The War Department suspended phase two requirements of the Cybersecurity Maturity Model Certification program on July 13, 2026, before their planned November implementation. The department also launched a 60-day review of CMMC requirements affecting cybersecurity, contractor participation and the defense industrial base.
Companies seeking War Department contracts must continue protecting federal information and meeting applicable phase one requirements. Department leaders said the pause is intended to address certification costs, administrative burdens and limited assessor capacity without reducing the cybersecurity obligations applying to contractors.
War Department Suspends CMMC Phase Two Requirements
The War Department said CMMC phase two requirements will not take effect as planned in November 2026. The suspension affects the next stage of a phased program created to verify that defense contractors can protect sensitive government information.
The department described the decision as a pause rather than an end to contractor cybersecurity requirements. Companies must continue complying with existing regulations governing federal contract information and controlled unclassified information.
| Indicator | Recent Movement | Context |
|---|---|---|
| CMMC phase two | Implementation suspended | The War Department paused requirements that had been scheduled to begin in November 2026. |
| Program review | 60-day task force launched | The War Department created a review and reform task force to examine the complete CMMC program. |
| Phase one | Requirements continue | The War Department said contractors must continue meeting applicable phase one cybersecurity obligations. |
| Certification capacity | Assessor shortage identified | Chief Information Officer Kirsten Davies said the available assessor workforce could not complete all expected evaluations before November. |
Phase One Cybersecurity Requirements Remain
Companies doing business with the department must continue safeguarding government information according to federal regulations. Additionally, contractors must meet applicable CMMC phase one requirements, which focus primarily on self-assessments and existing cybersecurity controls.
The War Department said cybersecurity across the defense industrial base remains a nonnegotiable priority. The practical effect is that the phase two pause removes an approaching certification stage while leaving current information-protection responsibilities in place.
Compliance Costs Raise Small Business Concerns
Kirsten Davies, the department’s chief information officer, said available data showed that current and planned CMMC requirements were creating prohibitive compliance costs and administrative burdens. She said those pressures were particularly significant for small businesses.
The U.S. Small Business Administration Office of Advocacy previously said the department had underestimated CMMC compliance costs. The War Department linked those costs to reduced contractor agility and the risk that smaller companies could leave or avoid the defense market.
Defense Industrial Base Barriers
The department said complex certification requirements can reduce the number and range of companies able to compete for defense work. Smaller firms may have fewer personnel and financial resources available for external assessments, documentation and recurring compliance activity.
- Small business costs: The War Department cited compliance expenses as a barrier for smaller defense contractors and potential suppliers.
- Market participation: Department leaders said administrative requirements could discourage startups, small manufacturers and nontraditional companies from pursuing contracts.
- Production capacity: The War Department linked broader contractor participation to its ability to expand production when military demand increases.
- Existing safeguards: Contractors remain responsible for meeting federal cybersecurity and information-protection requirements during the review.
60-Day CMMC Review Task Force Launched
The War Department created a CMMC review and reform task force with 60 days to conduct what it described as a top-to-bottom examination of the program. The review will consider certification requirements, compliance costs, contractor participation and the department’s need for visibility into industrial cybersecurity.
The task force will serve as the central point for reviewing industry responses to a public request for information. Its recommendations are expected to focus on security measures that can be applied across companies of different sizes and levels of technical capacity.
CMMC Review and Reform Process
The department said the review will use feedback from defense companies and other interested parties to identify realistic and scalable cybersecurity measures. Additionally, the task force will consider how future requirements can preserve operational resilience while reducing unnecessary barriers.
The review does not establish the final structure of a revised CMMC program. Its immediate result is a formal process through which the department can reassess requirements before proceeding with later implementation stages.
Department Links CMMC Reform to Defense Production
Michael Duffey, undersecretary of war for acquisition and sustainment, said reforming CMMC is part of placing the acquisition system on what he described as a wartime footing. He linked reduced administrative delay to the department’s need for faster industrial production.
The War Department said a broader supplier base could improve access to innovation, manufacturing capacity and specialized technology. However, the department also maintained that companies handling government information must continue meeting cybersecurity obligations.
Certification Assessor Capacity Adds Pressure
Davies said the number of department-approved assessors was not sufficient to complete all required evaluations before the planned November phase two deadline. The shortage created a practical implementation constraint in addition to concerns about cost.
The CMMC program relies on approved private-sector assessors for some certification levels. Consequently, insufficient assessor capacity could delay contractor approvals, affect eligibility for contracts and create uneven access to the defense market.
CMMC Program Faces Wider Cybersecurity Review
The CMMC program was first announced in 2020 to improve assurance that contractors and subcontractors protect sensitive government information. It combines cybersecurity requirements with assessments intended to verify that companies have implemented the controls required for the information they handle.
Phase one implementation began in November 2025 and focuses primarily on CMMC Level 1 and Level 2 self-assessments. The current pause prevents the planned expansion into phase two while the department evaluates whether the program can provide cybersecurity assurance without imposing disproportionate costs or delays.
Stakeholder Comments
Kirsten Davies, War Department Chief Information Officer said;
“I want to be clear, across the Department of War and our defense industrial base, investing in and dynamically maintaining robust cybersecurity remains a critical, nonnegotiable priority.”
“The current CMMC requirements, including the future planned requirements, are creating prohibitive compliance costs and unacceptable bureaucratic burdens, especially to small businesses.”
Michael Duffey, Undersecretary of War for Acquisition and Sustainment said;
“We cannot expect our industries to build at the speed of relevance if they are drowning in peacetime paperwork and administrative bureaucracy.”
“By pausing phase two implementation, we are keeping more companies in the DIB who would otherwise be forced out of the market at a time when we need them most.”
The suspension delays CMMC phase two while leaving existing contractor cybersecurity responsibilities and phase one requirements in place. The War Department’s 60-day task force will now assess compliance costs, assessor capacity, industry participation and possible reforms to the certification program.
Future CMMC requirements will depend on the review’s recommendations and the department’s response to industry feedback. The central question is how the program can verify cybersecurity across the defense industrial base without creating barriers that reduce contractor participation or production capacity.
Sources: War Department, War Department Chief Information Officer, U.S. Small Business Administration Office of Advocacy.
Prepared by Ivan Alexander Golden, Founder of THX News, an independent news organization delivering timely insights from global official sources.
Research combines AI-assisted analysis with human-edited accuracy and context.






