The CMMC Pause: The DoD Suspends Phase 2 Requirements - embedded.com
The DoD has suspended Phase 2 of the CMMC program, delaying mandatory cybersecurity certification for defense contractors.
Aforeworn detected this change in the Export Controls & ITAR (DDTC / BIS / DFARS) space on July 17, 2026 and published this briefing so affected operators are forewarned rather than caught off guard. It is rated Medium urgency. Defense contractors and subcontractors subject to DFARS cybersecurity requirements should confirm how it applies to their specific situation before acting. There is a time constraint attached: No immediate deadline; monitor DoD announcements for resumption.. Acting after that point can mean penalties, a lapsed licence, or lost eligibility — exactly the kind of surprise Aforeworn exists to prevent. Aforeworn monitors Export Controls & ITAR (DDTC / BIS / DFARS) continuously and turns every detected change into a plain-English briefing like this one, so you always know first. Forewarned is forearmed.
What changed
The DoD paused implementation of CMMC Phase 2, which would have required third-party certification for handling CUI. Existing DFARS 252.204-7012 requirements remain in effect.
Who it affects
Defense contractors and subcontractors subject to DFARS cybersecurity requirements
What you must do
Continue to comply with current DFARS cybersecurity clauses (self-assessment) but pause preparations for third-party audits until further notice.
Deadline
No immediate deadline; monitor DoD announcements for resumption.
Never miss a change like this again
Aforeworn watches Export Controls & ITAR (DDTC / BIS / DFARS) around the clock and alerts you the moment a rule moves — with a plain-English brief on what to do.
Start your free trialRelated changes in Export Controls & ITAR (DDTC / BIS / DFARS)
- Department of War Pauses CMMC Phase II Implementation & Launches 60-Day Program Review - Steptoe
- Sanctions on Sudan under the Chemical and Biological Weapons Control and Warfare Elimination Act
- US-CONGRESS BILLS-119s4784rs: National Defense Authorization Act for Fiscal Year 2027
- Department of War Suspends CMMC Phase II Requirements, but Cybersecurity Obligations Remain - Morgan Lewis
- US-CONGRESS S2904: SHADOW Fleet Sanctions Act of 2026