Client Alerts & Publications
DoD Suspends Rollout of CMMC Program
Authors: Richard J. “RJ” Pinto II, Steven Weber,
Published Date: July 14, 2026
Citing prohibitive compliance costs and bureaucratic burdens, on July 13, 2026, the DoD announced the immediate suspension of the rollout of its Cybersecurity Maturity Model Certification (CMMC) program and the implementation of Phase 2, which was scheduled to begin on November 10, 2026. Effective immediately:
- As a condition of contract award, procuring agencies may only require a contractor to hold a status of CMMC Level 1 (Self) or Level 2 (Self). Any requirement for a status of Level 2 (C3PAO) or Level 3 (DIBCAC) is suspended until further notice, as is the implementation of Phase 2 of the CMMC program.
- If a current solicitation or contract includes a requirement for Level 2 (C3PAO) or Level 3 (DIBCAC), the procuring agency must initiate a solicitation amendment or contract modification removing such requirement as soon as practicable.
- Over the next 60 days, the DoD’s Chief Information Officer intends to review and reform the CMMC program to ensure the Defense Industrial Base remains secure without imposing significant burden on businesses.
- Contractors must continue to comply with the cybersecurity requirements set forth in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which remain in effect.
It is anticipated that further guidance will be provided at the conclusion of the DoD’s 60-day review. If you have any questions, please feel free to reach out to RJ Pinto at rpinto@pecklaw.com or Steven Weber at sweber@pecklaw.com.