Department of War Suspends CMMC Phase II: What Defense Suppliers Need to Do Next

Posted By: Tom Morrison Community,

In a major policy shift affecting thousands of manufacturers across the Defense Industrial Base, the U.S. Department of War recently announced it is immediately suspending Phase II of the Cybersecurity Maturity Model Certification (CMMC) program and launching a comprehensive 60-day review of its implementation.

The decision pauses the mandatory third-party cybersecurity certification requirements that were scheduled to begin on November 10, 2026, providing welcome relief for many manufacturers that were preparing for costly and time-consuming C3PAO assessments.

For many MTI Members serving aerospace and defense customers, the announcement offers additional flexibility, but not an excuse to slow cybersecurity efforts.

According to Nick Espinosa, CEO of Security Fanatics and MTI's Official Cybersecurity Advisor, the announcement should be viewed as an opportunity to strengthen cybersecurity programs…not abandon them.

A Pause…Not a Cancellation

"The immediate pressure to complete a third-party C3PAO audit has been reduced," said Espinosa. "However, this pause does not cancel CMMC, and it does not remove the underlying cybersecurity obligations for companies handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)."

The Department emphasized that cybersecurity remains a national security priority. The review is focused on how contractors demonstrate compliance, not whether cybersecurity requirements continue to exist.

Officials cited concerns that the current Phase II rollout was creating excessive costs, administrative burdens, and barriers to entry, particularly for small and medium-sized manufacturers that form a critical part of the U.S. defense industrial base. The Department concluded these burdens were discouraging innovation, reducing competition, and slowing the delivery of military capabilities.

To address these concerns, the Department has established a CMMC Reform Task Force that will work with industry over the next 60 days to recommend a more practical and scalable cybersecurity framework.

What Has Changed?

The Department's announcement provides several important takeaways:

  • Phase II is suspended immediately. Mandatory third-party CMMC certifications scheduled to begin in November 2026 are on hold.
  • Phase I remains in effect. Organizations must continue completing required Level 1 and Level 2 self-assessments where applicable.
  • Cybersecurity obligations remain unchanged. Existing DFARS requirements, including protection of Controlled Unclassified Information (CUI), incident reporting, cloud security requirements, and subcontractor flow-down responsibilities, continue to apply.

"The smartest path is to treat this as breathing room, not a reason to stop," Espinosa explained.

What Should Manufacturers Do Now?

While companies may have more time before a third-party certification becomes mandatory, the underlying expectation to protect sensitive government information has not changed.

Espinosa recommends that manufacturers continue to:

  • Implement the NIST SP 800-171 security requirements if they handle Controlled Unclassified Information.
  • Maintain accurate System Security Plans (SSPs), documentation, and objective evidence supporting compliance.
  • Continue submitting and maintaining accurate SPRS scores and required annual affirmations.
  • Close identified cybersecurity gaps and continue strengthening internal security controls.
  • Evaluate planned third-party C3PAO assessments based on existing contracts, prime contractor requirements, and upcoming business opportunities.

"Organizations should continue building and documenting a compliant environment while reassessing whether a formal third-party audit is immediately necessary based on their contracts and future opportunities," Espinosa said.

Frequently Asked Questions

Following the Department's announcement, several questions have emerged from defense suppliers.

Is CMMC canceled?

No. The Department has paused the next phase of implementation, but Phase I self-assessment requirements remain in place.

Do companies still need to implement NIST SP 800-171?

Yes. Any organization handling Controlled Unclassified Information under Department of War contracts must continue implementing these security requirements through existing DFARS clauses.

Should companies continue maintaining their SPRS scores?

Absolutely. Organizations should continue maintaining accurate self-assessments, SPRS submissions, and annual affirmations. Inaccurate self-attestation could create both contractual and legal risk.

Should companies cancel scheduled C3PAO assessments?

Not necessarily. Espinosa recommends evaluating each situation individually. If a third-party certification is required by a customer, prime contractor, or upcoming contract opportunity, it may still make sense to proceed. In other cases, organizations may choose to postpone the audit or convert it into a readiness assessment.

Good News for Heat Treaters

One of the most significant aspects of the Department's announcement is its recognition that compliance costs were placing an increasing burden on smaller manufacturers.

Many MTI Member companies had expressed concerns about the expense, complexity, and time required to achieve third-party certification. By pausing Phase II, the Department hopes to develop a more balanced approach that maintains strong cybersecurity protections while reducing unnecessary burdens that limit competition and innovation.

If successful, the revised framework could make cybersecurity compliance more practical for smaller manufacturers while continuing to protect sensitive defense information.

MTI's Recommendation

MTI encourages Members to use this additional time wisely.

Rather than viewing the announcement as a reason to delay cybersecurity initiatives, companies should use the pause to improve documentation, remediate vulnerabilities, strengthen employee awareness, and build a more mature cybersecurity program.

As Espinosa summarized, "You may have more time before a third-party audit becomes mandatory, but you still need to be able to truthfully demonstrate that you are protecting Controlled Unclassified Information."

MTI will continue monitoring the Department's 60-day review through its partnership with Security Fanatics and Nick Espinosa. As additional guidance becomes available, Members will receive timely updates on what the changes mean and how they should prepare.

While the certification process may evolve, one thing remains unchanged: cybersecurity is now a fundamental business requirement for manufacturers serving the defense industry. Companies that continue investing in strong cybersecurity practices today will be better positioned to protect their customers, compete for future contracts, and navigate whatever the next version of CMMC ultimately becomes.

CLICK HERE to read the full notice from the Department of War.

If you have any questions, you can contact Nick Espinosa from Security Fanatics at nick@securityfanatics.com.