High urgency

DoW Pauses CMMC Phase 2: What Defense Contractors Need - Clark Hill

Detected July 17, 2026 · in Government Contracting (SAM/FAR)

The Department of Defense (DoD) has paused implementation of CMMC Phase 2, delaying mandatory cybersecurity certification requirements for defense contractors. This pause affects contractors preparing for CMMC assessments and those relying on CMMC compliance for contract awards.

Aforeworn detected this change in the Government Contracting (SAM/FAR) space on July 17, 2026 and published this briefing so affected operators are forewarned rather than caught off guard. It is rated High urgency. Defense contractors, especially those in the defense industrial base, small businesses with set-asides, and GSA schedule holders who handle controlled unclassified information (CUI). should confirm how it applies to their specific situation before acting. There is a time constraint attached: Ongoing; no new deadline for CMMC certification, but existing compliance deadlines for NIST SP 800-171 (e.g., annual self-assessment) still apply.. Acting after that point can mean penalties, a lapsed licence, or lost eligibility — exactly the kind of surprise Aforeworn exists to prevent. Aforeworn monitors Government Contracting (SAM/FAR) continuously and turns every detected change into a plain-English briefing like this one, so you always know first. Forewarned is forearmed.

What changed

DoD paused CMMC Phase 2, which would have required contractors to achieve CMMC certification (Level 2 or higher) to bid on or perform certain contracts. The pause means no new CMMC requirements will be enforced until further notice, but existing DFARS 252.204-7012 and NIST SP 800-171 compliance obligations remain.

Who it affects

Defense contractors, especially those in the defense industrial base, small businesses with set-asides, and GSA schedule holders who handle controlled unclassified information (CUI).

What you must do

Continue to maintain compliance with DFARS 252.204-7012 and NIST SP 800-171 self-assessment requirements. Do not halt cybersecurity preparations; the pause is temporary and CMMC may be reinstated with modifications.

Deadline

Ongoing; no new deadline for CMMC certification, but existing compliance deadlines for NIST SP 800-171 (e.g., annual self-assessment) still apply.

Source: https://news.google.com/rss/articles/CBMikAFBVV95cUxNZDhFQ2tBelZwQWtqeEZQOE0zYTlvRjZSeVRYRkNvYVVVa3Q3bnpUY28zN3NHWEFDQkp5bkU1ZGdFcnRLU0NmNU80R0lFbjltQk9FRkZaN2d5Y1NVUExTTEtSRk5LM1FURnU1Qkc0dGtha3RKeC1mMUM0WTN5YlpHdVVDS3kwY3BXdjZKbVJxLVM?oc=5

Never miss a change like this again

Aforeworn watches Government Contracting (SAM/FAR) around the clock and alerts you the moment a rule moves — with a plain-English brief on what to do.

Start your free trial

Related changes in Government Contracting (SAM/FAR)