On July 13, 2026, the Department of War suspended the CMMC Phase II requirements that were set to take effect November 10, 2026, citing high compliance costs and a priority on speed over bureaucracy. Phase I self-assessment requirements stay in place, and a CMMC Reform Task Force will review the program and report back within 60 days. “We are not reducing cybersecurity through this measure. We are reducing the red tape,” said the Department of War’s Chief Information Officer, Kirsten Davies.
What changed
- The November 10 Phase II deadline is suspended while the 60-day review runs.
- You don’t need to schedule a formal third-party C3PAO certification right now, though a C3PAO mock assessment is still a smart way to validate your self-assessment score before you certify it.
What did not change
- You still have to protect federal data. Every defense contractor and subcontractor is still contractually obligated to safeguard covered defense information under DFARS clause 252.204-7012.
- During the interim, the DoW will continue to enforce NIST SP 800-171 Rev 2 through self-assessments and select government-led (DIBCAC) assessments.
- You are still exposed to the False Claims Act. A false or inflated self-assessment score is still a legal risk.
- Your primes will still push requirements down. They can require compliance to award and keep work, no matter the federal timeline.
Where PreVeil stands
The DoW review sets three goals: speed to capability, lower barriers for small, medium, and non-traditional businesses, and scalable, resilient security in place of bureaucratic compliance. This is the approach PreVeil has always taken. We help contractors get compliant fast and at low cost, and we protect data with end-to-end encryption instead of paperwork. The PreVeil Compliance Accelerator is the most affordable and fastest path to self-assessment, so you keep the contracts you have and win the ones you want.
What should you do during the 60-day review?
Get CMMC-ready and self-assess now. If you handle CUI or have DFARS clauses in your contracts, you’re still required to meet DFARS 7012, the DoW can assess you anytime, and your primes can still gate awards on compliance. The review targets the Phase II certification mechanism, not the underlying standard, and Phase I self-assessment stays in place.
The formal C3PAO certification is what can wait. That’s the piece under review, so you don’t need to schedule one right now. However, a C3PAO mock assessment is still worth doing to validate your score.