On July 13, 2026, the Department of War announced the immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which was originally scheduled for November 10, 2026. All Phase I self-assessment requirements remain firmly in place. The Department will begin a comprehensive review of CMMC aimed at aligning with the Secretary of War Pete Hegseth’s Acquisition Transformation System (ATS) directives prioritizing speed to capability, lowering barriers for small, medium, and non-traditional businesses, and replacing bureaucratic compliance with scalable, resilient cybersecurity measures.

About CMMC

Cybersecurity is a top priority for the Department of War (DoW). The defense industrial base (DIB) faces increasingly frequent and complex cyber-attacks. On July 13, 2026 the DoW suspended the implementation of Phase II of the CMMC and established a CMMC reform task force. During this period the DoW will enforce cybersecurity compliance with NIST 800-171 Rev 2 through self-assessments and select government-led assessments.

Overview of the CMMC Program

The CMMC Program aligns with the Department’s existing information safeguarding requirements for the DIB.

Key features of the CMMC Program:

  • Tiered Model: CMMC assesses compliance with cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the FCI or CUI. The program also outlines protection requirements for information flowed down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the Department to verify DIB implementation of foundational cybersecurity standards.
  • Implementation through Contracts: DoW contractors and subcontractors entrusted with FCI or CUI must achieve a specific CMMC level as a condition of contract award.

Protected Information

The CMMC model is designed to enforce the protection of FCI and CUI.

  • Federal Contract Information (FCI): As defined in section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
  • Controlled Unclassified Information (CUI): As outlined in Title 32 CFR 2002.4(h), CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” For more information regarding specific CUI categories and subcategories, see the DoW CUI Registry website.

Overview of Assessments

The CMMC Program is paused in Phase 1 and may only require self-assessments at two levels.

Level 1: Basic Safeguarding of FCI

  • Requirements: Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.

Level 2: Broad Protection of CUI

  • Requirements:
    1. A self-assessment every three years, with annual affirmation of compliance with the 110 security requirements in NIST SP 800-171 Revision 2.

 

CMMC Status Source & Number of Security Reqts. Assessment Reqts. Plan of Action & Milestones (POA&M) Reqts. Affirmation Reqts.
Level 1
(Self)
  • 15 required by FAR clause 52.204-21
  • Conducted by Organization Seeking Assessment (OSA) annually
  • Results entered into the Supplier Performance Risk System (SPRS)
  • Not permitted
  • After each assessment
  • Entered into SPRS
Level 2
(Self)
  • Conducted by OSA every 3 years
  • Results entered into SPRS
  • CMMC Status will be valid for three years from the CMMC Status Date as defined in § 170.4
  • Permitted as defined in 32 CFR § 170.21(a)(2) and must be closed out within 180 days
  • Final CMMC Status will be valid for three years from the Conditional CMMC Status Date
  • After each assessment and annually thereafter
  • Assessment will lapse upon failure to annually affirm
  • Entered into SPRS

 

CMMC Post-Assessment Remediation: Plans of Actions and Milestones

The CMMC Program allows limited use of Plans of Action and Milestones (POA&Ms).

  • Level 1: POA&Ms are not permitted.
  • Level 2 Self-Assessment: The POA&M closeout self-assessment shall be performed by the OSA in the same manner as the initial self-assessment.

CMMC Implementation

The first phase of CMMC implementation began on November 10, 2025 and CMMC implementation is paused in Phase 1. This action does not eliminate the requirement for companies to protect information in accordance with DFARS clause 252.204-7012.