in Healthcare

Healthcare organizations operate in a complex environment; stakes are high and there is no margin for error. Cybersecurity in healthcare is no longer just an IT concern – it directly impacts patient safety, regulatory compliance, and day-to-day operations. Protecting sensitive patient data, ensuring regulatory compliance, and supporting continuous care have never been more important.   When organizations settle for “good enough” IT solutions (systems and support/delivery) that merely meet minimum standards, they open…

Read more
cybersecurity digital lock with the year 2026.
Q1 2026 Cybersecurity Trends and Analysis: The Convergence of Social Engineering, Supply‑Chain Risk and Platform Trust Erosion

The first quarter of 2026 has made one thing abundantly clear: attackers are no longer “breaking in” — they’re logging in, redirecting, impersonating and exploiting trust at every layer of the digital ecosystem. From app store impersonation kits to nation state account hijacking to regulatory decisions that may unintentionally weaken home network security, Q1 has…