DoW Review Pauses Parts of the CMMC Program

With four months to go before the release of most solicitations requiring a Cybersecurity Maturity Model Certification (CMMC) Level 2 status with a third-party assessment, the Department of War (DoW) announced an immediate suspension of those forthcoming requirements and any subsequent milestones for the CMMC program. The suspension will not pause the DoW’s release of solicitations or enforcement of contract requirements mandating CMMC Levels 1 or 2 established with a self-assessment. Nor will it alleviate the contractors’ responsibility to comply with pre-existing cybersecurity terms (e.g., DFARS 252.204-7012; FAR 52.204-21). The DoW explained that the suspension was necessary to allow for a comprehensive 60-day review of the CMMC program’s consistency with recent directives to prioritize speed to capability and ensure less barriers for small, medium, and non-traditional businesses.

To conduct the review, the DoW established a CMMC Reform Task Force. The DoW has also released a Request for Information (RFI) seeking industry input on current readiness, cost drivers, and state of cybersecurity control implementation to directly inform the Task Force’s recommendations. Responses to the RFI are due by Friday, August 14, 2026 at 12 PM Eastern Time (ET) via email to: whs.mc-alex.ad.mbx.eosd-psb-branch-mailbox@mail.mil and leanne.m.condren.civ@mail.mil.

According to the initial release, the DoW will enforce cybersecurity compliance with the NIST SP 800-171 Rev 2 standard through both self-assessments and select government-led assessments during the suspension period. However, an associated memorandum for DoW Program Managers and requiring activities clarified that the DoW would not mandate any new CMMC Level 2 (Certified Third-Party Assessor Organization or C3PAO) or Level 3 (DIBCAC) assessments during this period. As a result, the only Level 3 assessments that occur during this period may potentially be those that are already scheduled.

The suspension of third-party assessment requirements does not diminish False Claims Act exposure arising from cybersecurity self-attestations. Contractors should treat any NIST SP 800-171 self-assessment submitted during the suspension period with the same rigor as a third-party assessment, since inaccurate or unsupported scores can still form the basis of a False Claims Act claim.

The memorandum also provides that any existing solicitations with requirements for CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) should be amended to remove those requirements as soon as practicable. Any contracts or agreements with those requirements should similarly be modified to remove those terms before the exercise of the next option period, or during the next scheduled administrative modification. The memorandum added that the DoW will not process waivers of any requirements for CMMC third-party assessments during the suspension period.

Although the DoW releases do not address prime contractors explicitly, primes should consider revisiting their subcontract flow-down provisions during this period. Because the suspension affects only DoW-imposed CMMC Level 2 (C3PAO) and Level 3 (DIBAC) requirements, primes should confirm whether their own subcontract terms independently impose third-party assessment obligations that are broader than what the prime contract currently requires. In the case of any disconnects, primes should consider coordinating amendments to align subcontract terms with the corresponding modifications the DoW directs at the prime contract level. Such steps can help primes avoid a mismatch in compliance obligations across the supply chain or, at least, mitigate the possibility of prolonged subcontract negotiations.

Takeaways

The CMMC program has been paused several times dating back to its unveiling in 2019. Each pause has resulted in updates to the standard, with the aim of ensuring compliance with the already existing cybersecurity requirements persistently remaining in focus. Given that the DoW paused the remaining implementation of the CMMC for longer than the period of its expected review, further updates to the CMMC program are likely forthcoming again. In light of the focus on “small, medium, and non-traditional businesses,” it is possible that there will be some carve-outs or reduced requirements for companies of a particular size, those that are more commercially focused, or those that are newer to the defense sector. But the principal obligations of protecting CUI and FCI material and ensuring compliance with the already-existing standards of cybersecurity, are unlikely to go away. Companies that have been working on their compliance with the necessary requirements should avoid pausing their efforts and instead use this moment to implement the practices they need to satisfy the CMMC standard once the DoW’s most recent review comes to a close.

In This Article

You May Also Like