Department of War Pauses CMMC Phase II Implementation & Launches 60-Day Program Review - Steptoe
The Department of War has paused CMMC Phase II implementation and initiated a 60-day program review, delaying mandatory cybersecurity certification for defense contractors.
Aforeworn detected this change in the Government Contracting (SAM/FAR) space on July 14, 2026 and published this briefing so affected operators are forewarned rather than caught off guard. It is rated High urgency. Defense contractors, small businesses with set-asides, GSA schedule holders, federal grant recipients should confirm how it applies to their specific situation before acting. There is a time constraint attached: Within 60 days (review period ends approximately 60 days from announcement date). Acting after that point can mean penalties, a lapsed licence, or lost eligibility — exactly the kind of surprise Aforeworn exists to prevent. Aforeworn monitors Government Contracting (SAM/FAR) continuously and turns every detected change into a plain-English briefing like this one, so you always know first. Forewarned is forearmed.
What changed
CMMC Phase II implementation is paused; a 60-day review is underway, potentially altering certification requirements and timelines.
Who it affects
Defense contractors, small businesses with set-asides, GSA schedule holders, federal grant recipients
What you must do
Monitor the review outcomes and prepare for possible changes; do not halt current cybersecurity efforts but avoid new investments solely for CMMC Phase II until clarity emerges.
Deadline
Within 60 days (review period ends approximately 60 days from announcement date)
Never miss a change like this again
Aforeworn watches Government Contracting (SAM/FAR) around the clock and alerts you the moment a rule moves — with a plain-English brief on what to do.
Start your free trialRelated changes in Government Contracting (SAM/FAR)
- Revolutionary FAR Overhaul: FAR Council Proposes to Make Agency-Level Bid Protests a More Attractive Forum - The National Law Review
- Pentagon suspends CMMC Phase II requirements. - N2K CyberWire
- DoW Suspends CMMC Phase II — NIST SP 800-171 Self-Assessment Becomes the Interim Standard, With Rising False Claims Act Exposure - Hunton Andrews Kurth LLP
- US-CONGRESS HR872: Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025
- Department of War suspends CMMC Phase II, launches 60-day review to reduce compliance burden on defense contractors - Industrial Cyber