Pentagon Pauses CMMC Phase Two, Opens 60-Day Review

Pentagon suspends CMMC phase two set for Nov. 10 and launches a 60-day review; contractors must still meet phase one self-assessments and existing information-handling rules.
The Pentagon has suspended the second phase of the Cybersecurity Maturity Model Certification program that was scheduled to take effect on Nov. 10, 2026, and has opened a 60-day review of the program. Department officials said contractors must continue to meet phase one self-assessments and follow existing rules for handling federal contract information and controlled unclassified information.
A newly formed CMMC review and reform task force will collect industry feedback and recommend adjustments aimed at reducing administrative barriers for small and nontraditional suppliers. Officials cited a shortage of approved third-party assessors as one factor making the November deadline infeasible.
CMMC 2.0, which took effect on Nov. 10, 2025, condensed the original five-level framework into three levels. Level 1 covers protection of federal contract information. Level 2 aligns with NIST Special Publication 800-171 controls for controlled unclassified information. Level 3 is intended to defend the most sensitive CUI against advanced persistent threats. Phase one required Level 1 and Level 2 self-assessments. Phase two would have required Level 2 third-party certification for new contracts. Phase three was scheduled for Nov. 2027 to introduce Level 3 certification, with full implementation across applicable contracts planned by 2028.
Kirsten Davies, the Defense Department chief information officer, said the change “clears bureaucratic obstacles without lowering the bar on cybersecurity” and added that investing in and dynamically maintaining robust cybersecurity “remains a critical, nonnegotiable priority.” Michael Duffey, the undersecretary for acquisition and sustainment, described the pause as intended to prevent compliance costs from squeezing smaller manufacturers out of the defense industrial base.
Pentagon officials emphasized the suspension applies only to the phased escalation to mandatory third-party assessments and does not remove existing obligations. Contractors and subcontractors that process, store or transmit federal contract information or controlled unclassified information must continue to follow phase one self-assessment requirements and current information-handling regulations while the 60-day review proceeds.



