Department of War Suspends CMMC Phase 2 Implementation
The Department of War (DoW) has just announced that it is suspending implementation of Phase II of the Cybersecurity Maturity Model Certification (CMMC) program, which had been scheduled to take effect on November 10, 2026. The Department will instead conduct a comprehensive review of the program to ensure cybersecurity requirements continue to protect sensitive government information while reducing unnecessary barriers for companies supporting the Defense Industrial Base (DIB).
The decision follows concerns from defense contractors that the current Phase II requirements would create significant financial and administrative challenges, particularly for small businesses. According to estimates cited by the U.S. Small Business Administration, compliance costs could reach nearly $594,000 for contractors requiring a third-party assessment and approximately $389,000 for those eligible to perform a self-assessment. With more than 120,000 small businesses expected to be impacted and a limited number of approved assessors available, many organizations expressed deep concern that certification timelines and costs could delay contract opportunities and reduce competition within the defense supply chain.
While Phase II implementation has been paused, cybersecurity compliance remains a critical priority for Department of War contractors. Organizations should continue strengthening their cybersecurity practices and stay informed as the Department evaluates potential updates to the CMMC framework. ReliAscent will continue monitoring developments and provide updates as additional guidance becomes available.