On July 13, 2026, the U.S. Department of War (DoW) announced a temporary suspension of the implementation of Phase II of the Cybersecurity Maturity Model Certification (CMMC) program. This phase was set to take effect on November 10, 2026. The suspension applies for a period of at least 60 days.
As a reminder, Phase II provided that, starting November 10, 2026, a CMMC Level 2 certification issued by an accredited third party (C3PAO) would be required for U.S. defence contracts.
The DoW indicates that the current certification process has proven too heavy and too costly. Among the reasons cited: a significant bureaucratic burden, a number of accredited auditors (C3PAOs) that falls well short of the number of companies to be certified, and costs that are difficult to absorb or justify for small subcontractors.
Over the coming weeks, the DoW will conduct a review of the program in order to reassess the certification process, reduce the administrative burden, and better align it with its priorities.
Official source: https://dodcio.defense.gov/cmmc/Resources-Documentation/
To date, only the requirement to obtain a CMMC Level 2 certification performed by a C3PAO is temporarily suspended, for a period of at least 60 days. All other requirements remain in force and unchanged:
One point deserves particular attention: any inaccurate information provided during a self-assessment, for example an erroneous SPRS score, could be interpreted by the DoW as an attempt at fraud. The organizations concerned would expose themselves to consequences under the False Claims Act.
At this stage, continuing efforts toward CMMC and NIST SP 800-171 Rev.2 compliance remains the most prudent course for any organization that handles CUI.
Work already undertaken retains its full value. Implementing security controls, drafting policies and procedures, developing the System Security Plan (SSP), and collecting evidence will continue to strengthen your cybersecurity posture, regardless of the adjustments made to the program.
The DoW will continue to require organizations to demonstrate an appropriate level of compliance with the applicable requirements. Maintaining compliance with the 110 NIST SP 800-171 Rev.2 controls, where they apply, therefore remains essential. This suspension targets the third-party certification mechanism, not the underlying security standard.
The CMMC program is entering a review period whose conclusions are not yet known. StreamScan is following the file closely and will publish updates as the DoW clarifies its direction and final decisions.
To discuss the impact of this announcement on a CMMC compliance project, contact our team.