skip to main content
UHY US
UHY header-overlay
Department of War Suspends CMMC Phase II Requirements

07/14/26

News

Department of War Suspends CMMC Phase II Requirements3 Min Read

Key Takeaways
  • The Department of War suspended CMMC Phase II third-party certification requirements while it conducts a 60-day review of the program.
  • Phase I self-assessments, NIST SP 800-171 controls, DFARS obligations and annual SPRS score affirmations remain in effect.
  • Organizations should use the delay to close security gaps, strengthen documentation and prepare for the revised CMMC framework.

 

Understanding the impact of the CMMC Phase II suspension

Effective July 13, 2026, the Department of War (DOW) suspended the Phase II requirements of the Cybersecurity Maturity Model Certification (CMMC), which was scheduled to be in effect on November 10, 2026. But as many companies breathe a sigh of relief, it's important to understand what requirements are still in effect and what your next steps are.

The Phase II rollout requiring mandatory third-party certification (by a certified third-party assessor organization) have been suspended while the Department conducts a 60-day comprehensive review of the program and considers potential reforms. This review will recommend measures to remove barriers to entry for small and mid-sized businesses and encourage innovation, while maintaining a strict security baseline.

Phase 1 self-assessment requirements remain in effect

Organizations supporting the Defense Industrial Base (DIB) are still expected to implement and maintain the required cybersecurity controls, including compliance with NIST SP 800-171 Rev 2 and DFARS clause 252.204-7012. This includes assessing your Supplier Performance Risk System (SPRS) score against NIST SP 800-171 Rev 2 and annually affirming the score is accurate.

Protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) remains a contractual and operational requirement. This is  a pause on  one aspect of the certification rollout, not cybersecurity.

Use the delay to prepare for future CMMC requirements

Use this time wisely. Based on your contractual requirements, perform a readiness assessment and conduct a CMMC Level 1 and/or CMMC Level 2 self-assessment, ensuring you have the documentation to support your organization's score.

In addition, continue strengthening your security program, addressing gaps, and preparing for future CMMC requirements, whatever form they ultimately take. Being ready will put your organization in the best position when the revised framework is announced.

Turn the Phase II delay into readiness advantage

The UHY Technology Risk & Compliance team is actively helping organizations assess their readiness, implement NIST SP 800-171 security requirements, and prepare for future CMMC expectations. Connect with our team to understand how the Phase II suspension affects your organization and identify the steps you should take now to strengthen compliance and reduce future certification risk.

Share this article

Contact Our Technology, Risk & Compliance Team

Complete this form to connect with our team to understand how the Phase II suspension affects your organization.

By submitting this form, you agree to be contacted by UHY. 

Author

KIMBERLY ANDERSON

KIMBERLY ANDERSON

Managing Director, UHY Advisors

Kimberly Anderson has over 20 years of information technology consulting, developing business continuity strategies and disaster recovery solutions. She provides audit, attest, consulting, and compliance services for clients and performs System and Organization Controls (SOC) readiness assessments and attestations, including SOC 1®, SOC 2® and SOC 3®.

Join Our Mailing List

Sign Up Now
Uhy Logo

You are leaving UHY website to visit a site not hosted by UHY. Please review the third-party’s privacy policy, accessibility policy, and terms. UHY is not responsible for the content provided by third-party sites.