THE US Department of Defense (DoD) announced the suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, initially scheduled for implementation on November 10, 2026. This decision comes as the DoD aims to review the program to foster innovation within the defense industrial base (DIB). CMMC was designed to improve cybersecurity for contractors managing sensitive federal information, shifting from self-attestations to mandatory third-party assessments.
However, the DoD cited prohibitive compliance costs and bureaucratic burdens that hindered companies' participation. A CMMC Reform Task Force will conduct a 60-day review to align the program with new strategic objectives, while interim compliance with NIST SP 800-171 will continue through self-assessments and select government evaluations. Experts have urged contractors to maintain compliance efforts despite the suspension, emphasizing the importance of cybersecurity readiness.