DoW Suspends the Nov 10, 2026 CMMC Phase 2 Deadline: What Government Contractors Need to Know
Authors
Bret S. Wacker , J. Chris White , Colleen Jarrott , Ronald D. Sullivan , Gabrielle Long
The Department of War (“DoW”) has put an immediate hold on the next phase of Cybersecurity Maturity Model Certification (“CMMC”) implementation. On July 13, 2026, DoW Chief Information Officer Kirsten Davies and Under Secretary of Defense for Acquisition and Sustainment Michael Duffey announced the suspension of CMMC Phase 2, which had been set to make Level 2 certification by a Certified Third-Party Assessment Organization (“C3PAO”) the default condition of award for many covered contracts beginning November 10, 2026. A newly formed CMMC Reform Task Force—drawing on representatives from DoW’s CIO office, Acquisition and Sustainment, Research and Engineering, Legislative Affairs, Public Affairs, and Legal—is expected to review the program and report findings within 60 days.
Why This Matters
DoW officials cited cost and assessor capacity as their major concerns for moving the deadline. Internal estimates indicated that compliance with the next CMMC phases could collectively cost small and mid-sized businesses over $7 billion annually and with only about 100 accredited C3PAO assessors available to serve more than 100,000 companies in the defense industrial base a major log jams are inevitable. Davies summarized the mismatch directly, telling reporters that “the math just simply doesn’t math” for small and mid-sized businesses to reach compliance by the transition date. Duffey framed the pause as an effort to keep companies in the industrial base rather than forcing them out at a time when the Pentagon needs their capabilities.
Notably, DoW officials did not rule out the possibility that the CMMC program could be cancelled altogether once the review period concludes. A public request for information (“RFI”) is expected, giving contractors a direct channel to provide feedback that will inform the task force’s recommendations.
What is and is Not Changing
- CMMC Phase 2—the C3PAO Level 2 assessment requirement that was to become a condition of award on November 10, 2026—is paused pending the task force review.
- DoW will continue to enforce cybersecurity compliance during this interim period through NIST SP 800-171 Revision 2 self-assessments and select government-led assessments. Contractors handling covered defense information remain responsible for DFARS 252.204-7012.
- Phase 1 self-assessment obligations that began in November 2025 are not reported as suspended.
- The CMMC Reform Task Force is due to report findings and recommendations within 60 days of its formation.
- DoW has left open the possibility of substantially revising, narrowing, or cancelling the program based on the review and RFI feedback.
Questions Contractors Should Ask Now
- Which pending solicitations, recompetes, or contract modifications had built in a CMMC Level 2/C3PAO certification requirement tied to the November 10, 2026 date?
- Have any prime contractors already imposed their own CMMC flow-down deadlines or evidence requirements independent of the DoW timeline, and do those still stand?
- What is the company’s current self-assessment posture under NIST SP 800-171 Revision 2, and is supporting documentation (SSP, POA&Ms) accurate and current?
- Should the company continue, pause, or adjust any C3PAO assessment scheduling or spend that was underway in anticipation of the November deadline?
Recommended Next Steps
- Do not treat the pause as a reason to stand down entirely—DoW has signaled that self-assessment enforcement continues and that Phase 2 could return in a revised form.
- Continue to maintain and evidence NIST SP 800-171 Revision 2 compliance, since that remains the operative standard during the interim period.
- Review contract, teaming, and subcontract language for CMMC-related representations or flow-downs that may need revisiting in light of the suspension.
- Track the CMMC Reform Task Force’s forthcoming RFI and consider submitting comments on cost, timeline, or assessor-capacity concerns.
- Reassess any C3PAO assessment contracts or vendor commitments made in anticipation of the November 10, 2026 deadline.
How Legal Counsel Can Help
The Clark Hill legal team can help contractors assess what obligations still apply during the interim period, evaluate risk in existing compliance representations, and prepare to respond quickly once the Reform Task Force issues its findings or DoW moves to reinstate, revise, or replace Phase 2. If you have questions or concerns about how the CMMC Phase 2 suspension may affect your business, contact one of these Clark Hill Government Contracts and Regulations Team attorneys:
- Bret S. Wacker (bwacker@clarkhill.com; 202.772.0906)
- Ronald D. Sullivan (rsullivan@clarkhill.com; 202.809.2235)
- Chris White (jcwhite@clarkhill.com; 517.318.3011)
- Colleen C. Jarrott (cjarrott@clarkhill.com; 202.640.6668)
- Gabrielle Long (glong@clarkhill.com; 312.701.6852)
Find these and other Government Contracts and Regulations Attorneys on our website.
Subscribe to receive future Clark Hill alerts directly to your inbox.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author(s) only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.