By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
What Defense Contractors Need to Know About the Latest CMMC Announcement
The Department of War (DoW) has announced a significant change to the Cybersecurity Maturity Model Certification (CMMC) program, suspending the planned November 10, 2026, transition to Phase 2 while it conducts a comprehensive review of the certification framework.
For defense contractors, this announcement provides relief from upcoming third-party certification deadlines, but it does not eliminate cybersecurity obligations.
What Changed?
The DoW cited concerns that the current CMMC implementation was creating unintended barriers for small, medium-sized, and non-traditional defense contractors. Specifically, officials pointed to:
- High compliance costs
- Limited availability of certified third-party assessors
- Implementation timelines that could discourage companies from participating in the Defense Industrial Base (DIB)
What Remains in Effect?
While the third-party certification timeline has been paused, cybersecurity requirements have not gone away.
The Department has made it clear that organizations should continue to:
- Complete Level 1 and Level 2 self-assessments where required
- Maintain compliance with NIST SP 800-171 Rev. 2
- Comply with DFARS 252.204-7012 safeguarding and cyber incident reporting requirements
- Participate in government-led assessments when applicable
The DoW also confirmed that existing cybersecurity support resources, including Project Spectrum, the DoW Cyber Crime Center (DC3), and the NSA Cybersecurity Collaboration Center, remain available to contractors.
A 60-Day Review is Underway
The Department has established a CMMC Reform Task Force to conduct a comprehensive 60-day review of the program.
According to the announcement, the Task Force will evaluate how to:
- Lower barriers for small and non-traditional businesses
- Improve supply chain resilience
- Reduce reliance on costly third-party compliance models
- Better align cybersecurity requirements with the Department’s Acquisition Transformation System (ATS)
The outcome of this review could significantly reshape how CMMC Level 2 requirements are implemented in the future.
What This Means for Defense Contractors
Although organizations that were preparing for a CMMC Level 2 certification may have additional time before third-party assessments become mandatory, this is not the time to pause cybersecurity efforts.
Companies that continue strengthening their cybersecurity programs will be better positioned regardless of how the revised framework evolves.
Areas that remain important include:
- Maintaining NIST SP 800-171 compliance
- Closing security gaps identified through self-assessments
- Documenting policies and procedures
- Improving technical safeguards and incident response capabilities
- Preparing for future assessment requirements, whether through self-attestation, government assessments, or a revised certification model
As additional guidance emerges from the DoW’s review, organizations should continue treating cybersecurity readiness as a business priority.
How Keiter Can Help
Keiter’s Risk Advisory & Cybersecurity team helps defense contractors:
- Assess readiness against NIST SP 800-171
- Identify and remediate compliance gaps
- Strengthen cybersecurity governance and documentation
- Prepare for evolving CMMC and DFARS requirements
- Develop practical compliance strategies that align with business operations
Questions on how these CMMC changes may impact your company’s certification process? Contact us: Email | 804.747.0000
Sources:
- Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements | U.S. Department of War
- Removing Barriers to Defense Industrial Base Expansion: Immediate Suspension and Strategic Review of Cybersecurity Maturity Model Certification Requirements | Memorandum for Senior Pentagon Leadership Commanders of the Combatant Commands Defense Agency and DoW Field Activity Directors | Federal News Network.com
About the Author
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.